ProtonMail IP Address Leak: French Activist Targeted
ProtonMail and IP Address Disclosure: A Detailed Examination
ProtonMail, a provider of secure, end-to-end encrypted email services, has recently faced scrutiny following reports that French authorities obtained the IP address of a French activist utilizing the platform. The company has publicly addressed the situation, emphasizing its default policy of not logging IP addresses and its adherence to Swiss legal regulations.
The Incident and Initial Response
A group protesting gentrification and real estate speculation in Paris has been occupying commercial and residential properties near Place Sainte Marthe. This local dispute escalated into a broader symbolic campaign, gaining media attention, particularly after targeting a restaurant previously affected by the 2015 Paris terrorist attacks.
On September 1st, an article detailing police investigations and legal proceedings against members of the group was published on Paris-luttes.info, an anti-capitalist news source. The article revealed that French police had submitted a request through Europol to ProtonMail, seeking to identify the creator of a ProtonMail account used for group communications. This email address was also circulating on various anarchist websites.
The following day, a Twitter user, @MuArF, shared an excerpt from a police report outlining ProtonMail’s response to the request. The report pertains to the ongoing investigation surrounding the occupations near Place Sainte-Marthe, indicating that French police received information regarding the ProtonMail account via Europol.
ProtonMail’s Position and Swiss Law
Andy Yen, ProtonMail’s founder and CEO, responded to the report on Twitter, clarifying the company’s obligations under Swiss law. He stated that ProtonMail must comply with Swiss legal requirements, which include responding to requests from Swiss authorities when a crime has been committed and privacy protections may be temporarily suspended.
Yen stressed that ProtonMail did not directly cooperate with French police or Europol. Instead, Europol served as an intermediary, forwarding the request to Swiss authorities, who then contacted ProtonMail directly. These requests are documented as “foreign requests approved by Swiss authorities” in ProtonMail’s transparency reports.
Further Clarification and User Notification
TechCrunch reached out to Andy Yen for further details regarding the case. A key question raised was whether the account holder was notified about the data request, as mandated by Swiss law.
Yen explained that, due to privacy and legal considerations, he could not comment on specific details of the ongoing investigation. He directed inquiries to the Swiss authorities.
He did, however, direct attention to ProtonMail’s public page providing information for law enforcement agencies seeking user data, including its “ProtonMail user notification policy.”
Delays in Notification
The policy states that Swiss law requires users to be notified when their data is requested in criminal proceedings. However, it also acknowledges that notification can be delayed under certain circumstances.
These circumstances include temporary prohibitions imposed by the Swiss legal process, court orders, or applicable Swiss law. Additionally, notification can be delayed if law enforcement provides information suggesting that doing so could create a risk of injury, death, or irreparable damage to individuals or groups.
ProtonMail’s policy indicates that users will generally be informed and given the opportunity to object to data requests, either by ProtonMail or the Swiss authorities.
In this specific case, it appears ProtonMail may have been legally obligated to delay notification, given the reported eight-month gap between the initial logging request and its disclosure. Alternatively, the company may have received information from Swiss authorities justifying the delay to prevent potential harm.
Rising Data Requests and Transparency
ProtonMail’s transparency reports reveal a significant increase in data requests from Swiss authorities. The number of orders received rose from 13 in 2017 to over 3,572 in 2020.
Foreign requests approved by Swiss authorities have also increased, from 13 in 2017 to 195 in 2020.
The company states it complies with lawful requests but contests those it deems unlawful. The number of contested orders has also risen, from three in 2017 to 750 in 2020.
Data Provided in Response to Requests
According to ProtonMail’s privacy policy, data provided in response to valid Swiss legal requests may include account information provided by the user, account activity metadata (sender/recipient addresses, IP addresses, timestamps, subjects), storage usage, and last login time. Unencrypted messages sent from external providers may also be provided.
However, as an end-to-end encrypted service, ProtonMail cannot decrypt email content, even with a warrant.
The company’s transparency report also notes that, in extreme criminal cases, ProtonMail may be legally obligated to monitor the IP addresses used to access accounts involved in criminal activity.
Criticism and Concerns
This IP monitoring capability has sparked concern among privacy advocates and criticism of ProtonMail’s marketing claims as a “user-privacy-centric” company. The company has been criticized for advertising “anonymous email” while retaining the ability to log IP addresses in certain situations.
ProtonMail offers an onion address, allowing users to access the service via Tor, which can help mask their IP address. It also provides a VPN service, which Yen claims does not log user IP addresses.
Future Steps and Broader Implications
In response to the backlash, Yen announced via Twitter that ProtonMail will prominently link to its onion address on its website.
The incident highlights broader concerns about the potential erosion of privacy in Europe. EU lawmakers are exploring ways to enable lawful access to encrypted data, despite claims of supporting strong encryption.
ProtonMail and other encrypted service providers have warned that such efforts could lead to backdoors in encryption, compromising user privacy.
Policy Update
An update to ProtonMail’s privacy policy has been noted by Open Terms Archive. The company added a statement clarifying that it can be legally compelled to log IP addresses in Swiss criminal investigations, but this obligation does not extend to ProtonVPN. Further details are available in its transparency report.
- ProtonMail is obligated to log IP addresses in extreme criminal cases under Swiss law.
- This obligation does not apply to ProtonVPN.
- Details are available in the company’s transparency report.
Related Posts
Ring AI Facial Recognition: New Feature Raises Privacy Concerns
FTC Upholds Ban on Stalkerware Founder Scott Zuckerman
Intellexa Spyware: Direct Access to Government Espionage Victims
India Drops Mandatory App Pre-Installation After Backlash
Google's AI Advantage: Leveraging User Data
