ProtonMail forced to log user’s IP address after an order from Swiss authorities

Cyber Security

Following the incident the company has updated its website and privacy policy to clarify its legal obligations to its userbase

ProtonMail a Swiss-based secure email provider has been at the center of some controversy after it was forced to share the IP address of one of its clients, a climate activist, with law enforcement agencies due to a legally binding request by the Swiss authorities.

According to TechCrunch, which broke the story, the French law enforcement authorities were able to acquire the IP address of a French activist that was using ProtonMail’s services, by sending a request to the Swiss police through Europol.

“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request. As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account,” said Proton CEO Andy Yen in a blog post explaining the details of the incident.

The revelation was met with criticism from the company’s user base, with one user with the handle Etienne – Tek questioning what ProtonMail meant by its claim that it doesn’t keep any IP logs that could be associated with anonymous email accounts.


It seems that the company has since removed the claim from its website and amended its privacy policy. Yen said it would do as much in his blog, saying that the email provider would update its website in order to shed more light on its legal obligations when it comes to criminal prosecution cases and update its privacy policy to clarify its obligations under Swiss law.

However, he did highlight that ProtonMail’s encryption cannot be bypassed and that the company doesn’t give data to foreign governments, and it only complies with “legally binding orders from Swiss authorities”. The email provider also maintains that it doesn’t know the identity of its users due to its strict privacy measures.

Yen acknowledged that development is concerning, however he emphasized that the company does fight for its users, “Few people know this (it’s in our transparency report), but we actually fought over 700 cases in 2020 alone. Whenever possible, we will fight requests, but it is not always possible.”

Products You May Like

Articles You May Like

How adware exposed victims to kernel-level threats – Week in Security with Tony Anscombe
CrowdStrike Fault Causes Global IT Outages
HotPage: Story of a signed, vulnerable, ad-injecting driver
Play Ransomware Expands to Target VMWare ESXi Environments
Sunburst: US Judge Dismisses Most SEC Charges Against SolarWinds

Leave a Reply

Your email address will not be published. Required fields are marked *