Does ProtonMail really protect the privacy of Internet users? That is the question raised by a recent controversy in which the Swiss company handed over personal information from several French accounts to the authorities.
On Sunday September 5, 2021, Proton Technologies found itself in the middle of a major controversy. The company behind the ProtonMail service transmitted information on several of its users to the French courts.
The news was received very coldly by users, as ProtonMail is marketed as a secure, privacy-friendly messaging solution that keeps virtually no information about its customers. So why is this affair making so much noise?
What happened?
On September 5, in the middle of the afternoon, the SecoursRouge site published an article explaining that several French activists from the “Youth for Climate” collective had been placed under surveillance by the French authorities.
As part of this investigation, the French police sent a request for information via Europol (the European criminal police agency) to ProtonMail, the email service used by the collective. The company therefore transmitted the IP address of the accounts concerned to the Swiss authorities (who validated the request).
Does ProtonMail keep IP addresses?
Criticism has focused precisely on the issue of IP addresses. On its site, the company states that “by default, it does not record any metadata such as the IP address used to connect to its account”. How then could the activists' IP addresses be handed over to the courts?
The subtlety lies in the words “by default”. As the firm explained in a post on Reddit, “If we receive a legal order relating to a specific account, we may be required to monitor it.” The Swiss justice system, in agreement with the French authorities, therefore asked Proton to monitor the activity of certain accounts. Compelled by the Swiss Federal Department of Justice and Police (DFJP), Proton began to record the IP addresses of these accounts.
This does not mean that Proton keeps the IP addresses of all Internet users who visit its service. But if the courts order it in advance to keep certain details of future connections, ProtonMail may find itself forced to do so. As the CEO of the company explains on Twitter, “in the case of a criminal case, certain rights to privacy may be suspended by the authorities.”
Are my emails safe?
The judicial police report accompanying the case details the information that Proton transmitted to the authorities: the account creation date, the IP address linked to the account, and the fingerprint of the device used (smartphone or PC, native application or web interface, etc.).
No other information has, it seems, been communicated, and especially not the content of the emails. As the company details in its transparency report, “Under no circumstances will ProtonMail be able to deliver the content of end-to-end encrypted messages sent through ProtonMail.” Technically, the decryption key needed to access a Proton mailbox is in any case known only to the user of the account. Proton therefore cannot access the content of the emails.
Should I quit ProtonMail?
The controversy surrounding ProtonMail has swelled because the encrypted messaging solution is built precisely on promises of privacy protection and defense of personal data. But as the company writes, “whatever service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law.” And that is what Proton did here, apparently reluctantly.
“The lawsuits were particularly aggressive in this case,” says the company, which does not hesitate to criticize the French authorities, who use “more and more […] inappropriate anti-terrorism laws”.
This is not the first time that Proton has been forced to transmit information about its customers. The transparency report shows that in 2020, the Swiss authorities made 3,572 access requests and that 750 were contested by the company.
On Reddit, the company also points out that Proton is the only e-mail provider that offers an address accessible via Tor, the decentralized computer network which hides your IP address. Despite the controversy, Proton remains one of the consumer email services that offers the most security. On the other hand, the company is not above the law.