ProtonMail (Wrongly?) Criticized for Disclosing User IP to Authorities
Blaming ProtonMail misses important lessons of the case, as request from authorities ticked the necessary requirements under Swiss law
ProtonMail, a privacy and security-focused email provider based in Switzerland, has been strongly criticized for providing the IP address of a customer to Swiss authorities, ultimately leading to the arrest of a climate activist in France. But simply blaming ProtonMail misses the important lessons of this case.
French authorities were aware that a group ‘of interest’ (the Youth for Climate collective and associated groups) used the jmm18[@]protonmail.com email address. According to police reports, the climate group had hardened its interests along general anti-capitalist lines, and were taking part in illegal squatting and damage to property.
Since Switzerland is not part of the EU, the French police could not demand that the Swiss authorities obtain and hand over the IP address of the email user. Instead, it approached Switzerland via Europol. Switzerland acquiesced with Europol, and required ProtonMail to deliver up the IP address. Since the request ticked all the necessary requirements under Swiss law, ProtonMail had no option but to obey.
It should be stressed that ProtonMail cannot deliver the content of its end-to-end encryption – this is solely about the user’s IP address.
ProtonMail is not happy with the events. It published a blog titled Important clarifications regarding arrest of climate activist on September 6, 2021, commenting, “We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way.”
Several points stand out in this blog – most importantly that ProtonMail had no alternative but to comply with the Swiss court order. ProtonMail does not know the identity of its users. “We only know that the order for data from the Swiss government came through channels typically reserved for serious crimes.” It did not know that the target of observation was a group of French climate activists – for all ProtonMail knew, it could have been a gang of international terrorists.
It is possible that ProtonMail was required to monitor the IP or IPs used by the email address over a period of time, while simultaneously under a gagging order not to disclose the fact. Only after an arrest could matters be made public.
Lessons to be learned
SecurityWeek talked to European privacy activist and advocate Peter Sunde Kolmisoppi. He works on projects designed to help people protect their privacy (such as Njal.la, a privacy aware domain service with both VPS and VPN), but also encourages groups and political entities on increasing the right to privacy. He is a co-founder of The Pirate Bay and the founder of Flattr and Njal.la.
Sunde does not blame ProtonMail for what happened, but that doesn’t mean he is not angry at what did happen. The primary problem, he suggests, is that ProtonMail is “based in a country that has a government that can control their actions. That’s the main flaw. A lot of activists, technologists and hosters have this idea that certain countries are ‘bulletproof’ when it comes to privacy. That’s certainly not the case.”
This is the first lesson to be learned – to recognize that all companies are subject to the laws of the country where they reside, irrespective of their own principles and preferences.
He believes the solution here would be to decentralize the service – something eminently feasible given todays’ global public cloud. “The basic problem here is again that we’ve centralized things. Organizations, services – e-mail is among the easiest of all services to have decentralized – and trust.” But ProtonMail is what it is, and alternative ideas are irrelevant to the current situation.
“It’s not the fault of ProtonMail, he says, it’s the fault of the authorities. And I’m sure that ProtonMail will take lessons from this to improve their threat model.” ProtonMail has started to stress the availability of its onion service to allow users with heightened threat conditions to gain the additional protection of Tor, and provides clear access to its own VPN, ProtonVPN, on the home page.
Swiss law treats VPN different to email. “Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data,” wrote ProtonMail in its blog. The implication is that the French authorities may not have been able to secure the IP address had the activists been using ProtonMail with Tor and VPN as well as ProtonMail.
This is the second lesson – when using any service, be aware of the additional security protection that may be available, and use it.
Sunde’s anger is directed against the authorities rather than ProtonMail. It seems that the route taken to get the IP address was originally intended for just the most serious of crimes – not to be used against climate activists (although in fairness we don’t really know what else the authorities were hoping or expecting to find).
“Switzerland is not part of the EU, so we’re not sure why Switzerland nor the EU looked at this as a case as important enough to go to these extreme measures,” he told SecurityWeek. “There should have been many people that could have stopped this insanity.”
He continued with the third lesson to be learned: “In general, I would say that people should not trust any single entity/provider to protect any secret communication, because most of these organizations can be forced to do things, or there can be backdoors or security issues with other things. An app for secure chat is great but it will ultimately come down to if your computer/phone is secure – and it is not.”
Finally, wearing his activist hat, he added, “I think we need to shame both the Swiss and EU authorities for allowing this ridiculous thing to happen; and hopefully this situation will lead to better decisions on what they will do in the future.”
It is worth also adding that although there is no direct comparison, the primary argument that has led the European courts to issue the Schrems II ruling has been the ability of the NSA to obtain European personal information. In this instance, the French authorities obtained personal information of European residents through the cooperation of Europol and the Swiss authorities.