The privacy-oriented email provider ProtonMail has come under fire for providing Swiss authorities the IP address of a French climate activist.
The service, which prides itself on offering end-to-end security and impossible-to-crack encryption, says it was acting on a request by French authorities through Europol, who asked the Swiss government for their assistance. As ProtonMail is based in Switzerland, it has been able to ignore international demands to give up the private information of its users but is required to obey Swiss laws.
Under Swiss law, the tech company is required to log IP addresses from users in “extreme criminal cases,” according to ProtonMail’s own transparency report.
In a post on Tuesday, Proton CEO Andy Yen said that the company has tried to make it clear that it has to comply with Swiss law.
“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with," he wrote. "There was no possibility to appeal this particular request.”
According to TechCrunch, French climate activists took over commercial locations and apartments in Paris’ Place Sainte Marthe as part of a protest around gentrification in the neighborhood by illegally squatting there. The movement quickly took over national headlines. On September 1, the movement claimed that French authorities sent a message through Europol demanding to know who created the ProtonMail address they were using.
Yen says in his blog post that the company’s encryption prevents it from seeing the contents of the email address. The company is also unable to know the identity of its users. So despite divulging the IP address of the person who created the account, the company says it wasn’t aware it was revealing information about the climate activists.
Yen says that in the future, the company will be clearer about how it handles criminal cases and will promote its service through its Tor site and the company’s VPN for users concerned about their privacy.
Proton says that in 2020, the company received 3,572 orders for user information, and complied with 3,017 of those requests. It only contested 750 orders.