This is publicity that the encrypted email company Protonmail could have done without. On Monday, September 5, the website of the communist organization “Secours rouge” revealed that this company, based in Switzerland, had handed over the IP address, that is to say the identification number of the computer, of one of its users to the Swiss authorities.
This client, a climate activist, is now in the sights of French justice.
Confirmed by Protonmail, this information was met with incomprehension by many Internet users. Created in 2013, the company has built its reputation on a promise to respect the privacy and personal data of its customers.
What is Protonmail criticized for?
On September 1st, the activist website Paris-luttes.info published a long account of the legal measures that have, for a year, targeted climate activists mobilized against the gentrification of the Place Sainte-Marthe district, in the 10th arrondissement of Paris. In this case, the site revealed that “the Youth For Climate collective and its affiliates communicated via a secure email address” managed by Protonmail. In an attempt to identify the creator of this email address, French police officers sent the Swiss company a judicial requisition.
Transmitted to Europol (the European agency specializing in the suppression of crime) and validated by the Swiss authorities, this request forced Protonmail to hand over the IP address linked to the email address targeted by the French police. Having initially gone unnoticed, this information was picked up on September 5 by the site “Secours rouge” and by several Internet users, who addressed the company directly on Twitter and on the Reddit forum. Yet until Monday, September 5, Protonmail stated on its site that, “by default”, it did not record “any metadata such as the IP address used to connect”.
Why was the company forced to respond to this demand?
In France, as part of a preliminary investigation, a judicial police officer (OPJ) can request from private actors – such as telephone operators or banks – information relating to some of their customers. “When it comes to a private player established on French territory, the company is required to respond”, explains Alexandre Archambault, lawyer at the Paris bar specializing in digital technology.
But when, as here, the company is established in a country other than France, it can refuse to respond to the requisition. In the event of a refusal, the police can then rely on international cooperation mechanisms. This is what the French authorities did when they called on Europol. Once their requisitions had been validated by the Swiss authorities, the company was obliged to respond to France’s request.
“Switzerland ratified the Budapest Convention, which aims to fight cybercrime, 10 years ago. Thus, service providers established in its territory may be required to transmit information on their users when the request is relayed by the national authorities. But this convention is badly named, because it is not confined solely to cybercrime,” continues Alexandre Archambault. Initially used for serious cases such as terrorism or child pornography, this cooperation mechanism has been extended over the years to a large number of criminal offenses. In this specific case, it was for example a requisition for a case of damage to property.
How did the Protonmail company defend itself?
As early as September 6, the encrypted messaging company responded by posting a clarification on its website. “We are deeply concerned about this case and regret that legal tools for serious crimes are used in this way,” Protonmail said in the preamble. While the company confirmed that it had been required to disclose the IP address, it assured its users that under no circumstances can email encryption be bypassed, “which means emails, document attachments, calendars, files, etc. cannot be compromised by legal orders,” the company says reassuringly.
Protonmail also defended itself by explaining that, due to the strict confidentiality of its services, it did not know the identity of its users. “At no point were we aware that the targeted users were climate activists. We only know that the Swiss government’s request for data went through channels generally reserved for serious crimes,” the company adds. Accused of not having made its conditions of use sufficiently clear, Protonmail has since modified them. They now read: “If you are in breach of Swiss law, Protonmail may be legally obliged to provide your IP address to investigators.”