ProtonMail, the popular Swiss-based email service, said it was required to register the IP address of one of its customers after receiving a legal order that could not be refused. This is a worrying incident for users of this service, as ProtonMail had been characterized by its anonymity and anti-government intervention policies.
In a subsequent post on Reddit, those responsible for the email platform acknowledged that the authorities have found a way to obtain legal orders to access the affected resources.
It all seems to have started in mid-2020, when a group of activists identified as Youth for Climate forcibly seed some public squares and buildings in Paris, France. This protest was aimed at preventing real estate companies from arbitrarily increasing rental prices in certain areas, in an attempt to raise their profits and attract prestigious businesses.
Protest organizers reportedly used an email address from ProtonMail, something that was noticed by real estate companies and French police, who even tried to disrupt the protest and investigate some organizers. A recently published report claimed that police in France received help from Europol to contact the Swiss government and request the delivery of information related to the identity of the protest organizers.
A spokesman for ProtonMail confirmed that the company received a legal order to turn over the requested information, sent by the Federal Department of Justice in Switzerland. This order forced the company to register the IP address used by the owner of a specific account, used to disclose information about the protest in France.
The spokesman assures that this decision was irrefutable and that the contempt would have been a worse decision: “There were no legal possibilities to resist or fight against this request; Swiss law also requires notifying the affected user of the ongoing investigation, although this order specified that the user should not be notified until the authorities deemed it necessary.”
Finally, the spokesperson points out that email and VPN services are treated in a particular way in Switzerland, so the authorities will not be able to access more information using the same court order. Either way, this incident has left users of this service with serious doubts about the security of ProtonMail.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.