ProtonMail, a Switzerland based email provider, has stated that it was forced to log the IP address of one of its customers after it received a legally binding order from the Swiss government that it couldn’t decline or legally appeal against. This was discovered after images of a French police report which showed that they had obtained the IP address of a climate activist who used ProtonMail was circulating on social media.
Over this weekend, this particular incident came to the attention of the public after it caused some unrest amongst ProtonMail users. The unrest was mainly because of ProtonMail constantly advertising their product as one that assures privacy, end-to-end encryption, and most importantly, no-log policies.
In a Reddit comment, ProtonMail perfectly summed up the whole incident, including how they cannot go against some legal obligations when it came to criminal investigations.
As seen above, they have clarified almost all the aspects of the issue by providing a complete and proper explanation for the incident with the inclusion of their objectives, links to their transparency report and privacy policies, and also about the law governing their actions along with its jurisdiction.
The case leading to the ProtonMail incident
In September 2020, a group of activists under the name ‘Youth for Climate’ led a series of anti-gentrification protests in Paris, France. The group reportedly occupied a series of squares and buildings in the Paris district of Place Sainte Marthe, to protest companies buying real estate and hiking up the rent prices up to four times the normal rate for local residents.
According to the same press release by Paris Luttes, the group used a ProtonMail email address to organize and coordinate their protests. This detail is suggested to have come to the knowledge of both the real estate companies, and thus, the French Police was called in to evacuate the group and investigate its members.
In another article by Paris Luttes, it was later revealed that the French Police worked through Europol, the EU’s premier law enforcement agency, to contact the Swiss government (one of the 27 member states associated with Europol) and ask for help in acquiring the details of the owner of the ProtonMail email address.
You may also like: Whatsapp fined $267m for violating GDPR
Legally binding order from Swiss govt.
As seen in a blog post published by ProtonMail, it has been clearly mentioned that:
“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.”
ProtonMail also clarified that they can’t, under any circumstance, bypass their encryption; meaning all emails, attachments, calendars, files, etc. cannot be compromised even under legal orders. The company also said that they do not give data to foreign governments, which is illegal under Article 271 of the Swiss Criminal Code.
The email provider has also created a page on its official website entitled, “Information for Law Enforcement Authorities” which highlights all necessary information, especially for such cases.
In this specific instance, ProtonMail has clearly stated that:
“There was no legal possibility to resist or fight this particular request”