An activist is a person who advocates or practices activism, meaning that he/she uses or supports strong actions in support of campaigns to bring about political or social change.
Among other reasons, this is why activists are often targets of the authorities. Governments worry that activists can disrupt existing situations that they think are under control.
In the world where digital communication takes place, people can communicate through social media networks, as well as messaging apps. But many still use emails.
And this time, ProtonMail, a popular end-to-end encrypted email service, is found to have logged the IP addresses of at least one of its users.
ProtonMail is obliged to comply with Swiss law, as the company is based on Geneva.
Switzerland’s law requires tech companies to notify the person whose data is being requested by the government. The thing here, CEP Andy Yen didn’t specify if ProtonMail followed through in this case.
He also declined to comment because of "for privacy and legal reasons."
Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we're required by Swiss law to answer requests from Swiss authorities.
— Andy Yen (@andyyen) September 5, 2021
The news was revealed when the French police who wanted to get information about an activist, sent a request to the Swiss authorities through the Europol, and ProtonMail complied.
When the company came under fire, Andy Yen clarified on Twitter that the company only coordinated with the Swiss authorities, and not with the French police or Europol.
He said that ProtonMail is not under obligation to provide details with the French.
However, all reports indicate that the French police managed to arrest the climate activist fighting against gentrification, with the help of ProtonMail.
It should be noted that In the ongoing case, ProtonMail delayed the notification by up to eight months, and kept logging IP address and other details of the activist in question.
Yen and ProtonMail remained quiet because they may be under legal obligation to not disclose the details.
What ProtonMail can tell, is that it can provide metadata information about the account, including IP address, email address, and recipient emails. The company however, cannot read or share email contents because of its end-to-end encryption protection.
We have always openly disclosed our obligations in criminal cases in our transparency report which has been updated since 2015: https://t.co/jJYLOVULFl
— Andy Yen (@andyyen) September 5, 2021
The news of the privacy-focused ProtonMail in giving up its user's IP address has been a concern at the international security community.
Over the years, many government agencies had increased their amount of data requests sent to email services.
In 2020, it is revealed that governments sent 3,572 such requests to ProtonMail, which was double of the 1,465 requests they sent in 2019. In 2017, ProtonMail only received 13 orders.
While it's very common for governments around the world to request user data, ProtonMail is a privacy-oriented service. The company markets itself as a privacy-first email service.
The company said that it only log IP addresses in "extreme criminal cases," which is a bit too far for just an environmental activist, reports said.
At this time, ProtonMail also delivers its service through Tor.
Using email through Tor should prevent governments from asking because people's real IP addresses cannot be tracked when passing through Tor. ProtonMail faced criticism for not specifying that clearly on its website.
In response, Yen said that the company will promote this option more prominently.
@ProtonMail has given its Privacy policy a slight but essential refresh on Sept. 6.
"If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation."
https://t.co/tFlnS6UAzY pic.twitter.com/gZ9ODgFugm— Open Terms Archive (@OpenTerms) September 7, 2021