ProtonMail logged IP address of French activist after order by Swiss authorities

ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users.

For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants. While it started as a local conflict, it quickly became a symbolic campaign. They attracted newspaper headlines when they started occupying premises rented by Le Petit Cambodge — a restaurant that was targeted by the November 13th, 2015 terrorist attacks in Paris.

On September 1st, the group published an article on Paris-luttes.info, an anticapitalist news website, summing up different police investigations and legal cases against some members of the group. According to their story, French police sent an Europol request to ProtonMail in order to uncover the identity of the person who created a ProtonMail account — the group was using this email address to communicate. The address has also been shared on various anarchist websites.

The next day, @MuArF on Twitter shared an abstract of a police report detailing ProtonMail’s reply. According to @MuArF, the police report is related to the ongoing investigation against the group who occupied various premises around Place Sainte-Marthe. It says that French police received a message on Europol. That message contains details about the ProtonMail account.

Here’s what the report says:

The company PROTONMAIL informs us that the email address has been created on … The IP address linked to the account is the following: …
The device used is a … device identified with the number …
The data transmitted by the company is limited to that due to the privacy policy of PROTONMAIL TECHNOLOGIES.”

Cops are lying ? pic.twitter.com/xIglWqLcfk

— MuArF (@MuArF) September 2, 2021

ProtonMail’s founder and CEO Andy Yen reacted to the police report on Twitter without mentioning the specific circumstances of that case in particular. “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities,” he wrote.

In particular, Andy Yen wants to make it clear that his company didn’t cooperate with French police nor Europol. It seems like Europol acted as the communication channel between French authorities and Swiss authorities. At some point, Swiss authorities took over the case and sent a request to ProtonMail directly. The company references these requests as “foreign requests approved by Swiss authorities” in its transparency report.

Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.

— Andy Yen (@andyyen) September 5, 2021

TechCrunch contacted ProtonMail founder and CEO Andy Yen with questions about the case.

One key question is exactly when the targeted account holder was notified that their data had been requested by Swiss authorities since — per ProtonMail — notification is obligatory under Swiss law.

However, Yen told us that — “for privacy and legal reasons” — he is unable to comment on specific details of the case or provide “non-public information on active investigations”, adding: “You would have to direct these inquiries to the Swiss authorities.”

At the same time, he did point us to this public page, where ProtonMail provides information for law enforcement authorities seeking data about users of its end-to-end encrypted email service, including setting out a “ProtonMail user notification policy”.

Here the company reiterates that Swiss law “requires a user to be notified if a third party makes a request for their private data and such data is to be used in a criminal proceeding” — however it also notes that “in certain circumstances” a notification “can be delayed”.

Per this policy, Proton says delays can affect notifications if: There is a temporary prohibition on notice by the Swiss legal process itself, by Swiss court order or “applicable Swiss law”; or where “based on information supplied by law enforcement, we, in our absolute discretion, believe that providing notice could create a risk of injury, death, or irreparable damage to an identifiable individual or group of individuals.”

“As a general rule though, targeted users will eventually be informed and afforded the opportunity to object to the data request, either by ProtonMail or by Swiss authorities,” the policy adds.

So, in the specific case, it looks likely that ProtonMail was either under legal order to delay notification to the account holder — given what appears to be up to eight months between the logging being instigated and disclosure of it — or it had been provided with information by the Swiss authorities which led it to conclude that delaying notice was essential to avoid a risk of “injury, death, or irreparable damage” to a person or persons (NB: it is unclear what “irreparable damage” means in this context, and whether it could be interpreted figuratively — as ‘damage’ to a person’s/group’s interests, for example, such as to a criminal investigation, not solely bodily harm — which would make the policy considerably more expansive).

In either scenario the level of transparency being afforded to individuals by Swiss law having a mandatory notification requirement when a person’s data has been requested looks severely limited if the same law authorities can, essentially, gag notifications — potentially for long periods (seemingly more than half a year in this specific case).

ProtonMail’s public disclosures also log an alarming rise in requests for data by Swiss authorities.

According to its transparency report, ProtonMail received 13 orders from Swiss authorities back in 2017 — but that had swelled to over three and a half thousand (3,572!) by 2020.

The number of foreign requests to Swiss authorities which are being approved has also risen, although not as steeply — with ProtonMail reporting receiving 13 such requests in 2017 — rising to 195 in 2020.

