ProtonMail is again at the epicenter of criticism, as it has been forced to share one user’s IP address with law enforcement authorities, which eventually led to the individual's arrest. According to Swiss law, the private and end-to-end encrypted email service was actually obliged to hand over what they had on the user (ProtonMail is based in Switzerland), as there was a criminal investigation launched against the individual.
This is something that has been discussed again in 2019 when Martin Steiger, a Swiss lawyer, warned the public that ProtonMail was misleading people by presenting their service as anonymous. Steiger added that the platform had the ability to perform real-time surveillance by enabling IP logging on specific user accounts. If the law enforcement got that real-time info, they could locate a user who may not be using a VPN to mask their real IP address, falsely assuming that ProtonMail never logs IP addresses.
This is precisely where the point of criticism comes, and why ProtonMail has to revise its marketing. On their very website, ProtonMail presents “Swiss Privacy” as a solid reason to choose the service, claiming that all user data is protected by strict Swiss privacy laws, creating a false sense that nobody is ever going to touch user data no matter what. Secondly, in the security section, the website clearly states that no tracking or logging ever takes place and that IP addresses or any other metadata aren’t recorded. There are no asterisks, no exceptions, and no clarifications about what happens in the case of a criminal investigation.
In this case, the person who got targeted and identified was a young climate activist in Paris, not a ransomware actor, a hacker, a child abuser, an extremist bomber, or anything that would make it easier for the public to accept. As such, ProtonMail appears to be on the wrong side of history on this one, even if they didn’t really have a choice on the whole data-sharing thing.
From what was made known by French media, the activists exposed themselves through their clothes in Instagram posts, even though they had blurred their faces. Europol carried out an in-depth investigation on “Youth for Climate Paris,” found a ProtonMail address (email@example.com), and then submitted a warrant on the basis of “theft and degradation in assembly and home invasion.”
ProtonMail officially responded to the outburst against its false marketing by saying they refuse all bogus police requests and only comply with legally binding ones. In 2020, they rejected over 700 requests for user account info, so they are trying to protect their users’ anonymity no matter what they’re doing, which the platform wouldn’t have any means of knowing anyway. Possibly, this case will force them to adopt different policies and methods in areas that are under their full and direct control.