Security-centric email service ProtonMail has come under criticism for its role in the arrest of a French activist who was using the platform.
In response to a court order, the company provided law enforcement with the IP address of the individual, who is part of a group that occupies premises in Paris illegally in protest of rising real estate prices and gentrification.
Proton says it did not cooperate directly with French police, but was required to abide by local laws in Switzerland, where the company is headquartered. Swiss police received a request for information from French authorities, via law enforcement agency Europol.
Predictably, the case has given rise to concerns among ProtonMail users who rely on the service to protect their privacy. Although there is an important distinction between privacy-preserving technologies (e.g. VPNs) and security-centric services (like ProtonMail), a common assumption is that the two qualities go hand-in-hand.
In response to criticism of its cooperation with law enforcement, Proton released a statement from CEO Andy Yen, who insists the company’s hands were tied on the issue. He also expressed his distaste for the case against the French activist, and implied that legal tools designed to shield against serious crime had been misused in this context.
“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with,” he wrote. “There was no possibility to appeal this particular request.”
“No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law.”
Although he reserved some praise for the protections afforded by the Swiss legal system, Yen also described a worrying increase in requests for information from law enforcement agencies.
As per the company’s transparency report, the number of information requests submitted by Swiss authorities skyrocketed from just 13 in 2017 to more than 3,500 last year.
To shield against court orders of this kind, Yen suggests users obscure their IP address by routing their traffic through VPN services (like ProtonVPN) or Tor browser. This way, any IP addresses provided to Swiss authorities will correspond with the VPN server or Tor relay, revealing nothing about the individual’s location.
ProtonMail has promised to amend its website to better clarify its obligations with regards to criminal investigations.