ProtonMail advertises itself as the world's largest secure email service, and yet it recently shared the IP address and device details of a customer with Swiss and French authorities, which led to an arrest.
Etienne Maynier, an activist, hacker, and security researcher, shared details on Twitter of the information sharing carried out by ProtonMail. It was triggered by a legal request from Europol through the Swiss authorities and targeted a climate activist from Youth for climate action in Paris. As TechCrunch reports, the request was in relation to a group of activists occupying premises in Paris rented by the restaurant Le Petit Cambodge, which was targeted in the 2015 Paris terrorist attacks. The ProtonMail account was being used by the group for communication, so French authorities were determined to find out who created it.
Inevitably, the information sharing and subsequent arrest has raised a big question mark over how secure the email service really is if information can be so easily shared, especially when ProtonMail states on its homepage that "No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."
ProtonMail founder and CEO Andy Yen responded to the questions being raised in a blog post, explaining that the service "received a legally binding order from Swiss authorities which we are obligated to comply with." The order could not be appealed and forced the service to "collect information on accounts belonging to users under Swiss criminal investigation." In other words, ProtonMail doesn't collect your information unless it's forced to (as it was in this case).
Yen also points out that the encryption used by the service for all data stored and sent by an account can't be bypassed. What's also interesting is the fact Yen says his team has no idea who the person was they had been told to monitor because "we do not know the identity of our users."
In response to this episode, ProtonMail is going to update its website to make the service's obligations clearer when it comes to criminal prosecution, and that the privacy policy reflects its obligations under Swiss law. At the same time, users who want anonymity are urged to use Tor to access ProtonMail and the provided onion site. Yen also points to the fact ProtonMail "fought over 700 cases in 2020 alone," but didn't state how many were won.