ProtonMail is usually in the news for its strong privacy features and how it serves as a privacy-friendly Gmail alternative. However, that’s not the case this time around. The company is currently facing widespread criticism for logging the IP address of a French activist and revealing it to law enforcement authorities. Disclosing this piece of information has led to the arrest of the activist. In this article, we will be discussing what exactly happened and why ProtonMail revealed the IP address of its user. Also, we will talk about whether you can still trust ProtonMail with your privacy and its alternatives.
ProtonMail Logged IP Address of French Activist: Everything You Need to Know
Why Did ProtonMail Log IP Address?
Before we get to the part about why ProtonMail logged the IP address, it’s important to have some background info on the incident to understand the big picture. Over the past year, French climate activists have been taking over commercial apartments near Sainte-Marthe, France. As per the activists, this move is to fight against gentrification. For those unaware, gentrification is the process in which a neighborhood gets occupied by relatively wealthy people. It is followed by an influx of real estate investments, leading to an increase in the cost of living for an average person in the area.
The activists in question were part of Youth For Climate / Fridays For Future, a climate strike movement initiated by activist Greta Thunberg. According to Secours Rouge (French arm of International Red Aid), at least one of the Youth For Climate activists used ProtonMail for communications. ProtonMail typically doesn’t share data with French authorities since it is based in Switzerland and abides by Swiss laws. However, the French police sought the assistance of the Swiss government via Europol in their investigation. This move led ProtonMail to log the IP address of its user after getting the legal request.
What Did the Authorities Demand and What Did ProtonMail Disclose?
As mentioned above, ProtonMail can’t directly share data with foreign governments. In fact, doing so is illegal under Article 271 of the Swiss Criminal Code. The police gained access to the IP address because Swiss authorities chose to cooperate with the French government. ProtonMail also points out that Swiss authorities will only approve requests that meet Swiss legal standards.
So, what else did ProtonMail disclose? Thanks to ProtonMail’s encryption, the contents of the emails, including text, attachments, and media, are not accessible even with legal orders. In a blog post clarifying its stance, ProtonMail mentioned that, even with IP logging, it doesn’t know the identity of its users. “At no point were we aware that the targeted users were climate activists. We only know that the order for data from the Swiss government came through channels typically reserved for serious crimes,” wrote the company.
Under Swiss law, ProtonMail should notify the user if a third party makes a request for their private data and if the data is for a criminal proceeding. However, there’s a big catch/loophole here. On its law enforcement page, ProtonMail highlights that the notification can be delayed in the following cases:
- Where providing notice is temporarily prohibited by the Swiss legal process itself, by Swiss court order, or applicable Swiss law;
- Where, based on information supplied by law enforcement, we, in our absolute discretion, believe that providing notice could create a risk of injury, death, or irreparable damage to an identifiable individual or group of individuals;
- As a general rule though, targeted users will eventually be informed and afforded the opportunity to object to the data request, either by ProtonMail or by Swiss authorities.
This incident seems to fall under the first case, and that’s why ProtonMail didn’t notify the user. “Some orders are final and cannot be appealed, that’s just how the legal system works, not everything can be appealed. The user wasn’t notified for the same reason that you don’t notify a suspect before arresting them,” says ProtonMail founder Andy Yen.
According to a copy of the police report circulating on Twitter, the details French Police managed to find include the email address creation date, the IP address of the user, the device used, and the phone number tied to it.
What About ProtonMail’s No Log Policy?
At this point, you might be wondering about the no IP logging policy that ProtonMail boldly advertised on its website’s home page until now. Well, that claim is no longer present. The company has updated its home page to remove the mention of not keeping IP logs, which is one of the reasons why we got here.
Here’s what the old copy said, thanks to a backup on The Internet Archive: “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”
And here’s what the updated copy states: “ProtonMail is email that respects privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that. We also provide an anonymous email gateway.”
You can check them out in the image comparison below:
It’s also worth clarifying that ProtonMail doesn’t collect IP addresses by default. Instead, the monitoring/logging starts after ProtonMail gets a legal request. “In extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities. Whether or not a case qualifies for these enhanced obligations is determined solely by Swiss authorities and not by ProtonMail,” reads the company’s transparency report.
Is ProtonVPN Safe to Use?
Apart from ProtonMail, Proton Technologies has a popular VPN service that people often recommend as the best free VPN service. If you are a ProtonVPN user who’s questioning the company’s integrity after the IP logging incident, here’s what you should know. According to the company, their email and VPN services are subject to different terms under current Swiss law. Hence, the firm mentions that the law authorities can’t force them to log ProtonVPN user data.
How to Make ProtonMail Safer?
If you want an additional layer of privacy, ProtonMail has an onion site you can use from the Tor browser. It has been around since 2017, and ProtonMail highly recommends using this if you are actually conscious about your privacy. Because the connection reaches ProtonMail through the Tor network, the address the service sees, and could be ordered to log, is not your own IP address. If you are not someone who’s at high risk, you could also consider investing in a good paid VPN.
Can You Still Trust ProtonMail to Uphold Your Privacy?
So, what did ProtonMail get wrong in this incident? For starters, the lack of transparency about its features right on its front page. From a company claiming to be a secure email service, we expected better disclosure of how it handles legal requests. The previous copy of the site’s home page claimed not to keep any IP logs by default, which is indeed misleading to the average customer. However, it’s worth mentioning that the company has now updated the wording to reflect reality better.
If you want to switch from ProtonMail, you can consider an alternative service like Tutanota or Posteo. You will find more such privacy-centric email services in our articles about the best Gmail alternatives and best free email service providers. If you ask me, Tutanota or Posteo is what you should be looking at if you value your privacy. However, even these services are not immune to local laws. So you are not gaining a lot if you make the switch.
ProtonMail’s French Activist IP Logging Incident Explained
So that’s everything you need to know about the ProtonMail French activist IP logging incident. Meanwhile, you could also use secure messaging apps like Signal or Matrix-based Element for sensitive chats. If you have any other queries, feel free to drop us a comment below, and we will try to help you out.
Thank you for the article. I would like to add that you should always worry about your privacy. I chose Utopia about a year ago, and now I sleep well)
Nice overview, thanks.
Are there email providers in jurisdictions that do not have the loophole described above?
Or, at least, enabling providers to alert users when given legal orders?