Encrypted email company ProtonMail has faced criticism again after handing over user details to the authorities. The Swiss firm markets itself based on its privacy features, allowing users to “take control” of their personal data.
According to Proton, its “end-to-end encryption and zero-access encryption ensure only you can see your emails,” and “not even Proton can view the content of your emails and attachments.” However, news service VilaWeb reports that the mailing service allegedly handed over an account’s recovery email address information to Spanish police concerning a suspect believed to be supporting the Catalan independence organization, Democratic Tsunami.
Apple was then allegedly able to provide information about the suspect’s recovery email address, name, home address, and phone number. Under national security claims, ProtonMail handed over the details of an account belonging to an individual using the pseudonym ‘Xuxo Rondinaire.’
This individual is suspected of being a member of Catalonia’s police force, also known as Mossos d’Esquadra, and allegedly used their insider knowledge to support the Democratic Tsunami movement.
The requests were made under anti-terrorism laws, though the primary activities of the Democratic Tsunami were protests and roadblocks, raising concerns about the proportionality and justification of such measures.
Social media users criticized the move, stating that it essentially renders encrypted messages pointless. As one security expert said, “whatever we know about you that isn’t encrypted end-to-end is fair game.”
This is your regular reminder that metadata matters.
In this case, the activist was deanonymized via the backup email for the Protonmail account that he used to set up Wire, which was an iCloud account linked to his real identity. https://t.co/sxGfCaAwIy
— Eva (@evacide) May 8, 2024
Climate activist exposed by protonmail.
– Sure, your email is secure, but whatever we know about you that isn't encrypted end-to-end is fair game when the government hands us a subpoena https://t.co/mYqVWf9A9H
— Christoffer Jerkeby (@Kuggofficial) May 13, 2024
In 2021, ProtonMail came under scrutiny for complying with a legal request that resulted in the arrest of a French climate activist. Under Swiss law, ProtonMail was obligated to provide the individual’s IP address to Swiss authorities, who subsequently shared it with French police. ProtonMail’s compliance with these requests is governed by Swiss law, which requires cooperation with international legal demands when properly channeled through the Swiss court system.
Why did Proton Mail reportedly provide user data?
Speaking to the advocacy group Restore Privacy, the messaging company said: “We are aware of the Spanish terrorism case involving alleged threats to the King of Spain, but as a general rule we do not comment on specific cases.”
A spokesperson stated that Proton had “minimal user information,” pointing out that data about the suspect was obtained from Apple. They added: “Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method.
“Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order, as terrorism is against the law in Switzerland.”
On its website, Proton states: “Under Swiss law, we’re required to cooperate with law enforcement agencies on criminal investigations within the framework of Swiss laws and privacy regulations.”
ReadWrite has reached out to Proton for comment.