ProtonMail, known for its commitment to confidentiality, could well see its reputation damaged after it was reported by Paris-luttes.info that it had disclosed the address of a Youth for Climate activist. The information was originally requested by the French police via the EU crime-fighting agency, Europol.
The activist is believed to have taken part in a series of sit-ins in the Place Sainte Marthe area of Paris to fight the area’s gentrification.
ProtonMail has said that they were unaware that the people targeted were activists. Following a public backlash, Proton CEO and founder Andy Yen explained the situation in a blog post.
“In this case, Proton received a legally binding order from the Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request,” he wrote. The Swiss approved 195 similar requests for information in 2020 compared to 13 in 2017.
“Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders,” he wrote, adding that his company never provides information to foreign governments directly and only responds to Swiss authorities, or to requests approved by them.
“It was inappropriate for the French authorities to have used measures designed for serious criminal offences to pursue this inquiry,” a ProtonMail spokesperson told EURACTIV France, referring to the procedure conducted via Europol. “We also believe that Swiss authorities should have done more diligence before approving the request,” he added.
“We will continue to campaign against these laws and abuses, and we will continue to challenge unjustified government demands wherever possible,” the company said.
While ProtonMail is trying to downplay the case, touting the legal standards guaranteed by Swiss law, it is nevertheless urging its users to use the Tor browser to access the service, making it more difficult to identify the IP address.
The case is causing a stir because it illustrates the difference between privacy and anonymity – a nuance not always well explained by technology companies offering services that rely on data confidentiality.
ProtonMail provides encrypted mailing services, which ensures the communication can only be accessed by the senders and recipients of the message. The time, location, and IP addresses form the communication’s metadata, which is not covered by encryption.
“A useful reminder: despite marketing promises, no messaging service offers full insurance against abusive surveillance,” tweeted Olivier Tesquet, a journalist and digital and surveillance specialist.