Back in 2004, a platform known as Lavabit was one of the most popular, open-source, encrypted webmail services. That is, until Summer of 2013, when the U.S. Federal Government demanded that Lavabit hand over private keys. These would allow the government to spy on emails sent and received by Edward Snowden. After Lavabit’s surrender to the demands, users left in droves and the service eventually suspended its operations.
A new service known as ProtonMail quickly became the go-to encrypted email service for privacy-conscious web users.
However, after a supposed privacy breach that saw multiple arrests by French police, angry users have been raising questions online about just how secure ProtonMail really is. Does ProtonMail log user data? Did ProtonMail break their privacy policy?
Why Did ProtonMail Hand Over Users’ Data?
For context, a green-friendly group known as “Youth for Climate” has been occupying residential and commercial properties since 2020 as part of its activities. Unfortunately for them, the group drew unwanted attention from French authorities recently, when they occupied a Cambodian restaurant in Paris known as Le Petit Cambodge.
The premises suffered heavy damage in the terrorist attack of 2015 that took place in Paris, and their squat in the building didn’t go unnoticed.
Following the trespassing, French police wanted to uncover the identities of these group members communicating via ProtonMail. They submitted a request via Europol to obtain users’ data from the Switzerland-based company.
As it transpires, the request was granted. It seems that Swiss authorities took control of the investigation, issuing the request to ProtonMail directly.
Did ProtonMail Violate their Privacy Policy?
ProtonMail relented to the request and handed over the data requested from them. However, it didn’t go unnoticed by angry users on the web. People have questioned why the company had stored users’ details in the first place.
After all, the homepage is appealing to any privacy-conscious internet user. It talks about data protection under Swiss law and end-to-end encryption. What it doesn’t specifically mention, however, is anything about data logging.
The answers, it seems, lie in the company’s privacy policy, which contains crucial information that isn’t available on the homepage. According to the company’s privacy policy, the following applies to IP logging:
“By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud (…) If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation.“
This, according to ProtonMail’s CEO Andy Yen – is the reason why the company took action. He said:
“Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended, and we’re required by Swiss law to answer requests from Swiss authorities (…)”
This is a very specific statement, and it seems to tie back to the Transparency Report that ProtonMail published on September 6 in relation to this incident. This report refers to such requests as “foreign requests approved by Swiss authorities.” Put everything together, and one thing is clear: ProtonMail is firm on the fact that they were acting in line with their privacy policy.
Essentially, foreign governments or investigative agencies could ask Swiss authorities to request ProtonMail to release user information. And this incident proves that they would have to comply.
Our Thoughts
Based on the above, it would seem that the company acted in line with their privacy policy. However, the whole incident is a stark reminder that encrypted, anonymous services aren’t always completely safe – or anonymous.
One thing that’s worth noting is that the privacy policy excludes ProtonVPN – another service that the company offers – from this clause. Indeed, when you use a VPN, you’re cloaking your IP address, making you harder to track. This is why we always recommend that you use a VPN whenever you connect to the internet. The best VPNs, like ExpressVPN and NordVPN, cloak your identity and don’t log your data.