ProtonMail has apparently shared IP logs with law enforcement agencies, which has resulted in the arrest of an activist in France. The move has drawn criticism because ProtonMail is an end-to-end encrypted email service that markets itself on privacy and claims that it does not maintain IP logs.
A French Police report published on Twitter appears to show that the police used ProtonMail to collect the IP address of an activist. He was demonstrating against real estate gentrification in Paris.
The company accepted that it received a legally binding order from the Swiss Federal Department of Justice in a matter related to “Youth for Climate”.
Just another marketing gig?
ProtonMail advertises on its website that: “To create your secure email account, no personal information is necessary. We don’t maintain any IP logs that can be linked to your anonymous email account by default. Your privacy is prioritised.”
However, the corporation admitted that while it is illegal to comply with requests from non-Swiss law enforcement authorities, it will be forced to do so if Swiss agencies agree to assist foreign services such as Europol in their investigations.
In this case, the French police were able to obtain a Swiss court order after transmitting their request through Europol. Following the order, ProtonMail started to log details of the activist’s IP address.
In a post shared on Reddit, the company stated:
“There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).”
Andy Yen, CEO of Proton, tweeted:
“Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.”
Yen further added, through another tweet:
“The Swiss government determined that this case met the legal standard under Swiss law. Unfortunately there was no possibility to appeal that ruling in this case. However, we always fight when we can (and in 2020, we fought over 700 cases on behalf of users).”
A Clarification and Revision in the Privacy Policy
In a blog post, Yen clarified that the company “can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account.”
Following the incident, Proton also revised its privacy policy and added:
“By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation.”
A German Court also passed a similar order
Previously, in May this year, a Federal Court in Germany ordered Tutanota, another encrypted email service provider, to monitor messages of accounts implicated in a blackmail case. The court ordered it to monitor the messages of two accounts implicated in the case for three months. It also ordered Tutanota to provide a copy of the emails, both incoming and outgoing.
End-to-end Encryption and new Intermediary Guidelines
The new intermediary guidelines require significant social media intermediaries to reveal the “originator of messages”.
However, only Indian courts and the Union Government can ask the intermediaries to comply. Courts can pass an order to that effect. With regard to the government, it will have to pass an order under Section 69 of the IT Act. [Read with Information Technology (Procedure and Safeguards for interception, monitoring, and decryption of information) Rules, 2009]
Further, they can pass such orders only in cases with prescribed imprisonment of not less than five years.