Protonmail has come under heavy criticism for logging the IP address of a French climate activist under orders from Swiss authorities which were in turn requested by the French Police to track down the activist in the first place.
The company has been pretty vocal about the incident on Twitter and Reddit and even explained on Monday, providing more information into the incident stating that the IP logging wasn’t by default and had to be done to cooperate with local authorities or, in this case, the Swiss law.
When initially contacted by the French Police, Protonmail didn’t cooperate, causing the former to reach out to the Swiss Police via Europol to force the company into giving up the data required. Overall, approval was required from three authorities in two countries.
In the News: Lenovo unveils IdeaPad Slim 5 Pro in India: Price and Specs
What’s the incident all about?
The whole thing kicked off in the past year when a group of people took over a few commercial properties and apartments near Place Sainte Marthe in Paris to fight against gentrification, real estate speculation, Airbnb and high-end restaurants.
Starting as a local conflict, the issue soon became a symbolic campaign attracting headlines. The group started occupying premises rented by Le Petit Cambodge — a restaurant also targeted in the November 13th terror attacks on Paris in 2015.
Protonmail’s slip up came to light on September 1 when the group published an article on an anticapitalist-news website Paris-luttes.info. The article stated police investigations and legal cases against a few of the group’s members.
It also stated that French Police reached out to Protonmail via Europol to request the identity of a group member using a Protonmail email address to communicate. The rest of the group also used the same email.
The very next day, a tweet surfaced by MuArF showing an abstract of the ongoing investigation detailing Protonmail’s reply to the request. The abstract clearly states the French Police received a Europol message with the details of the Protonmail account.
Andy Yen, Proton’s founder and CEO, reacted to the police report stating that they had no choice but to comply with the request. The Swiss authorities communicated it under a criminal offence charge. The company is trying to clarify that they didn’t cooperate with either the French Police or Europol but couldn’t fight the Swiss authorities’ decision.
“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with; there was no possibility to appeal this particular request,” said Yen in the announcement published by the company.
Yen also responded to the tweet about the police report, stating that the company must comply with Swiss law.
The company also notifies each individual whenever their data is requested to give them time and a chance to object to the data request either by ProtonMail or by Swiss authorities.
Protonmail does fight these reports when possible. “Whenever possible, we will fight requests, but it is not always possible”, adding that the company fought over 700 cases in 2020.
What seems to have happened in this case is Proton being obligated to comply with the Swiss authorities’ request as they were treating the charge as a criminal one, hence eventually getting the French Police what they wanted. For Protonmail, only the Swiss law matters, but that’s getting worse too.
Protonmail states in its transparency report that it received 13 orders from Swiss authorities in 2017, which rose to 3572 in 2020. The report also records a massive rise in foreign requests for data approved by the Swiss, rising from 13 in 2017 to 195 in 2020.
In the News: BrakTooth: 16 vulnerabilities that put billions of Bluetooth devices at risk