ProtonMail issues IP of a French activist to police

[German]Swiss-based email service ProtonMail offers end-to-end encryption of mails before they are sent to ProtonMail's server. ProtonMail is operated by Proton Technologies AG, which is based in Plan-les-Ouates (Canton of Geneva). Its servers are located in two locations in Switzerland, outside EU and US jurisdiction. As a result, ProtonMail is (supposedly) considered a "secure email service and haven of privacy." Now ProtonMail has again releaed the IP address of a French activist to the police.


Advertising

ProtonMail releases data to the U.S.

First, a review: After all, I had already pointed out at the beginning of August 2021 in the article ProtonMail and the user data transfer to the US that the use of ProtoMail does not ensure that no user information goes to other countries. Anyone who maintains a mailbox with this service can have their data end up in the U.S. very quickly. I came across the issue in question via a tweet by Jens Kubieziel.

ProtonMail

ProtonMail, which claims to be a "secure email service from Switzerland", provides user data to security authorities. The details can be read in the linked blog post – regarding the legality of the data transfer – good or bad – I don't want to start a discussion about that.

IP of a French activist logged

Now there is a second case that became known. A police report revealed that the French authorities managed to identify the IP address of a French activist who used the online service ProtonMail. The background to the whole thing: for the past year, there has been an occupation of business premises and apartments near Place Sainte Marthe in Paris by activists. These fight against gentrification, real estate speculation, Airbnb and high-end restaurants. The squat, which started as a local conflict, quickly turned into a symbolic campaign that made headlines when activists began occupying rooms rented from Le Petit Cambodge. The restaurant was the target of the November 13, 2015 terrorist attacks in Paris..

On Sept. 1, the activist group published an article on Paris-luttes.info, an anti-capitalist news website, Techcrunch writes here. In the article, the group summarized information about various police investigations and court cases against some members of the group.


Advertising

French police sent through Europol a request to the Swiss police to force the Proton, the company behind ProtonMail, to identify the IP address of one of its users. It is probably the IP address of the person who set up a ProtonMail account – the police wanted to use it to find out the person's identity.

The activists of the group used this ProtonMail email address for communication. The address was also distributed on various anarchist websites. Based on this order of the Swiss police, the IP address was released and the activist was arrested. ProtonMail has released this statement on the case.

We would like to provide important clarifications regarding the case of the climate activist who was recently arrested by French police on criminal charges. We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way. In the interest of transparency, we would like to provide additional context. 

In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.

As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account.

It's not clear, according to Techcrunch, when exactly the affected account holders were informed that their data was requested by the Swiss authorities, because according to ProtonMail, notification is mandatory under Swiss law. Here, however, Proton refuses to provide any information, citing the ongoing proceedings, and referred Techcrunch to the Swiss authorities who created the request for information.

Under Swiss law (Proton said in this document), a user must be notified if a third party requests their private data and that data is to be used in criminal proceedings. However, under certain circumstances, notification can be delayed. Currently, it is unclear what exactly happened and what order was in place regarding the blocking of information by Proton.


Advertising

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).