Encrypted email service ProtonMail has become embroiled in a minor scandal after responding to a legal request to hand over to Swiss police a user's IP address and details of the devices he used to access his mailbox – resulting in the user's arrest.
Police were executing a warrant obtained by French authorities and served on their Swiss counterparts through Interpol, according to social media rumours that ProtonMail chief exec Andy Yen acknowledged to
The Register.
At the time of writing, the company's website said: "We believe privacy and security are universal values which cross borders."
After data from ProtonMail was handed to the Swiss and then French police, the author of a left-wing political activists' blog in France wrote (
en français) that a group called
Youth for Climate had been targeted:
The police also noticed that the collective communicated via a ProtonMail email address. They therefore sent a requisition (via EUROPOL) to the Swiss company managing the messaging system in order to find out the identity of the creator of the address. ProtonMail responded to this request by providing the IP address and the fingerprint of the browser used by the collective. It is therefore imperative to go through the tor network (or at least a VPN) when using a ProtonMail mailbox (or another secure mailbox) if you want to guarantee sufficient security.
ProtonMail has said in the past that it does not collect user data and implements end-to-end encryption and repeated that over the weekend, saying: "Under no circumstances however, can our encryption be bypassed, meaning emails, attachments, calendars, files, etc, cannot be compromised by legal orders."