- ProtonMail under fire by Swiss lawyer who claims they voluntarily give away user metadata.
- The service dismisses the claims and says they’ll only do this when ordered by a court.
- The lawyer says ProtonMail’s ads are misleading, as privacy protection laws don’t apply to police operations.
Martin Steiger, a lawyer from Switzerland, has publicly accused ProtonMail of “voluntarily offering assistance for real-time surveillance”. The relevant information was passed to Steiger by Stephan Walder, the head of the Cybercrime Competence Center in Zurich, who later revised and clarified that ProtonMail is a potential provider of assistance, placing them in a more generic context. However, Mr. Steiger insists that there have been no errors or misunderstandings in what he reports, and maintains that ProtonMail is offering “IP logging” services when the Swiss authorities request it. He even cites ProtonMail’s most recent transparency report, which mentions the following:
“In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law.”
Learned: @ProtonMail supports real-time surveillance measures, even without BGE … Explicitly mentioned as a positive example by cybercrime prosecutor Walder!
— Martin Steiger (@martinsteiger) May 10, 2019
ProtonMail is a Swiss-based end-to-end encrypted email service that has been one of the most popular choices among people who want to secure their email communication and keep the contents of their messages private. As expected, the company responded to Steiger’s claims by characterizing them as false statements and accusing the lawyer of knowingly spreading factually incorrect information.
The service clarifies that they are not offering assistance voluntarily, but only when obliged to by orders that concern criminal cases. Moreover, they highlight the fact that their service features end-to-end encryption, which practically means that they cannot provide unencrypted user messages to a court, no matter what order is issued. ProtonMail’s terms and conditions forbid users from using the email service to conduct illegal activities, and so when investigations concern such infringements, the company is always on the police’s side. However, they only do this when they are ordered by a Swiss court or prosecutor.
In his blog post, Mr. Steiger raises the problem that arises from metadata and how real-time surveillance is possible through their offering. Even if ProtonMail isn’t revealing the actual content of the email messages, the metadata would be enough for the authorities to draw safe conclusions and learn a lot about one’s life. This applies not only to ProtonMail but to all email services; the lawyer’s objection, however, boils down to the fact that the service is falsely advertised as an “ultimate privacy” email platform. The lawyer states that the data protection laws in Switzerland that ProtonMail loves to invoke in their promos are in principle not applicable to surveillance measures by secret services, police authorities, and public prosecutors.
Update (May 31, 2019): Here’s what ProtonMail said to TechNadu: “We think it should be obvious that ProtonMail does not engage in illegal obstruction of justice, and that when served with a lawful court order, we must comply, to the extent that is possible given our cryptography. ProtonMail has never been advertised as “ultimate privacy” from criminals, as alleged. In fact, our terms and conditions have always clearly stated that ProtonMail cannot be used for illegal purposes.”