French police request forced ProtonMail to reveal IP logs


By far the favorite free email service of Swiss-based and privacy-conscious ProtonMail, it has built its reputation largely on its commitment to not keeping user IP logs except in “extreme criminal cases”. A recent case, originally developed in France and passed on to Swiss police via Interpol, indicates that the circumstances may not need to be so dire for IP logs to be handed over.

ProtonMail says it was legally coerced by Swiss authorities and there was nothing it could do to resist. The issue appears to have prompted a recent update to clarify ProtonMail’s privacy policy, which now uses more general language saying that accounts suspected of “breaking Swiss law” may have their IP logs returned as part of of a “Swiss criminal investigation”. ProtonMail still does not collect IP addresses by default.

ProtonMail IP logs requested in French activist investigation

ProtonMail is popular for its end-to-end encryption and its promise of maximum user privacy, even for its level of no-fee accounts. While the service has always acknowledged that it may have to comply with law enforcement’s legitimate requests for information, it says it fights such requests whenever possible and limits the information it passes on to cases. “extreme”. A cornerstone of its policy is that it does not keep IP logs by default, but only when legally required to do so.

A recent case involving a user in France paints a different picture. A Parisian anti-gentrification activist involved in a high-profile campaign has been targeted after his group published information about police investigations and court cases the group was involved in. The ProtonMail email address appears to have been shared among several members of the group, and was found listed on anarchist websites. That, and the group’s targeting of Le Petit Cambodge restaurant which was hit by a terrorist attack in late 2015, appears to have prompted French authorities to uncover the identity of the creator of the email account.

In a process that has yet to be fully clarified, the French authorities (with the apparent facilitation of Europol acting as an intermediary) somehow coerced the Swiss authorities into revealing the IP address of the owner of the email account, the device identifier and the date the account was created. ProtonMail CEO Andy Yen attempted to comment on the matter on Twitter without addressing it directly, making general comments about how the company is subject to Swiss law and must comply with legal requests from Swiss authorities. Yen seemed to point out that the request came directly from Swiss law enforcement, not France or Interpol. ProtonMail only responds to legally binding requests approved by Switzerland.

Requirements of Swiss law

Swiss law requires users to be notified if a request of this nature is made, but Yen could not tell the press exactly when it happened due to confidentiality rules. The law authorizes a certain delay in certain cases; in this case, it looks like it took about eight months from when the IP logs started to when the user was notified. A delay of this duration generally requires the demonstration of “injury, death or irreparable damage” if the notification is not retained; it is difficult to say exactly on what the authorities would have based this assessment if that was the reason.

Valid requests under the law give Swiss authorities the right to access more than just IP logs. Law enforcement can further request the content of unencrypted account messages, account profile information and various metadata, storage usage and login times, among other things. However, they cannot force ProtonMail to attempt to decrypt the account’s encrypted messages. The company didn’t miss an opportunity to showcase its optional onion Tor address and VPN service, which would fully encrypt and obfuscate an account in such a way that little use could be legally gleaned from it under such an order. .

Privacy Concerns About Law Enforcement Requests

The removal of the notice about IP logs from the privacy policy seems intended to cover the circumstances of this situation, rather than as policy change that Proton now intends to save this information by default. However, this story has created concerns about account privacy, especially free accounts that do not use the ProtonVPN service.

Even with encryption enabled, email sender, email recipient, and message timestamps are still available (to work with SMTP) and can be collected from an account under investigation. If a foreign country is able to implicate Interpol, it appears Swiss authorities may be compelled to comply with an investigation and Proton will be forced to create IP logs (and may do so surreptitiously for months before notifying the user).

ProtonMail claims to have been legally compelled by Swiss authorities to reveal the email account owner’s IP address, device ID and account creation date. #privacy #datarespectClick to tweet

Proton has since posted several social media posts pledging to continue to fight requests that are not entirely legal and calling for legislative solutions to this potential end around user privacy.

Updated September 25, 2021 based on clarifications provided by ProtonMail.


Comments are closed.