Switzerland-based email provider ProtonMail has come under fire for sharing one of its customers’ IP addresses with the police.
TechCrunch reports that the service, which punts its end-to-end encryption as a major feature for protecting its users’ emails, provided Swiss police with a French activist’s IP address earlier this year.
The ProtonMail user is a member of a group of young anti-gentrification activists who forcibly took over several commercial premises and apartments near Place Sainte Marthe in Paris.
The group has protested against companies buying real estate and hiking up locals’ rent prices up to four times. It is also opposed to Airbnb and high-end restaurants.
Real estate companies discovered an activist used the ProtonMail email address to coordinate the group’s efforts and approached French police to investigate.
The French police then reached out to Swiss police to acquire the IP address via cross-border law enforcement agency Europol.
The activist group acquired an abstract of a police report with ProtonMail’s reply to the Swiss police’s request, which it then posted on the anti-capitalist news website Paris-lutte.info.
In response to the backlash on Twitter, ProtonMail founder and CEO Andy Yen explained that ProtonMail must comply with Swiss law.
“As soon as a crime is committed, privacy protections can be suspended, and we’re required by Swiss law to answer requests from Swiss authorities,” Yen stated.
“There was no legal possibility to resist or fight this particular request.”
Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.
— Andy Yen (@andyyen) September 5, 2021
Swiss law also obliged ProtonMail to notify a suspect that their data was requested, which is not the case in most countries.
However, the police had secured a gag order which prevented ProtonMail from disclosing the incident to the user while the investigation was ongoing.
Yen added that ProtonMail’s encryption was not bypassed in the investigation and that the company does not log the IP addresses of its email users by default.
Yen also highlighted that VPN services received different treatment than email services in Switzerland, which meant that authorities could not use the same legal mechanism to force the company to log the IP addresses of ProtonVPN users.
Users continued to berate ProtonMail for providing the information to authorities for the investigation into the activists, but not doing so for previous instances where ransomware hackers had used its email service.