ProtonMail CEO says services must comply with laws unless based 15 miles offshore

protonmail-shot-decrypt.jpg
Image: ProtonMail

Hosted email service provider ProtonMail has responded to criticism about its end-to-end encryption capabilities after French authorities obtained the IP address of a French climate activist who used the company’s services, saying all companies have to comply with laws, such as court orders, so long as they operate within 15 miles of land.

“No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law,” Yen said in a blog post.

First reported by TechCrunch, the data collection performed by French authorities was part of an investigation into a group of climate activists who have occupied a number of apartments and commercial spaces in Paris.

According to ProtonMail, French authorities, with the help of Europol, were able to acquire the IP address through receiving approval from Swiss courts to do so. After Swiss courts issued the legal order, ProtonMail was required to log IP information on a climate activist’s account, which was then provided to French authorities and led to the individual being identified and arrested.

ProtonMail founder and CEO Andy Yen said that while it is not subject to French or EU requests, due to being based in Switzerland, it still must comply with requests from Swiss authorities.

“Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account,” the company said.

“The internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.”

Yen noted that ProtonMail neither collects the identity of its users nor user data due to it being encrypted — which meant the activist’s emails, attachments, calendars, and files were not accessed by French authorities — as there is no requirement to do so under Swiss laws. 

Certain court orders can compel ProtonMail to delay notifying users about their private data being used in criminal proceedings, however, according to the company’s law enforcement page.

When stating the requirements that ProtonMail must follow under Swiss law, Yen also took the opportunity to criticise the approach taken by French authorities to acquire the IP address.

“We are on your side, and our shared fight is with the authorities and the unjust laws we have been campaigning against for years. The prosecution in this particular case was very aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world,” Yen said.

According to ProtonMail’s most recent transparency report, the number of orders the company receives from Swiss authorities has grown exponentially, rising from 13 in 2017 to 3,572 last year.

Of the 3,572 orders it received last year, 195 of them were foreign requests. 

Related Coverage

READ MORE HERE