Attention Proton-Mail users!

Which data is stored?

Almost one year ago we removed the Proton Mail and Wire smartphone apps from XStealth and XStealth Lite. At that time we had suspicions about how user IP addresses are handled and about how real the encryption is; those suspicions have now turned into evidence.

But before going further with the investigation, we have to remind you of our approach to encryption: it is for average people's use and will defend you only against (some) hackers. It will not defend you at all against law enforcement agencies, police, homeland security agencies and so on. Why? Simply because there is a master key for every encryption solution, whether email, SMS, VoIP or anything else, and it is called an interception warrant.

“It doesn’t matter which service you use, if it’s not 15 miles offshore in international waters, the company will be required to comply with the law,” Andy Yen, head of ProtonMail, wrote in a blog post.

Last weekend, a scandal erupted around the secure email service ProtonMail: the service’s management announced that it had recently been forced to disclose the IP address of one of its users, because ProtonMail had received an order from the Swiss authorities that could not be appealed or refused.

The incident is related to a series of protests against gentrification that took place in Paris in the summer and autumn of 2020. A group of activists from Youth for Climate occupied a number of squares and buildings in Paris in protest against companies buying up real estate and raising rents for local residents fourfold.

The activists used a ProtonMail inbox (jmm [***] @ protonmail.com) to organize the protests, and this attracted the attention of both the real estate companies and the French police.

Last week, Paris Luttes (Paris Struggles) reported that the French police and Europol had contacted the Swiss government and asked for help in obtaining details about the identity of the mailbox owner.

“Proton received a legally binding order from the Federal Department of Justice and Police that we were required to comply with. Under Swiss law, the suspect must be notified that his information has been requested, which is not the case in most countries,” ProtonMail explains.

However, Andy Yen said that a separate non-disclosure order prevented the company from notifying the user in time about what was happening. In other words, the service was compelled to record the IP address that the French activist used to log into his ProtonMail mailbox and hand it over to the authorities. Note that the order concerned the IP address used to log in, i.e. connection metadata, rather than the contents of the mailbox.

Proton may be required to collect information on accounts belonging to users who are under criminal investigation in Switzerland. Obviously this is not done by default, but only if Proton receives a legal order concerning a specific account. The Internet is for the most part not anonymous, and if you are breaking Swiss law, a law-abiding company like ProtonMail may be legally obliged to retain your IP address.

In doing so, Yen tried to defend the Swiss legal system as a whole:

The Swiss legal system is not perfect, but it has a number of checks and balances, and it is worth noting that even in this case, the approval of three governing bodies from two countries was required, which is a fairly high bar that prevents most (but not all) abuse of the system. […] Finally, Switzerland is generally not conducive to prosecutions that come from countries where there is no fair justice system.

ProtonMail users, of course, did not like what happened. Many recalled that ProtonMail has been used by ransomware operators, blackmailers and other criminals for years, yet the company’s management ended up assisting an investigation that targeted an activist rather than the capture of yet another extortion group.

ProtonMail has also been heavily criticized for its marketing: the company has promised users “anonymous email” for years, while its latest transparency report shows that the number of requests it receives from the authorities is growing rapidly, from 13 requests in 2017 to 3,572 last year (195 of them from foreign authorities).

As a result, the company changed its privacy policy, which until recently read: “By default, we do not keep a log of IP addresses that may be associated with your anonymous email account.” The phrase “we don’t log IP addresses” has now been removed and replaced with: “ProtonMail is email that respects privacy and puts people (not advertisers) first.”

Is ProtonMail lying about their encryption?

In response to Nadim Kobeissi and LiveOverflow