Proton Mail has come under scrutiny for its role in a legal request involving the Spanish authorities and a member of the Catalan independence organization, Democratic Tsunami.
Proton Mail is a secure email service based in Switzerland, renowned for its commitment to privacy through end-to-end encryption and a strict no-logs policy. In 2021, Proton Mail faced controversy when it complied with a legal request that led to the arrest of a French climate activist. Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.
The recent case involving the Spanish police this time, highlights privacy concerns and the limits of encrypted communication services under national security pretexts, and brings a long-debated subject to the forefront once again.
The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
This case is particularly noteworthy because it involves a series of requests across different jurisdictions and companies, highlighting the complex interplay between technology firms, user privacy, and law enforcement. The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
Like before, Proton Mail’s compliance with these requests is bound by Swiss law, which mandates cooperation with international legal demands that are formalized through proper channels (Swiss court system).
Last year, when we noted that Proton Mail complied with nearly 6,000 data requests in 2022, Proton provided us with an explanation that inbox contents remain secure.
Please note that in all cases email content, attachments, files etc are always encrypted and cannot be read.
Proton statement to RestorePrivacy last year
Looking at Proton’s transparency report, we find that Proton Mail complied with 5,971 data requests last year alone, up slightly from the year before.
With so many data requests going on in the background, it is all the more important to safeguard the data you share with various services.
The importance of good OPSEC
This situation serves as a critical reminder of the importance of maintaining stringent OPSEC (operational security). One should always be aware of the potential vulnerabilities that come with linking recovery information or secondary services (like Apple accounts) that may not have the same privacy safeguards as a primary encrypted email service.
For users concerned about privacy, particularly those involved in sensitive or political activities, OPSEC should be a top concern when using privacy tools. It’s advisable to:
- Avoid linking recovery emails or phone numbers that can directly tie back to personal identities or primary business activities.
- Consider using secondary, disposable emails or virtual phone numbers that offer an additional layer of anonymity.
- Use a good VPN service to hide your IP address whenever possible. (Failure to do this is what compromised a Proton Mail user in France who was arrested after after police obtained IP logs.)
- Consider purchasing services using an anonymous payment method.
- Stay informed about the legal obligations and policies of communication service providers, especially regarding their compliance with international law enforcement requests.
While Proton Mail and similar services offer substantial protections and end-to-end encryption on their email platform, they are not immune to legal and governmental pressures. Users must navigate these waters carefully, balancing the need for security with the potential legal obligations of their service providers.
RestorePrivacy has reached out to Proton Mail for a comment on the case and their exact involvement, but a statement wasn’t immediately available. We will update this article as soon as we hear back.
We will start to see more and more strange stuff leaking from Proton soon. This is just the beginning!
To me, Proton is not a company or movement with a mission as they claim it to be. Not even close!
In all so-called privacy sources, Proton is being hyped and pushed into people’s throats as if it is the answer to their prayers about individual privacy. In almost all ‘best private email’ listings (RestoPrivacy included) every website lists them as the top-notch service. Proton is none of them and never will be. And we all will see in the near future that how much this perspective is flawed and misleading. Just wait and see while they are trying and eyeing to be the Google of the privacy space while promoting a false sense of security.
The articles’ main source does not say anything about any recovery emails
The article instead mentions that the Civil Guard used Europol to ask Swiss authorities for the company Wire to identify the person behind the pseudonym ‘Xuxu Rondinaire’, who also used a Proton Mail account. There is no mention of Proton Mail providing a recovery email address directly to the police. Instead, the information request was directed at the Wire messaging service through international police cooperation channels.
False.
“Protonmail gave him the recovery email address associated with the email he used to talk about the Democratic Tsunami. Once he got it, he asked Apple for information about this second email address, and got its name, home address, and phone number.” (Google Translate)
https://www.vilaweb.cat/noticies/tsunami-democratic-xuxo-rondinaire-mossos/
Highly concerned by the claims of this article. It seems like if you want to safely email someone, you better create that email on Tor with Tails, and only check it via the same method. And even that isn’t bulletproof.
forwardemail dot net is my go to.
ProtonMail seems to be getting a bit too high profile for my likes. And 6,000 data requests complied with? Damn. I’m not even faulting Proton here. And legal requests through the court can’t be ignored, but this all doesn’t sit well with me.
they need to comply with binding legal requests. if they didn’t they no longer exist. that’s true of any service. that doesn’t mean their claims of encryption are untrue, they are clear about the limitations. thinking that your email provider will go to jail for you us laughable