Riseup, which is an email and VPN provider based in the United States, was forced to comply with data requests a few years ago:

After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization).

We have been keeping a close eye on the privacy space for years now, and this is not the first time something like this has happened.

Other email providers that have bowed down to logging demands

Before you rush to condemn ProtonMail, you should understand the situation a bit more with some background information.

This was first noted by Martin Steiger in Switzerland here. ProtonMail’s Transparency Report shows numerous cases where they have complied with various court requests for user data.

And similar to the current logging case, ProtonMail did some major site revisions by changing the wording of the Transparency Report after some other cases came to light. This is detailed on the Transparency Report here. We should also point out that ProtonMail has logged users in the past when ordered to by a Switzerland court.

Not the first time ProtonMail has logged users

You can read ProtonMail’s response to the situation here. With just one quick request through a Swiss court, however, an outside government or agency could quickly get all the logs they needed to find and arrest the ProtonMail user they’re looking for. Technically, they probably did not keep any IP logs by default - but that is the key distinction. In ProtonMail’s defense, it does not seem like anything changed.
Gone is the claim, “we do not keep any IP logs which can be linked to your anonymous email account.”

ProtonMail’s new homepage (after the logging scandal).
Using the Wayback Machine, we can see that ProtonMail did some editing to its website in the wake of this logging incident. While trust is very subjective, ProtonMail’s logging activities and subsequent website revisions have certainly raised some eyebrows.
When a privacy service’s claims do not line up with reality, trust is eroded and potentially lost forever.

ProtonMail scrubs “we do not keep any IP logs” from its website… after IP logging incident

It is also interesting how ProtonMail responded to this situation and the subsequent website revisions.

The “extremely limited user information” is enough to find and arrest a ProtonMail user, with IP address and device info data.

Governments can simply go through a Swiss court and then ProtonMail will start logging any user that is requested by the court.

Switzerland jurisdiction does not mean very much.

So now let’s compare the reality of this situation with ProtonMail’s claims. Here is how ProtonMail advertises itself and its Switzerland jurisdiction. Not only have they claimed to not keep any IP logs by default, but they also regularly tout their Swiss jurisdiction, which allegedly confers legal independence. In the case of ProtonMail, they have boldly touted their privacy and security credentials for years. We place a lot of trust in privacy services to do what they actually say.

ProtonMail touts Swiss jurisdiction and privacy protection

But should we jump to condemn ProtonMail or is this type of situation inevitable with privacy services? Let’s examine how ProtonMail responded to the situation and put it into context by comparing it to other cases where email and VPN services provided logs to authorities - as well as cases when they did not. The key evidence of what transpired behind closed doors was a court document detailing how ProtonMail provided IP address logs of its user to French authorities. The news gained traction first on Twitter, with various media outlets also picking up the story. The logs that ProtonMail provided helped the police to further build a case against the person, ultimately leading to his arrest.

Note: ProtonMail has provided us with more clarification, stating that the location and identity of the suspect were already known to the police.
So received a legal request from Europol through Swiss authorities to provide information about Youth for Climate action in Paris, they provided the IP address and information on the type of device used to the police - Etienne – Tek September 5, 2021