ProtonMail Updates Its Policy After Providing Data to an Activist
This weekend, news broke that anonymous email service ProtonMail turned over a French climate activist's IP address and browser fingerprint to Swiss authorities. The move seems to contradict the company's own privacy-focused policies, which last week stated, "By default, we do not store any IP logs that could be linked to your anonymous email account."
After providing the activist's metadata to Swiss authorities, ProtonMail removed the section promising no IP logs, replacing it with one that said, "ProtonMail is an email that respects privacy and prioritizes the people (not the advertisers)."
No Logging ‘By Default’
As always, the devil is in the details: ProtonMail's original policy simply stated that the service would not store IP logs "by default." However, as a Swiss company, ProtonMail was obliged to comply with a Swiss court's demand that it start logging the IP address and browser fingerprint information for a specific ProtonMail account.
That account was run by the Parisian chapter of Youth for Climate, which Wikipedia describes as a Greta Thunberg-inspired movement focused on school students skipping classes on Friday to attend protests.
According to multiple statements ProtonMail issued on Monday, it was unable to appeal the Swiss demand for IP logging on that account. The service could not appeal both because a Swiss law had actually been violated and because "legal tools for serious crimes" were used, tools that ProtonMail believes were not appropriate in this case but that it was legally required to comply with.
Break Out Your Tor Browser
In addition to removing misleading or incorrect technical references to the "default" logging policy, ProtonMail has promised to encourage activists to use the Tor network. The new "Your Data, Your Rules" section on the front page of ProtonMail links directly to a landing page that contains information about using Tor to access ProtonMail.
Using Tor to access ProtonMail can accomplish what ProtonMail itself legally cannot: obscuring the IP addresses of its users. Because the Tor network hides the network origin of a user's traffic before the packets reach ProtonMail, even a valid subpoena cannot retrieve that information from ProtonMail, because the service never received it in the first place.
It should be noted that the anonymity offered by Tor depends on technical means, not policy, which could be a double-edged sword. If a government agency or other threat actor compromises the Tor nodes that traffic passes through in order to trace its origin, there is no policy preventing the government from doing so, or from using that data for law enforcement purposes.
ProtonMail also operates a VPN service called ProtonVPN and pointed out that Swiss law prohibits the country's courts from forcing the VPN service to log IP addresses. In theory, if Youth for Climate had used ProtonVPN to access ProtonMail, a Swiss court could not have forced the service to disclose the "real" IP address. However, the company seems to be leaning more heavily on recommending Tor for this specific purpose.
There Is Only So Much an Email Service Can Encrypt
ProtonMail is also careful to point out that, even though the IP address and browser fingerprint of its user were collected by the Swiss authorities working for Interpol, the company's guarantees of email content privacy were not violated.
The service uses end-to-end encryption and intentionally does not hold the key needed to decrypt a user's email body. Unlike the source IP address and browser fingerprint, that data cannot be collected simply by changing the company's own servers as required by the court order.
Although ProtonMail can and does encrypt the body of the email with keys that are not available to the servers that process it, the SMTP protocol requires the sender of the email, the recipient of the email, and the timestamps of the message to be accessible to the server. Accessing the service through Tor or a VPN can help obscure IP addresses and browser fingerprints, but the service can still be legally compelled to provide any of those fields to Swiss law enforcement.
In addition, email subject lines could also be encrypted without breaking the SMTP protocol, but in practice the ProtonMail service does not do so, which means that the relevant courts may force the service to provide that data as well.
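The split between encrypted body and readable metadata can be seen by parsing a message the way a mail server does, without any decryption key. The following is an added example, not code from ProtonMail or from the original article; it assumes a generic PGP/MIME (RFC 3156) message rather than ProtonMail's internal storage format, and the addresses, subject and ciphertext are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample: PGP/MIME message with placeholder ciphertext.
RAW = """\
From: alice@example.org
To: bob@example.net
Date: Mon, 06 Sep 2021 10:15:00 +0000
Subject: Friday meeting point
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def body_is_ciphertext(msg):
    """True if every leaf part is OpenPGP ciphertext (PGP/MIME or inline armor)."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return all(ARMOR in (p.get_payload() or "") for p in leaves)

def server_view(raw):
    """Fields a server (or a court order served on it) can read without a key."""
    msg = message_from_string(raw)
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(rcpts)],
        "timestamp": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],  # header, so not covered by body encryption
        "body_is_ciphertext": body_is_ciphertext(msg),
    }

if __name__ == "__main__":
    for field, value in server_view(RAW).items():
        print(f"{field}: {value}")
```

Even with the body opaque, the sender, recipient, timestamp and subject are all recovered from the headers alone.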
This story originally appeared on Ars Technica.