ProtonMail forced to collect an activist's IP address in police investigation
Switzerland-based email provider ProtonMail said it was forced to log the IP address of one of its customers after it received a legally binding order from the Swiss government that it couldn't legally appeal or decline.
The incident, which came to light over the weekend, has caused some unrest among the company's users as ProtonMail had boasted numerous times in its public marketing campaigns about its no-log policies.
However, in a Reddit comment on Sunday and in a blog post published earlier today, ProtonMail said it was cornered by Swiss authorities earlier this year.
Case related to anti-gentrification protests in France
The incident is a complex one and is related to a series of anti-gentrification protests that took place in Paris in the summer and fall of 2020, when a group of activists named Youth for Climate forcibly occupied a series of squares and buildings in the Paris district of Place Sainte Marthe to protest companies buying real estate and hiking rent prices by up to four times for local residents.
The group apparently used a ProtonMail email address to organize their protests (jmm[redacted]@protonmail.com), a detail that came to the attention of the real estate companies and French police, who were called in to evacuate the group and investigate its members.
Last week, the website Paris Luttes (Paris Struggles) revealed that French police worked through Europol to contact the Swiss government and asked for help in obtaining details about the email address owner's identity.
ProtonMail said it couldn't fight the legal order
"In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with," a ProtonMail spokesperson wrote on Reddit over the weekend.
The order effectively forced the company to log the IP address used by the French activist to log in to their ProtonMail inbox.
"There was no legal possibility to resist or fight this particular request," ProtonMail CEO Andy Yen said earlier today.
"Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested, which is not the case in most countries," he added.
However, the ProtonMail CEO said that an accompanying gag order also prevented the company from disclosing this incident to the user while the investigation was underway.
On the other hand, Yen also highlighted that although the company was forced to comply with Swiss law, the Swiss legal system is far more robust than the legal systems of other countries.
"The Swiss legal system, while not perfect, does provide a number of checks and balances, and it's worth noting that even in this case, approval from 3 authorities in 2 countries was required, and that's a fairly high bar which prevents most (but obviously not all) abuse of the system. [...] Finally, Switzerland generally will not assist prosecutions from countries without fair justice systems," the ProtonMail CEO added.
Yen said ProtonMail encryption was not bypassed in the investigation.
He also said that email and VPN services are treated differently in Switzerland, and authorities can't use the same legally binding order to force the company to log the details of its VPN product.
Either way, the entire incident left a bad taste for most of the company's users.
With several ransomware gangs having abused ProtonMail addresses to ransom victims for more than half a decade, most users are upset that Swiss authorities decided to help an investigation related to an activist rather than one related to a ransomware group.
Hol’ up…
So France police manages to get ProtonMail to release information about /climate activists/?
Good thing they don’t take ransomware that seriously, I guess
— E (@nemesis09) September 6, 2021
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.