ProtonMail shows faults in its unshakable privacy policy

2 years ago
protonmail

protonmaillast month the so-called privacy oriented ProtonMail webmail service quietly removed IP tracking from its list of privacy protections for which it has been praised for in the past.

The company’s privacy policy, which was quietly updated now says that if you are breaking Swiss law, ProtonMail can legally be compelled to log your IP address as part of a Swiss criminal investigation.

ProtonMail cooperate with police investigation into Youth for Climate Action

ProtonMail had received a legal request from Europol through Swiss authorities to provide information about Youth for Climate Action in Paris and ProtonMail did had over the IP address and information on the type of device used to the police which is interesting because ProtonMail has always stated that they do not collect or record IP information on client. As this request was successfully filled for Europol clearly the company does record and keep IP logs which calls into question their other privacy statements.

ProtonMail narrowly wins court ruling

The police noticed that the group of activists communicated via ProtonMail email address which led the police to approaching the company and requesting the information. In recent developments Protomail successfully defended their stance in court and have narroly escaped handing data over to authorities. Switzerlands Federal administrative court ruled on October 22 that email providers in Switzerland are not considered telecommunications providers under Swiss law, thereby removing them from the scope of data retention requirements imposed on telecommunicai9tons companies.

ProtonMail stand by commitment to privacy

The company released a statement on Reddit which insists that under no circumstances can their encryption be bypassed meaning items such as emails, attachments, calendars, and files cannot be compromised by legal orders which is a strong statement considering the new policy states that the company in fact can access the following pieces of information:

  • Sender and recipient email addresses
  • The IP address incoming messages originated from
  • Message subject
  • Message sent and received times

The above items listed are all generally available unencrypted from email headers standard in SMTP email specification, although the promises about user information logging seems to be a bit overstated.

Above all, the company’s takeaway is this: if you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation and in a clarification comment ProtonMail said that they do not give data to foreign governments which is illegal under Article 271 of the Swiss Criminal code.

A pause for thought

While it may be true that ProtonMail still actively provides a generally secure environment for free in which to work, it serves as a necessary reminder to stop and think about what your activities online look like, and what can be seen by others – including the service provider. Up until now it is fair to say that people carried out their business on ProtonMail with trust in its structure.

It is also interesting to see western governments such as France and Switzerland using law enforcement tools designed for the most extreme criminal offenses on a group of climate protesters in Paris. This may be a glipse of what it to come in the future – government bodies increasingly using invasive anti-privacy tactics on more and more trivial matters until one day we wake up and find no privacy at all.

Tags: , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *