Unpacking the ProtonMail incident

Full disclosure: I have an affiliate link with ProtonMail and ProtonVPN on my website. However, I have not received any compensation from them to write this article, and to my knowledge nobody’s ever even clicked on my affiliate links, meaning Proton has never actually paid me anything. :)

It’s hard to know where to begin this article. I guess I’ll start with the context: For the past year, an activist group was squatting in a number of abandoned apartments in Paris, apparently in protest of gentrification and other class-based poverty and housing issues. I was unable to find more information about the group than this to understand why the French government felt this situation so severe that they had to do what they did, but apparently that was the French government’s position.

One of the activists was using a ProtonMail email address for public correspondence, so the police decided to try to use this information to find the owner of the account. They then involved Europol – according to Wikipedia, Europol is the European Union’s police force, a law enforcement agency established in 1998 to handle criminal intelligence and combat “serious international organized crime” like terrorism and drug trafficking. It’s also important to note that Europol has no executive powers: they cannot make arrests and basically rely on the country they’re working with to do the dirty work.

It was with this in mind that the French police, knowing the email address and knowing that ProtonMail is a Swiss company, went to Europol and sought their help in forcing Switzerland to comply in helping to unmask the owner of this email account. This is where this week’s overblown scandal begins.

Let’s start with the unarguable facts: ProtonMail, for those who stumbled onto this article, is a popular encrypted email provider, probably the most popular in the world. According to Wikipedia, they have over 50 million users as of 2020. While it’s likely that some of those accounts are duplicates (by the way, that’s against their Terms of Service if you’re one of those people with duplicate accounts), that’s still a ton of users. ProtonMail is based in Switzerland, and as such they are only required to listen to Swiss authorities. This is why France went to Europol: alone, they couldn’t force ProtonMail to comply with any kind of request for user data. Europol, however could pressure Switzerland, who in turn could force ProtonMail to comply.

Another unarguable fact is that ProtonMail claims not to log user IP addresses by default. However, once Europol stepped in and the Swiss cooperation began, ProtonMail was forced to do this. Therefore, when the activist next logged into their ProtonMail account, Proton logged the IP address and device details and turned those over to Swiss authorities, who passed it along accordingly and ultimately this led to the identification and arrest of the activist.

Europol headquarters building

This immediately threw the privacy community into a fit. "ProtonMail said they don’t log IP addresses, but then they did! They can’t be trusted! They lied! They’ll turn over user data!" As usual, however, I think this is an unjustified reaction. I don’t think everyone freaked out for no reason, but rather for the wrong reasons.

Let’s start by correcting the misunderstandings: first off, the logging. Notice I said that ProtonMail doesn’t log IP addresses by default. Now, I truly understand how this could’ve been confusing to most people. For some weird reason I can’t explain, my brain is wired strangely and I pay attention to weird details others don’t. Not like the shoes you’re wearing or the books on your shelf, more like the words you use – or don’t use. As such, when I read that ProtonMail doesn’t log IP addresses by default, my brain read that as “they don’t do it for everyone or all the time, but they will under certain circumstances.” I never bothered to see what circumstances those would be, but I assumed “a lawful order” would be one. Proton has since changed their website to be less misleading and more transparent by removing that claim, as well as some other wording tweaks.

Now let’s unpack that “lawful order” bit. Why would I assume that Proton would comply with a lawful order? Because I’m not a psychopath. Did you know that in the military, there are lawful and unlawful orders? For example, “Go clean that toilet” or “stay late to finish up this project” are lawful orders. “Go murder this village full of innocent civilians” or “don’t report that I was doing drugs” are not lawful orders, and you cannot be arrested for disobeying those orders. The same is true in civilian life. When the cops come to my door and say “let me in,” that’s not a lawful order and I can tell them get off my lawn. But when they have a valid warrant, that is a lawful order, and if I tell them to piss off they can break my door down and come in by force and they won’t get in trouble for it.

