ProtonMail Accused of Voluntarily Helping Police Spy on Users

Privacy-focused email service ProtonMail has been accused of voluntarily helping law enforcement spy on users. The company has denied the accusations.

On May 10, Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, gave a presentation on cybercrime at an event. Martin Steiger, a Swiss lawyer who had been live-tweeting from the event, claims Walder incidentally mentioned ProtonMail as a service provider that voluntarily offers assistance to law enforcement for real-time surveillance, without requiring an order from a federal court.

Steiger has published a blog post on ProtonMail’s alleged practices — the blog post is available in both German and English — and summarized the obligations of such service providers for cooperating with authorities under Swiss laws.

While ProtonMail provides end-to-end encryption, which prevents the company from reading the actual content of emails, it does have access to metadata. Citing the U.S. National Security Agency (NSA), Steiger pointed out that metadata can be highly valuable to law enforcement and intelligence agencies.

Steiger has highlighted that while ProtonMail uses the fact that it’s based in Switzerland as a marketing advantage, citing strict Swiss privacy laws, the company is actually subject to local surveillance laws. Although it’s not subject to more extensive surveillance obligations, it does voluntarily help law enforcement surveillance operations, based on what Walder allegedly said.

Steiger has pointed to ProtonMail’s transparency report, where the company mentions one case where it conducted real-time surveillance of a user at the request of authorities.

“Every user of ProtonMail (or ProtonVPN) must decide for himself whether the email service is trustworthy,” Steiger said. “The difference between advertising and reality at least speaks against too much trust for ProtonMail.”

Walder contacted Steiger and said he had been misquoted regarding ProtonMail, but the lawyer is confident that he has not misquoted the prosecutor.

In response to Steiger’s blog post, ProtonMail has denied voluntarily offering assistance and has claimed it only helps authorities when presented with an order from a Swiss court or prosecutor.

“ProtonMail cannot be used for any purposes that are illegal under Swiss law. Not only is this against our terms and conditions, we are also obligated by law to assist police investigations in criminal cases. However, the claim that we do this voluntarily is entirely false,” ProtonMail said.

“Laws are subject to interpretation, and because the relevant Swiss law itself is ambiguous, there are differing interpretations of the law. Steiger’s interpretation is different from the one taken by the Swiss government agency tasked with enforcing the law, whose directives we are legally obligated to comply with. His interpretation, therefore, is just an opinion, and not grounded in legal reality.

“However, we also do not agree with the interpretation taken by some branches of the Swiss government. Therefore, we have asked the Swiss Federal Administrative Tribunal to rule on the appropriate interpretation of the law, and we will appeal to the Swiss Supreme Court if necessary. Until a ruling comes down (in one- or two-years’ time), our company policy has consistently been to take the most pro-privacy position, which is indeed the position we have taken in all our court filings,” it added.

Steiger says ProtonMail still hasn’t addressed some of the points from his article, and claims the company threatened to take legal action against him for defamation.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
