After being accused of lying about the tools put in place to protect the data of Internet users, ProtonMail modified several pages of its site, including the one concerning the company’s privacy policy. But the changes seem to be mostly on the surface.
At the beginning of September 2021, ProtonMail found itself at the heart of a major controversy. Forced by the Swiss justice to communicate information on the owners of a Proton mailbox, the company had to justify itself while it promises precisely ” do not log IP addresses [des internautes] by default. “
What changed ?
In a blog post published on September 6, company CEO Andy Yen recalls that Proton is not above the law and found himself obliged to monitor the activity of French activists who were using ProtonMail to activities deemed reprehensible by the French authorities. Specifying again that the registration of IP addresses ” is obviously not made by default », The person in charge still announced some changes in the way of operating of Proton. Changes in the privacy policy and in other parts of the site have already been made.
From the home page, the message sent by ProtonMail has changed. By comparing the page as it is today with an archived version a few hours before the outbreak of the controversy, we notice that the discourse is different. Proton no longer promises a ” anonymous email ” who ” does not log IP addresses by default “, But is content to highlight the fact that the service” respects privacy and primarily serves Internet users (and not advertisers) “. A link to the Tor version of the service is also displayed more prominently.
On the page detailing the security protocols implemented by Proton, it’s the same story. The reference to not registering “default” IP addresses has simply disappeared, as has the ” that no personal information is required to register for the service »(The IP being considered as personal data). The company is now content to say that it “ do not track internet users ” and ” does not build advertising profiles »From the personal information of its customers.
Modifications that are more aesthetic than practical
The privacy policy and the judicial transparency report published by the company have changed little. Just is it noted that “sIf you break Swiss law, ProtonMail may be forced to register your IP address », But that only Swiss justice can oblige the company to communicate personal information on its customers. More discreet additions on data retention to fight against spam and access to certain identifiers of the device connecting to ProtonMail have also been inserted.
The mention the reference ” email addresses, SMS and phone number “Which can be kept as long as” the legitimate interest of protecting the service against spam the request Is for example new. This data can a priori also be kept ” if Swiss legal obligations Ask. The vagueness surrounding the term ” legitimate interests Is not reassuring, especially when it comes to phone numbers. However, this is more of a general clarification than a profound change in the way ProtonMail manages its data since no phone number is required to register for the service.
A communication problem
More generally, the changes made by the company seem more aesthetic than practical. The processing of personal data operated by ProtonMail has not really changed, from what we can see. No wonder there, since the ProtonMail controversy was more a communication problem than anything else.
By posting everywhere on its site that the service ” did not register IP addresses by default ProtonMail had built an image of a hyperprivacy email client that did not record any data about you. But the company is not above the law and must obey the orders of the Swiss authorities if it is forced to do so. This means, as with all other sites on the web, that personal information (such as IP addresses) can be transmitted by order of justice. No web service can truly claim to offer “no-log” browsing, ie completely anonymous. If justice comes knocking on its door, a business must obey the law.
It is to avoid a new controversy that Proton no longer displays its promises of anonymous browsing so conspicuously. Well aware that the reputation of the service is at stake, Andy Yen nonetheless recalls that Internet users ” with advanced privacy protection needs Better to use Tor. ” The internet is generally not anonymous “Writes the CEO, who explains that this cannot be changed” because of the way the network works “. Far from condemning the climate activists at the heart of the matter, the CEO says the Proton team is ” also made up of activists “, And that the fight should rather focus around”unjust laws Increasingly used by governments. Or the art of extinguishing one fire by lighting another.
