ProtonMail Accused of Voluntarily Helping Police Spy on Users

Privacy-focused email service ProtonMail has been accused of voluntarily helping law enforcement spy on users. The company has denied the accusations.

On May 10, Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, gave a presentation on cybercrime at an event. Martin Steiger, a Swiss lawyer who had been live-tweeting from the event, claims Walder incidentally mentioned ProtonMail as a service provider that voluntarily offers assistance to law enforcement for real-time surveillance, without requiring an order from a federal court.

Steiger has published a blog post on ProtonMail’s alleged practices — the blog post is available in both German and English — and summarized the obligations of such service providers for cooperating with authorities under Swiss laws.

While ProtonMail provides end-to-end encryption, which prevents the company from reading the actual content of emails, it does have access to metadata. Citing the U.S. National Security Agency (NSA), Steiger pointed out that metadata can be highly valuable to law enforcement and intelligence agencies.

Steiger has highlighted that while ProtonMail uses the fact that it’s based in Switzerland as a marketing advantage, citing strict Swiss privacy laws, the company is actually subject to local surveillance laws. Although it’s not subject to more extensive surveillance obligations, it does voluntarily help law enforcement surveillance operations, based on what Walder allegedly said.

Steiger has pointed to ProtonMail’s transparency report, where the company mentions one case where it conducted real-time surveillance of a user at the request of authorities.

“Every user of ProtonMail (or ProtonVPN) must decide for himself whether the email service is trustworthy,” Steiger said. “The difference between advertising and reality at least speaks against too much trust for ProtonMail.”

Walder contacted Steiger and said he had been misquoted regarding ProtonMail, but the lawyer is confident that he has not misquoted the prosecutor.

In response to Steiger’s blog post, ProtonMail has denied voluntarily offering assistance and has claimed it only helps authorities when presented with an order from a Swiss court or prosecutor.

“ProtonMail cannot be used for any purposes that are illegal under Swiss law. Not only is this against our terms and conditions, we are also obligated by law to assist police investigations in criminal cases. However, the claim that we do this voluntarily is entirely false,” ProtonMail said.

“Laws are subject to interpretation, and because the relevant Swiss law itself is ambiguous, there are differing interpretations of the law. Steiger’s interpretation is different from the one taken by the Swiss government agency tasked with enforcing the law, whose directives we are legally obligated to comply with. His interpretation, therefore, is just an opinion, and not grounded in legal reality.

“However, we also do not agree with the interpretation taken by some branches of the Swiss government. Therefore, we have asked the Swiss Federal Administrative Tribunal to rule on the appropriate interpretation of the law, and we will appeal to the Swiss Supreme Court if necessary. Until a ruling comes down (in one- or two-years’ time), our company policy has consistently been to take the most pro-privacy position, which is indeed the position we have taken in all our court filings,” it added.

Steiger says ProtonMail still hasn’t addressed some of the points from his article, and claims the company threatened to take legal action against him for defamation.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.