The company says it complies with lawful requests for user data but it also says it contests orders where it does not believe them to be lawful. And its reporting shows an increase in contested orders — with ProtonMail contesting three orders back in 2017 but in 2020 it pushed back against 750 of the data requests it received.

The Swiss government determined that this case met the legal standard under Swiss law. Unfortunately there was no possibility to appeal that ruling in this case. However, we always fight when we can (and in 2020, we fought over 700 cases on behalf of users).

— Andy Yen (@andyyen) September 6, 2021

Per ProtonMail’s privacy policy, the information it can provide on a user account in response to a valid request under Swiss law may include account information provided by the user (such as an email address); account activity/metadata (such as sender, recipient email addresses; IP addresses incoming messages originated from; the times messages were sent and received; message subjects etc); total number of messages, storage used and last login time; and unencrypted messages sent from external providers to ProtonMail. As an end-to-end encrypted email provider, it cannot decrypt email data so is unable to provide information on the contents of email, even when served with a warrant.

However in its transparency report, the company also signals an additional layer of data collection which it may be (legally) obligated to carry out — writing that: “In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities.”

In general though, unless you are based 15 miles offshore in international waters, it is not possible to ignore court orders Andy Yen

It’s that IP monitoring component which has caused such alarm among privacy advocates now — and no small criticism of Proton’s marketing claims as a ‘user privacy centric’ company.

It has faced particular criticism for marketing claims of providing “anonymous email” and for the wording of the caveat in its transparency disclosure — where it talks about IP logging only occurring in “extreme criminal cases”.

Few would agree that anti-gentrification campaigners meet that bar.

At the same time, Proton does provide users with an onion address — meaning activists concerned about tracking can access its encrypted email service using Tor which makes it harder for their IP address to be tracked. So it is providing tools for users to protect themselves against IP monitoring (as well as protect the contents of their emails from being snooped on), even though its own service can, in certain circumstances, be turned into an IP monitoring tool by Swiss law enforcement.

In the backlash around the revelation of the IP logging of the French activists, Yen said via Twitter that ProtonMail will be providing a more prominent link to its onion address on its website:

Yes, we will be updating this today to link to our Tor page.

— Andy Yen (@andyyen) September 6, 2021

Proton does also offer a VPN service of its own — and Yen has claimed that Swiss law does not allow it to log its VPN users’ IP addresses. So it’s interesting to speculate whether the activists might have been able to evade the IP logging if they had been using both Proton’s end-to-end encrypted email and its VPN service…

No, there is no legal basis for logging VPN under current Swiss law.

— Andy Yen (@andyyen) September 6, 2021

“If they were using Tor or ProtonVPN, we would have been able to provide an IP, but it would be the IP of the VPN server, or the IP of the Tor exit node,” Yen told TechCrunch when we asked about this.

“We do protect against this threat model via our Onion site (protonmail.com/tor),” he added. “In general though, unless you are based 15 miles offshore in international waters, it is not possible to ignore court orders.”

“The Swiss legal system, while not perfect, does provide a number of checks and balances, and it’s worth noting that even in this case, approval from three authorities in two countries was required, and that’s a fairly high bar which prevents most (but not all) abuse of the system.”

Some thoughts on the French “climate activist” incident. It’s deplorable that legal tools for serious crimes are being used in this way. But by law, @ProtonMail must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.

— Andy Yen (@andyyen) September 5, 2021

In a public response on Reddit, Proton also writes that it is “deeply concerned” about the case — reiterating that it was unable to contest the order in this instance.

“The prosecution in this case seems quite aggressive,” it added. “Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used). We will continue to campaign against such laws and abuses.”

We are engaged heavily in fighting unjust laws in CH, US and EU. However, it is impossible to refuse government orders (you can be shut down or jailed). The solution comes through changing the laws through democratic processes.

— Andy Yen (@andyyen) September 6, 2021

Zooming out, in another worrying development that could threaten the privacy of internet users in Europe, European Union lawmakers have signaled they want to work to find ways to enable lawful access to encrypted data — even as they simultaneously claim to support strong encryption.

Again, privacy campaigners are concerned.

ProtonMail and a number of other end-to-end encrypted services warned in an open letter in January that EU lawmakers risk setting the region on a dangerous path toward backdooring encryption if they continue in this direction.