There was a mini-uproar on Twitter yesterday about a Swiss business complying with Swiss law. In this case, the business in Protonmail and the uproar was because users expected them not to have the type of data that they turned over to law enforcement under a court order. Ravi Lakshmaman provides the context on The Hacker News:
End-to-end encrypted email service provider ProtonMail has drawn criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France.
The Switzerland-based company said it received a “legally binding order from the Swiss Federal Department of Justice” related to a collective called Youth for Climate, which it was “obligated to comply with,” compelling it to handover the IP address and information related to the type of device used by the group to access the ProtonMail account.
On its website, ProtonMail advertises that: “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”
Read more on The Hacker News.
TechCrunch has more details on the background of the case and the workaround that has Protonmail users especially concerned:
The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users.
So as long as Swiss authorities comply with mutual assistance requests from law enforcement elsewhere via Europol, Protonmail will have to comply.
Keep that in mind.
Nothing’s perfect. Protonmail has to comply with Swiss law/orders, but users can also take steps to give themselves additional protection for their IP address by connecting to Protonmail using a VPN or Tor network.