Last week's news that Proton Mail handed over users' recovery email addresses to Spanish police, who used them to identify and arrest pro-Catalonia protesters, is likely to upset activists in Europe and beyond.
Proton Mail is an encrypted, secure email app that is extremely popular among journalists and dissidents who rely on the company's promise to protect their privacy. However, the Swiss-based privacy company was required by law to hand over the personal data it held about Democratic Tsunami activists to the Guardia Civil as part of a terrorism investigation.
This isn't the first time either. In 2021, Proton shared details of a French climate activist's IP address with Europol officials.
Understandably, concerned commentators have criticized such actions, questioning whether it's time to retire the app, and some warn against using Proton products altogether. The company also offers Proton VPN, which is featured in TechRadar's Best VPNs guide, along with other security tools, but none of these were affected by this incident, as they are not subject to the BÜPF telecommunications law.
So is Proton Mail still a safe option for activists? Well, this very much depends on how you use the platform. I have contacted Proton for comment and am awaiting a response at the time of publication. Here's everything we know so far.
As mentioned above, Proton Mail is one of the go-to email providers for journalists, human rights defenders, protesters, and other users who may be subject to online surveillance. This is because Proton Mail attempts to minimize the personal data it has access to by encrypting your communications.
Encryption refers to the process of scrambling data into an unreadable format. As the company explains in a blog post, emails sent between Proton Mail users are always encrypted end-to-end. That is, the message is encrypted on the sender's device and can only be decrypted on the intended recipient's device. Zero-access encryption also applies to messages stored on Proton's servers, and TLS encrypts emails in transit.
All this means that, for example, Proton cannot share the contents of the emails you send or receive, because Proton itself does not have access to them. This also applies to all stored messages.
The problem is that encryption does not guarantee anonymity. Proton is one of the most transparent privacy providers and doesn't make outlandish claims on its website. However, the company can still access some identifiable information, known as metadata, such as email addresses and IP addresses. Law enforcement knows this and uses legal orders to force companies to hand over these details.
Let's take a closer look at the Spanish case. As revealed in court documents obtained by TechCrunch, the Guardia Civil sent legal requests through Swiss police to the Swiss encrypted messaging platforms Wire and Proton. Wire shared the email address (a Proton Mail address) that the suspect had used to sign up for its service.
All Proton had was one piece of information related to that account, albeit a valuable one: the iCloud email address the user had set as their recovery email. From there, Apple provided Spanish police with all the details needed to identify the pro-Catalan protester: full name, two home addresses, and a linked Gmail account.
Proton spokesperson Edward Shone told TechCrunch: “As evidenced by the fact that the data allegedly used to identify the terrorist suspect in this case was obtained from Apple, Proton holds minimal user information.”
“Proton offers privacy by default rather than anonymity by default, because anonymity requires appropriate user action [operational security], such as not adding an Apple account as an optional recovery method, which the terrorist suspect appears to have done.”
He added: “Proton doesn't require a recovery address, but in this case the terrorist suspect added one himself. We cannot encrypt this data, as we need to be able to send an email to that address if the suspect wishes to start the recovery process.”
People who hate @ProtonPrivacy and tell you to cancel your subscription are completely missing the point. This case actually proves how powerful Proton Mail is, not the other way around. Europol issued a court order to Proton, but all Proton could provide was the user's recovery email… pic.twitter.com/kuvTc0jqfe (May 7, 2024)
Another commenter (see the tweet above) defended Proton on this, saying that while no company wants to go to jail for you, “all companies should do what Proton did,” reiterating that “information about users should be limited.”
Meanwhile, Eva Galperin, director of cybersecurity at the digital rights advocacy group the Electronic Frontier Foundation, said the incident was “another reminder that metadata matters.”
What is certain is that this is one of countless examples highlighting the limits of secure, encrypted apps when it comes to fully protecting people's anonymity once law enforcement gets involved. For example, Proton's transparency report shows that the company received 6,378 legal orders in 2023. The team successfully challenged 407 of them, but had to comply with 5,971.
Worse, these incidents could become even more widespread as legislators seek to give law enforcement even more power. The UK, for example, is one of the countries looking to tighten digital surveillance in 2024.
Using encrypted apps is not enough
The Proton case highlights the complex intertwining of law enforcement powers and corporate obligations, but it also suggests that using encrypted apps alone is not enough to protect your privacy online. It repeats the simple fact that there is no such thing as a tool that protects your privacy by itself.
Privacy-first email and messaging services can't hide all of your digital footprints, especially from authorities, just as there are online threats that virtual private networks can't protect against.
Therefore, if you are an activist, journalist, or other user at high risk of government surveillance, we strongly recommend that you take additional steps to increase your online anonymity. These include:
- As the Proton incident taught us, do not link your recovery email or phone number back to your real identity. For added anonymity, create a separate account or use a burner phone number instead.
- Use a secure VPN service every time you access your email or messaging app. When it comes to security, NordVPN and Mullvad are my top recommendations.
- While Proton offers a complete privacy suite that includes email, VPN, Drive, calendar, and a password manager, consider using different providers for different security tools so that activity across them cannot be linked in any way.
- Choose an anonymous payment method to further minimize the personal information you share with providers. For example, Proton Mail accepts cash as well as Bitcoin.
- Last but not least, consider using Tor Browser together with a VPN service when the surveillance risk is high.
We test and review VPN services for legitimate recreational use. For example:
1. Accessing a service from another country (subject to the terms of use of that service).
2. Protecting your online security and enhancing your online privacy while abroad.
We do not support or condone illegal or malicious uses of VPN services. The consumption of paid pirated content is not authorized or endorsed by Future Publishing.