Protonmail provided the IP address of a climate activist to Swiss authorities, after which the activist was arrested. The privacy-focused email service was obliged to do so after it received an order from the Swiss authorities.
Protonmail would have initially received a request from the French police, according to a police report that appeared on Twitter. After the company rejected this request, the French authorities allegedly submitted a request to the Swiss police via Europol. The case was eventually taken up by Swiss authorities, who found that the climate activist violated Swiss law. The Justice Department then submitted the warrant to Proton. The CEO of Protonmail writes on Twitter that the company could not contest this decision.
Proton has responded to the incident in a blog post and on Reddit, stating, among other things, that the company does not monitor IP addresses by default. The company says it will only start logging the IP activity of specific accounts after the company receives a binding court order to do so from Swiss authorities, as also stated in Protonmail’s privacy terms. In addition, Swiss authorities only approve requests when Swiss law is violated by a suspect, Protonmail writes.
The company further emphasizes that Protonmail’s encryption cannot be circumvented, even if the company receives a court order to do so. The company also states that it does not share data with foreign governments, because that is illegal under Swiss law. “We only comply with the legally binding orders of the Swiss authorities,” Proton said.
Protonmail has been keeping a transparency report since 2014, in which the company describes how it handles court orders. The number of orders from the Swiss government to Protonmail has risen from 13 to 3,572 since 2017. In 2017, the company objected to three requests; last year that number was 750.
In the blog post, Protonmail further writes that the company also offers a Tor website that should facilitate anonymous access to the email service. In the future, Proton will also indicate more clearly in which cases the company must comply with requests from authorities on its website.
A statement from Protonmail