ProtonMail removed “we do not keep any IP logs” from its privacy policy

ProtonMail offers end-to-end encryption and a stated focus on privacy for its email service—which offers a user interface quite similar to those of more mainstream services such as Gmail.
Enlarge / ProtonMail offers end-to-end encryption and a stated focus on privacy for its email service—which offers a user interface quite similar to those of more mainstream services such as Gmail.

This weekend, news broke that security/privacy-focused anonymous email service ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities. This move seemingly ran counter to the well-known service’s policies, which as recently as last week stated that “by default, we do not keep any IP logs which can be linked to your anonymous email account.”

After providing the activist’s metadata to Swiss authorities, ProtonMail removed the section that had promised no IP logs, replacing it with one saying, “ProtonMail is email that respects privacy and puts people (not advertisers) first.”

No logging “by default”

As usual, the devil is in the details—ProtonMail’s original policy simply said that the service does not keep IP logs “by default.” However, as a Swiss company itself, ProtonMail was obliged to comply with a Swiss court’s injunction demanding that it begin logging IP address and browser fingerprint information for a particular ProtonMail account.

That account was operated by the Parisian chapter of Youth for Climate, which Wikipedia describes as a Greta Thunberg-inspired movement focused on school students who skip Friday classes in order to attend protests.

According to multiple statements ProtonMail issued on Monday, the company could not appeal the Swiss demand for IP logging on that account. The service could not appeal because a Swiss law had actually been broken and because “legal tools for serious crimes” were used. ProtonMail does not believe the tools were appropriate for the case at hand, but the company was legally responsible to comply with their use nonetheless.

Break out your Tor browser

In addition to removing the misleading (if technically correct) reference to its “default” logging policy, ProtonMail pledged to emphasize the use of the Tor network to activists. The new “your data, your rules” section on ProtonMail’s front page directly links to a landing page aggregating information about using Tor to access ProtonMail.

Using Tor to access ProtonMail may accomplish what ProtonMail itself legally cannot: the obfuscation of its users’ IP addresses. Since the Tor network itself hides users’ network origin prior to packets ever reaching ProtonMail, even a valid subpoena can’t get that information out of ProtonMail—because the company never receives the data in the first place.

It’s worth noting that the anonymity offered by Tor relies on technical means, not policies—a situation that could serve as a textbook example of a double-edged sword. If a government agency or other threat can compromise Tor nodes your traffic passes through in a way that offers it a way to track origins, there is no policy preventing said government from doing so—or from using that data for law enforcement purposes.

ProtonMail also operates a VPN service called ProtonVPN and points out that Swiss law prohibits the country’s courts from compelling a VPN service to log IP addresses. In theory, if Youth for Climate had used ProtonVPN to access ProtonMail, the Swiss court could not have forced the service to expose its “real” IP address. However, the company seems to be leaning more heavily toward recommending Tor for this particular purpose.

There’s only so much an email service can encrypt

ProtonMail is also careful to point out that although its user’s IP address and browser fingerprint were collected by Swiss authorities acting on behalf of Interpol, the company’s guarantees of email content privacy were not breached.

The service uses end-to-end encryption and deliberately does not possess the key necessary to decrypt a user’s email body or attachments. Unlike gathering the source IP address and browser fingerprint, collecting that data is not possible simply by changing a configuration on the company’s own servers as demanded by a court order.

Although ProtonMail can and does encrypt the email body itself with keys unavailable to the servers processing them, the SMTP protocol requires the email sender, email recipient, and message timestamps to be server-accessible. Accessing the service via Tor or a VPN may help obscure IP addresses and browser fingerprints, but the service can still be legally compelled to provide any of those fields to Swiss law enforcement.

In addition, email subject lines could also be encrypted without breaking the SMTP protocol, but in practice, ProtonMail’s service does not, which means the relevant courts may compel the service to provide that data as well.

Listing image by ProtonMail