ProtonMail hands user's IP address and device info to police, showing the limits of private email

ProtonMail hands user’s IP address and device info to police, showing the limits of private email

They say there’s two sides to every story. Depending on your point of view, you may have heard a recent story that’s either about overreaching law enforcement and protestors exposed by organisations happy to hand over revealing data despite saying they won’t.


What happened?

ProtonMail offers end-to-end encrypted mail services. It’s one of those mail services people turn to should they require reassurance that what they do is kept private. 

There is a niche out there for privacy-focused people who’ve always wanted mail services. This is why services such as ProtonMail, Hushmail, PrivateMail and others are always in demand.

You may have run into Hushmail in the olden times (1998 onwards). They offered a similar service with the expectation of security and privacy for communications. At least some of their popularity at the time was based on geographical location. If they’re in Canada, legal demands for data would take time, so the theory went. At a bare minimum, anything handed over to law enforcement would surely be in encrypted form.

That was the theory, anyway.

Back in the day…

In 2007, reality came knocking at the door in the form of articles with titles like “Encrypted e-mail company Hushmail spills to feds”. US Law Enforcement made use of a US / Canada mutual assistance treaty and had a Canadian court serve up the necessary court order.

“12 CDs worth of e-mails from three Hushmail accounts” related to alleged steroid dealer antics were turned over to law enforcement. The bottom line from Hushmail’s then CTO was essentially that if you were engaged in illegal activity? Forget it. Not only are you breaking the Hushmail T&Cs, but you’re also breaking the law. Though they fight and resist many requests for information, the knock at the door for bad antics will happen eventually.

This seems to be a reasonable stance, unless you expected Hushmail to operate on the moon or some sort of abandoned platform in international waters. Privacy and avoiding snooping? Sure. Using our services for something illegal? Sorry, out you go.

Now we come to the present day.

Stop me if you’ve heard this one.

The ProtonMail situation: Nothing new under the sun

A lot of people are quite angry with ProtonMail at the moment. The reason? It handed a user’s IP address and device information to the police. This has, as expected, caused a bit of a privacy backlash. “Why are you storing things” seems to be the most common complaint. However, as the company pointed out, it doesn’t collect information on accounts by default. This is something that has to be enabled after a legal order:

In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).

Sometimes things have the inevitability of a runaway freight train, and this sounds like it fits the bill.

Of transparency and privacy policies

ProtonMail’s statements goes on to say:

As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed, meaning emails, attachments, calendars, files, etc, cannot be compromised by legal orders.

Remember what I said about Hushmail and abandoned platforms in international waters? Here’s ProtonMail on this very subject:

Third, no matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. This case does illustrate one benefit of ProtonMail’s Swiss jurisdiction, as no less than 3 authorities in 2 countries were required to approve the request, which is a much higher bar than most other jurisdictions. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested.

One more incident for the road?

ProtonMail has a full run-down of the current situation here, which links to their Transparency Report, which has been published since 2015.

I think realistically, we’d be hard pressed to lay blame at ProtonMail’s feet here. It’s called the long arm of the law for a very good reason, and it sounds as though no other options were available. Unlike the now ancient Hushmail case in 2007, email contents were also unavailable to investigators. I don’t remember if organisations in similar situations were publishing transparency reports back then, but I suspect it wasn’t common.

In many ways, this is a small improvement on what things used to be like. However you stack it up though, if you’re breaking the ToS of a service and breaking the law, you can probably only fend them off for so long. A third party encrypted mail service complying with local laws in the region they’re based in isn’t going to be your salvation. This situation will occur again, it’s inevitable. The only real surprise, is that we appear to have been taken by surprise.

If you’re wanting to lock things down yourself, this article may be a good place to start. Just don’t get up to anything illegal, because if you do then all bets are most definitely off.