On Sunday, September 5, 2021, Proton Technologies found itself in the midst of a major controversy. The publisher of the ProtonMail service had in fact transmitted information on several users of its service to the French courts.
The news was received very coldly by users, as ProtonMail is sold as a secure, privacy-friendly exchange solution that keeps virtually no customer information. But then why is this case making so much noise?
What happened?
On September 5, in the middle of the afternoon, SecoursRouge published an article (containing information from Paris-Luttes.info) explaining that several French activists of the "Youth for Climate" collective had been monitored by the French authorities.
As part of this investigation, the French police sent a request for information via Europol (the European Criminal Police Agency) to ProtonMail, the email service used by the collective. The company therefore provided the Swiss authorities (which validated the request) with the IP address of the accounts concerned.
Does ProtonMail keep the IP addresses?
It is precisely on the question of IP addresses that criticism has crystallized. Indeed, on its website, the company states that "by default, it does not record any meta tags such as the IP address used to log in to its account". How, then, could the IP addresses of the activists be passed on to the justice system?
Screenshot of the Proton homepage. Source: Proton
The subtlety lies in the words "by default". As the company explained in a Reddit post, "if we receive a legal order concerning a specific account, we may be obliged to monitor it." The Swiss judiciary, in agreement with the French authorities, therefore asked Proton to monitor the activity of certain accounts. Forced by the Swiss Federal Department of Justice and Police (DFJP), Proton started recording the IP addresses of these accounts.
This does not mean that Proton keeps the IP addresses of all Internet users who visit its service. But if the courts require certain details of future connections to be retained, ProtonMail may be forced to do so. As the company's CEO explains on Twitter, "in the case of a criminal case, some privacy rights can be suspended by the authorities."
Are my emails safe?
The judicial police report accompanying the case details the information Proton provided to the authorities. This includes the date the account was created, the IP address associated with the account, and the fingerprint of the device used (smartphone or PC, native application or web interface, etc.).
No other information seems to have been communicated, and certainly not the content of the e-mails. As the company details in its transparency report, "under no circumstances will ProtonMail be able to provide the content of the end-to-end encrypted messages sent via ProtonMail." Technically, the decryption key required to access a Proton mailbox is, in any case, known only to the account's user. As a result, Proton cannot access the content of the emails.
Should I leave ProtonMail?
The controversy surrounding ProtonMail has grown because the encrypted messaging solution was built precisely on promises of privacy and personal data protection. But as the company writes, "No matter what service you use, unless it's based 15 miles offshore in international waters, the company will have to comply with the law", and that is what Proton did here, apparently reluctantly.
"The legal proceedings were particularly aggressive in this case," details the company, which does not hesitate to talk to the French authorities, which are using "more and more […] anti-terrorist laws in an inappropriate manner".
This is not the first time that Proton has been forced to provide information about its customers. In the transparency report, it can be seen that in 2020, the Swiss authorities made 3,572 requests for access and 750 were challenged by the company.
Finally, on Reddit, the company points out that Proton is the only email provider that offers an address accessible via Tor, the decentralized computer network that masks your IP address. Despite the controversy, Proton remains one of the most secure consumer mail services. The company, however, is not above the law.