ProtonMail under fire over data handover

By Laura Berrill
Encrypted-email company ProtonMail faces criticism for handing over user details to authorities

The Swiss company sells itself on its privacy features, promising to let uses "take control" of their personal data.

But the company has now said it had been legally obliged to collect data from an account which is said to be linked to a “climate activist" arrested by French police.

The news also comes as world-wide-web inventor, Sir Tim Berners-Lee, joins the company's advisory board.

End-to-end encryption vow

In a press release announcing his appointment, Sir Tim said: "I am a firm supporter of privacy - and Proton's values, to give people control of their data, are closely aligned to my vision of the web at its full potential."

ProtonMail's website says its encrypted emails "cannot be shared with third parties".

It also says as well as offering end-to-end encryption, it did not, by default, keep "any IP [Internet Protocol] logs which can be linked to your anonymous email account". 

But some users felt it had failed to live up to that commitment. Now ProtonMail has removed it from the front page of its website, which it said it would update to clarify its obligations "in cases of criminal prosecution - and we apologise if this was not clear".

Its privacy policy now says: "If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation."

Order for data classed as ‘serious crime'

In a blog, ProtonMail said it had received a "legally binding" order from Swiss authorities to collect data. It added it had been unaware the targeted user was a climate activist.

The statement went on: "We only know that the order for data from the Swiss government came through channels typically reserved for serious crime".

The company says it has always been transparent that while it does not ordinarily keep logs, it can be required to record IP data linked to an account.

And internet archives show a section of its website, The Proton Mail Threat Model, had previously said: "The internet is generally not anonymous - and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address."

ProtonMail also publishes reports of the requests for information it receives.

Last year, it received more than 3,500 requests for assistance from Swiss authorities - compared with just 13 in 2017.

The company said it stood with activists and suggested those seeking anonymity also use The Onion Router (Tor) network, which hides users’ IP addresses under several layers of security.



Featured Articles

Exec Q&A with Michael Scharff, CEO & co-founder of Evolv AI

The CEO and co-founder of Evolv AI explains how they are optimising the customer experience and journey to be faster, smarter and more personalised

Exec Q&A with Karl Cheng, TMT Sector Leader of EY-Parthenon

Karl Cheng is Americas Technology, Media and Entertainment and Telecommunications (TMT) Sector Leader for EY-Parthenon, the global strategy consulting firm

Executive Q&A with CEO Guy Levy-Yurista of Synthace

Chief Executive Officer of Synthace, Guy Levy-Yurista, Ph.D, shares how the cloud-based Sythnace is changing the game for scientists within R&D

Executive Q&A with Shuki Licht, SVP & CIO, Finastra

Enterprise IT

Profits continue to soar for Belfast-based IT firm Kainos

Digital Transformation

Executive Q&A with Ciaran Dynes, CPO of Matillion

Cloud & Cybersecurity