Proton Mail Discloses User Data to Law Enforcement
The secure email service Proton Mail is once again facing criticism after disclosing user data to law enforcement authorities. Proton offers a range of services marketed as secure and private, including Proton Mail, which features end-to-end encryption. The company claims its products are designed for privacy-conscious users, ensuring that no one can read the contents of emails or attachments, with no advertising trackers and adherence to “the highest privacy standards.”
However, Proton does have access to certain user information, which it sometimes shares with third parties. One notable scandal occurred in 2021, when Proton was compelled to log the IP address of a user who accessed their Proton Mail account. This action was taken in response to a binding order from Swiss authorities, which could not be appealed or refused. The user in question, a French activist, was later arrested after Proton shared this data with French police.
Following this incident, Proton removed statements from its website claiming it did not track user IP addresses and updated its privacy policy. The previous wording, “by default, we do not keep any IP logs which can be linked to your anonymous email account,” was replaced with: “ProtonMail is email that respects privacy and puts people (not advertisers) first.”
Proton has also previously faced accusations of assisting authorities and enabling real-time surveillance of users.
Recent Case Involving Spanish Police
It has now come to light that Proton provided the Spanish police with the recovery email address linked to a person suspected of supporting Catalan separatists. Spanish authorities reportedly passed this email address to Apple, which was then able to identify the individual associated with the account. As a result, the suspect was arrested.
Proton confirmed to the digital rights organization Restore Privacy that it was aware of the case, but stated that it was bound by Swiss anti-terrorism laws. A Proton representative explained, “Proton holds minimal information about users, as shown by the fact that in this case, the data used to identify the terrorism suspect was obtained from Apple. Proton provides privacy by default, not anonymity by default, because anonymity requires certain actions from the user to ensure proper operational security, such as not adding an Apple account as a recovery method.”
Andy Yen, CEO of ProtonMail, further clarified on X (formerly Twitter) that when the company receives a court order from a Swiss court, it simply cannot ignore it. “The name/address of the terrorism suspect was actually provided to the police by Apple, not Proton. The suspect added their real Apple email address as a recovery address in Proton Mail. Proton cannot decrypt data, but in terrorism cases, Swiss courts can obtain the recovery email address for the account,” Yen wrote.