This weekend, news ProtonMail anonymous email service failed turned around the IP address and browser fingerprint of a French climate activist to the Swiss authorities. The move seemed to contradict the company’s own privacy-focused policies, which recently said last week: “By default, we don’t keep any IP records that can be linked to your anonymous email account.”
After providing the activist’s metadata to the Swiss authorities, ProtonMail deleted the section that had not promised any IP registration, replacing it with a phrase that reads: “ProtonMail is an email that respects privacy and puts people (not advertisers) in the first place “.
No “Default” record
As usual, the devil appears in the details: ProtonMail’s original policy simply said that the service does not save IP records “by default”. However, as a Swiss company, ProtonMail was forced to comply with the demand of a Swiss court to start IP address record and browser fingerprint information for a specific ProtonMail account.
This story was operated on by the Parisian chapter of Youth for the Climate, which Wikipedia describes as a Greta Thunberg-inspired movement focused on school students skipping classes on Fridays to attend protests.
According to several statements ProtonMail issued on Monday, it was unable to appeal against the Swiss IP registration claim on that account. The service could not appeal so much because a Swiss law had actually been breached as because “legal tools for serious crimes” were used, tools that ProtonMail believes were not appropriate for the case at hand, but that legally had to be complied with.
Breaks the Tor browser
In addition to removing the misleading if technically correct reference to the “default” registration policy, ProtonMail pledged to encourage activists to use the Tor network. The new “Your data, your rules” section on the ProtonMail homepage links directly to a landing page that groups information about using Tor to access ProtonMail.
Using Tor to access ProtonMail can achieve what ProtonMail cannot legally do: obscure the IP addresses of its users. Because the Tor network hides a user’s network source before packets reach ProtonMail, even a valid citation cannot obtain this information from ProtonMail, because it never receives it.
It is worth noting that the anonymity offered by Tor is based on technical means, not policies, which could be a double-edged sword. If it is a government agency tin compromise the Tor nodes through which traffic passes to track their origins; there is no policy that prevents the government from doing so or using this data for police purposes.
ProtonMail also operates a VPN service called ProtonVPN and notes that Swiss law prohibits the country’s courts from forcing a VPN service to register IP addresses. In theory, if Youth for Climate had used ProtonVPN to access ProtonMail, the Swiss court could not have forced the service to expose its “real” IP address. However, it seems that the company is more inclined to recommend Tor for this particular purpose.
There is only so much that an email service can encrypt
ProtonMail is also careful to note that although its user’s IP address and browser fingerprint were collected by the Swiss authorities acting on behalf of Interpol, the company’s email guarantees content privacy was not violated.
The service uses end-to-end encryption and deliberately does not have the key needed to decrypt a user’s body or email attachments. Unlike the source IP address and the fingerprint of the browser, the collection of this data is not possible simply by changing a configuration on the company’s servers, as required by a court order.
Although ProtonMail can and encrypts the email body itself with keys that are not available to the servers processing them, the SMTP protocol requires that the email sender, email recipient, and message timestamps be accessible to the server. Accessing the service via Tor or a VPN can help obscure browser IP addresses and fingerprints, but the service may still be legally required to provide any of these fields to the Swiss police.
Also, send subject lines by email I could it can also be encrypted without breaking the SMTP protocol, but in practice the ProtonMail service does not, which means that the competent courts may require the service to provide this data as well.
This story originally appeared on Ars Technica.
Bigger cable stories