Facepalm: Proton Mail is facing renewed accusations of handing user data over to law enforcement agencies. The Swiss company provides a secure email service with end-to-end encryption, ostensibly to protect its customers' identities from prying eyes. However, recent events suggest otherwise.
Proton Mail recently came under scrutiny for (indirectly) providing Spanish authorities with enough data to identify and arrest a member of the Catalan independence organization Democratic Tsunami. The company said it was compelled by Swiss law to cooperate with law enforcement, and attributed the Spanish police's success in apprehending the individual partly to that person's lack of a proper operational security (OpSec) policy.
Update (May 14): Proton contacted us with some clarification about this story, and about which data it says was shared and which wasn't. According to the company, it did not share any data with a foreign government; it is, however, bound by Swiss law to cooperate with Swiss authorities once a court order is issued. The quote below from Proton's PR department has been edited for brevity:
Proton responded to a request from the Swiss authorities. The way this (article) is written makes it seem like Proton cooperates or communicates directly with foreign law enforcement, which we don't do. It would be illegal to do under Swiss law, and the suggestion that we do could be concerning for many users.
Proton's robust encryption helps during these situations. This can be demonstrated by the fact that the Spanish authorities were unable to gather any information from Proton beyond the recovery email – as even Proton cannot see files, email contents, or any other personal information related to users' accounts, this information cannot be shared with authorities on request.
Proton Mail's primary service is an end-to-end encrypted email platform established in 2013. The platform aims to ensure that email content remains unreadable both to third parties and to the company itself. However, end-to-end encryption covers only message contents: account metadata that passes through Proton's servers in the clear, such as connecting IP addresses, device details, and any recovery email address a user has attached to the account, is visible to the company and could potentially be used to identify individuals.
In a separate incident in 2021, Proton Mail was required to provide Swiss authorities with the IP address and device details of a French climate activist. This information was subsequently used by French authorities to apprehend the activist. Proton Mail clarified at the time that while email content is encrypted, the company is obligated to comply with lawful Swiss access requests for any unencrypted data passing through its servers in criminal prosecution cases.
In the recent case involving the Spanish police, Proton was seemingly compelled to hand over the recovery email address, an Apple (iCloud) address, that a user known as "Xuxo Rondinaire" had attached to the account. The user was suspected of collaborating with Catalonia's police force, the Mossos d'Esquadra, while covertly aiding the independence movement in the region.
Authorities then requested the account data tied to that address from Apple, which enabled them to identify the individual behind the pseudonym. Proton CEO Andy Yen confirmed that the personal data used to apprehend the alleged "terrorist" was provided by Apple, not Proton. Yen emphasized that Proton cannot decrypt user data, but that Swiss courts can mandate the sharing of recovery email addresses in "terror cases."
In a written statement, Proton AG clarified that its email service stores "minimal user information" and does not guarantee complete anonymity. Customers who need stronger protection should apply proper operational security (OpSec) measures, such as not linking an address tied to their real identity (for example, a genuine Apple account) as the optional recovery method. A recovery address is not mandatory for using Proton Mail, but once one is set, it is stored unencrypted and the company can be compelled to disclose it under a Swiss court order.