Proton mail may log IPs after all...

Proton Logs IPS

Written by Jeff Stone
Sep 7, 2021 | CYBERSCOOP
ProtonMail, the encrypted email service that’s built a reputation for safeguarding user data, said it had no choice but to provide details about an activist to French authorities, amid mounting questions about the privacy protections in the popular mail client.

Swiss-based ProtonMail is an end-to-end encrypted service that markets itself as a tool that encrypts messages and other user data before the company accesses it. It’s a technique that, for more than 50 million users, aims to provide additional layers of protection than are available with more common email options, such as Gmail.

A French police report published on Sept. 2 appears to show that police used ProtonMail to collect the IP address, a specific number that pertains to an individual computer, of an unnamed French activist who was demonstrating against real estate gentrification in Paris. The case appears to undercut ProtonMail’s assurance that it does not log the IP addresses of unique users.

While the exact circumstances of the case remain murky, ProtonMail founder and CEO Andy Yen said in a series of tweets that the email firm was the subject of a legal order from a Swiss court. ProtonMail does not collect user IP addresses by default, Yen said, but “only if Proton gets a legal order for a specific account,” the company wrote in a Sept. 6 statement.

French police obtained a Swiss court order by transmitting their request through Europol, at which point ProtonMail began logging details on the IP address in question, according to TechCrunch. Authorities reportedly arrested the activist after obtaining more details about the IP address.

“We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way,” the company said.

“There was no possibility to appeal this particular request,” the statement went on.

The French request did not call on ProtonMail to provide any email message data, which is encrypted in a way that the company maintains it would be unable to provide.

ProtonMail received more than 3,500 orders from Swiss courts in 2020, up from 17 in 2017, according to its transparency report.

If it was court ordered, and such orders are legal in the country they operate in, then there's not much they could have done aside from moving their HQ and/or servers.

Something else to keep in mind when choosing your "privacy oriented" company: even if they truly are putting in their best effort towards privacy, and doing a good job, if the jurisdiction they operate in allows courts to force them to do what they want, your data is only safe as long as they aren't interested in it.
 
Any secure service that keeps no logs isn't a secure service, how can they guarantee something they aren't monitoring? But any business must follow the laws of the country they operate in and they will comply with all legal requirements made of them, they might make them file a crapload of paperwork but in the end, they will comply.
 
Zarathustra[H]

Nobu said:
If it was court ordered, and such orders are legal in the country they operate in, then there's not much they could have done aside from moving their HQ and/or servers.
While that is true, if they were serious about being as private as they claimed, they would not have logged IP addresses, this way there would have been nothing for them to disclose in response to the court order.
 
I think they are Swiss based to optimise that aspect as much as they can. Europol went transnational on this one, to make Swiss police involved.
 
Zarathustra[H] said:
While that is true, if they were serious about being as private as they claimed, they would not have logged IP addresses, this way there would have been nothing for them to disclose in response to the court order.
The way I read it, they do not log IP addresses by default. They did in this case because of a court order.
 
Zarathustra[H] said:
While that is true, if they were serious about being as private as they claimed, they would not have logged IP addresses, this way there would have been nothing for them to disclose in response to the court order.
They do not log or store apparently (at least that's the claim), they can be forced to do so and they start doing so once forced if I understand this:
https://protonmail.com/blog/transparency-report/
ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities.

  • In April 2019, upon the order of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.
 
Zarathustra[H] said:
While that is true, if they were serious about being as private as they claimed, they would not have logged IP addresses, this way there would have been nothing for them to disclose in response to the court order.
I get the impression that the order was to begin logging, not to provide past logs which as you say, they wouldn't have been able to in the first place.
 
