Swiss-based, end-to-end encrypted and privacy-focused email provider ProtonMail has been under fire from some media and activists over the company's behavior as it complied with local law.
The case pertains to the disclosure of a user's IP address to Swiss law enforcement, on a warrant resulting from a request that reportedly came from the French authorities, who eventually arrested the person in question.
The target was a user who ProtonMail refers to as a French climate activist, while media reports suggest the person is a member of a group opposed to gentrification of some parts of Paris, who express their beliefs by occupying commercial property, including businesses and apartments.
One of the “occupied” pieces of real estate is rented by a restaurant – Le Petit Cambodge – that was the target of a terrorist attack in the French capital six years ago.
It is this group – the bio of whose apparent Twitter account, @MuArF, reads, “Troll & Anarchy” – that earlier this month said ProtonMail received the request to hand over the IP of one of its members via Europol, and complied.
ProtonMail CEO Andy Yen posted that ProtonMail must comply with Swiss law and that the company is required to respond to the authorities' requests when a crime is committed. He also clarified that ProtonMail was not working with either the French police or Europol.
Since the company also has its ProtonVPN service – and the Swiss law does not allow for logging VPN users' IPs, reports now speculate that the French activist could have removed any possibility of being tracked down had they used both, or a combination of the email service and Tor.
“If they were using Tor or ProtonVPN, we would have been able to provide an IP, but it would be the IP of the VPN server, or the IP of the Tor exit node,” Yen told TechCrunch.
On its website, ProtonMail sought to “clarify” the situation regarding the IP address disclosure, to say there had been no legal avenue for appealing the request.
But the company at the same time stressed that encrypted communication itself taking place on the platform – such as emails, calendars, files and attachments – are immune to legal orders.
ProtonMail also said that Swiss law prohibits sharing data with foreign governments, and that the company complies only with requests coming from Swiss authorities.