There’s a lot to unpack in that last sentence that I can’t really get into here. There’s information about the scope of warrants – what you can and can’t do with them – and arguments about the state and their authority. There’s also appeals, and we should mention those because those apply to this story. Sometimes, you can appeal a decision. That’s one reason death penalties are so slow in the US (for better or worse), because the convicted person has multiple chances to appeal their sentence or even their case. Once again, there’s a lot of nuance there that falls outside the scope of this article. Here’s why I bring up the appeals process: you can’t always appeal. Sometimes it’s just not an option: for example, when a cop stops you on the side of the road and tells you to take a field sobriety test, you don’t get to appeal his command. You either do it, or resist and suffer the consequences. Sure, you can challenge the results either way after the fact, but you have no ability to appeal on the spot, so you have to do whatever you’re going to do in the moment. Likewise, if you lose the appeal, you have to comply. If you appeal your conviction and it doesn’t get overturned, you’re still in jail. You can’t just go home and call it square cause you think it’s unfair.

Why am I explaining appeals? Because this is exactly the situation Proton claims to have found themselves in. According to their own statement, there was no option to appeal the data demand from the Swiss authorities. Now, clearly Swiss laws don’t always come with this caveat, as ProtonMail has a long and proven track record of pushing back against Swiss orders they felt were unjustified, which is another point we should remember as we examine this story.

Okay so where are we? Well, assuming Proton’s word can be trusted, here’s what we know:

  • ProtonMail poorly worded their website
  • ProtonMail will log data if required to by a lawful order
  • Even when they appeal they still have to obey lawful orders if they lose the appeal.

There’s some additional things that warrant pointing out.

  • ProtonMail fixed their website as soon as the confusion became a problem
  • ProtonMail pushes back on lawful orders when possible
  • Only the IP address and device information was captured, not any actual content. (Metadata absolutely matters, but this is still worth noting for perspective)

So in my opinion, I think we’re being unfair to Proton. They didn’t lie intentionally (or at all, in my opinion), and they obeyed lawful orders. You know who doesn’t obey lawful orders? Criminals. And criminals get shut down and go to jail. You can’t honestly expect a legitimate company to refuse to comply with the law. They did their best to fix the confusion as soon as they saw it was an issue, which was a little too late but still I appreciate the swift response (still waiting on CTemplar to officially acknowledge their “catastrophic data loss” incident). And, as I mentioned, the data itself was safe. Again, metadata is crucial but I do think that’s still worth noting that they haven’t been proven to be lying about their security.

Earlier in the article, I said that I thought our anger as a community was misplaced. I don’t think we should be mad at Proton. I think we should be mad at the governments. Being mad at Proton for obeying a legal order is like being mad at the taxi driver for following the speed limit when you’re in a hurry. It’s asinine, entitled, and out of touch with reality. You should be mad at the people who made that stretch of highway a 40mph zone despite being in a rural stretch of land.

29 mile-per-hour speed limit sign, courtesy of thethruthaboutcars.com

We should be mad at the French government for feeling the need to cross international lines and get Europol and Switzerland involved in what was clearly a domestic issue – and not even a serious one, at that. I’d understand if they were tracking a serial killer or a kingpin, but a freaking activist? Who was squatting in an abandoned building? Surely there are better uses of their international resources. We should be mad at Europol for agreeing to help with such an asinine request. We should be mad at Switzerland for forcing ProtonMail to track their users and hand over data they knew was leaving the country. Proton’s users pick Proton because they – we – have faith in Swiss privacy laws. For them to knowingly betray that trust was the epitome of unethical government that we privacy advocates are always so concerned about. This doesn’t shake my faith in Proton specifically, but rather in Swiss laws, which means I’m more likely to take my business elsewhere where my data is more respected and protected. Sure, I’m just one person, but I can’t be the only one who feels this way.

Look, I like ProtonMail. I disclosed my affiliate link at the top of the article, but I don’t like them because I have an affiliate link. I have an affiliate link because I like them and I believe in them. When I started my website, I swore that I would always stay true to my morals: I would never recommend a service I wouldn’t be willing to use myself or suggest to someone I love. And likewise, I would never take money from a service that doesn’t share my value for privacy and security. I’m not defending ProtonMail because I’m a fan, I’m defending them because I genuinely think they were in the right here (at least 90%, I’ll admit the wording thing could’ve been better). Any regular DT readers know that I’m not afraid to call out a company I like when they do bad things. It is that in spirit that I beg my readers: be angry, but at the right people. Demand better laws, demand more honest politicians, and demand privacy be valued. Don’t blame those who abide by the law for bad laws.

Article submitted to decentralize.today by The New Oil blog's Nate Bartram. You can catch up with Nate and find more of his work on his website at thenewoil@xyz