Published on: May 16, 2024
Police were able to track down and arrest a pro-Catalan activist because he provided a recovery email for his Proton Mail account, which Proton doesn’t mandate.
Proton Mail is widely considered the preferred email service for those seeking to shield their communications, including journalists and activists. The company provides end-to-end encryption, ensuring that only the sender and receiver can read the contents of an email, effectively keeping it hidden from any third parties, including Proton Mail itself.
Additionally, Proton Mail doesn’t log or share personal data with third parties unless compelled by Swiss law, where it’s based.
Switzerland has a reputation as a safe haven for data privacy, but even within this framework, there are exceptions, and Swiss law compels certain Swiss-based firms to cooperate with law enforcement, like in the case of the Catalan activist.
Proton Mail had to share the user’s recovery email under legal obligation as part of an investigation into alleged terrorism activities linked to the Democratic Tsunami, a group of activists.
The Guardia Civil, a Spanish law enforcement agency, submitted legal requests to both Wire, an encrypted messaging service, and Proton through Swiss police. Wire, which is also based in Switzerland, disclosed that the suspect had used a Proton Mail address to register for its platform.
Proton Mail then shared the user’s recovery email address linked to Apple’s iCloud, which is the only information the company had on the user. Using this iCloud email address, Apple was able to provide the Spanish police with comprehensive details necessary to identify the pro-Catalan protester, including their full name, two residential addresses, and a Gmail account connected to the iCloud.
“Proton has minimal user information, as illustrated by the fact that in this case it was data obtained from Apple that was allegedly used to identify the terrorism suspect,” Proton spokesperson Edward Shone said.
“Proton does not require a recovery address, but in this case the terror suspect added one on their own. We cannot encrypt this data as we need to be able to send an email to that address if the terror suspect wishes to initiate the recovery process,” the spokesperson continued.
“This information can in theory be requested by Swiss authorities in cases of terrorism, and this determination is generally made by the Swiss Federal Office of Justice. Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper [operational security] such as not adding your Apple account as an optional recovery method, which it appears was done by the alleged terror suspect,” the statement reads.
It’s important to note that this incident didn’t impact Proton’s other products, such as Proton VPN, because they aren’t subject to the same BÜPF legislation — this law doesn’t apply to VPN services, allowing them to operate without the same data disclosure requirements.