Connect with us

Hi, what are you looking for?


Email Security

ProtonMail (Wrongly?) Criticized for Disclosing User IP to Authorities

Blaming ProtonMail misses important lessons of the case, as request from authorities ticked the necessary requirements under Swiss law

Blaming ProtonMail misses important lessons of the case, as request from authorities ticked the necessary requirements under Swiss law

ProtonMail, a privacy and security-focused email provider based in Switzerland, has been strongly criticized for providing the IP address of a customer to Swiss authorities, ultimately leading to the arrest of a climate activist in France. But simply blaming ProtonMail misses the important lessons of this case.


French authorities were aware that a group ‘of interest’ (the Youth for Climate collective and associated groups) used the jmm18[@] email address. According to police reports, the climate group had hardened its interests along general anti-capitalist lines, and were taking part in illegal squatting and damage to property.

Since Switzerland is not part of the EU, the French police could not demand that the Swiss authorities obtain and hand over the IP address of the email user. Instead, it approached Switzerland via Europol. Switzerland acquiesced with Europol, and required ProtonMail to deliver up the IP address. Since the request ticked all the necessary requirements under Swiss law, ProtonMail had no option but to obey.

It should be stressed that ProtonMail cannot deliver the content of its end-to-end encryption – this is solely about the user’s IP address.


Advertisement. Scroll to continue reading.

ProtonMail is not happy with the events. It published a blog titled Important clarifications regarding arrest of climate activist on September 6, 2021, commenting, “We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way.”

Several points stand out in this blog – most importantly that ProtonMail had no alternative but to comply with the Swiss court order. ProtonMail does not know the identity of its users. “We only know that the order for data from the Swiss government came through channels typically reserved for serious crimes.” It did not know that the target of observation was a group of French climate activists – for all ProtonMail knew, it could have been a gang of international terrorists.

Noticeably, the blog provides no information on the details of the case. However, it directs readers to the ProtonMail transparency report, and the ProtonMail privacy policy. The former states, “ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities.” The latter includes, “If permitted by law, we will always contact a user first before any data disclosure.”

It is possible that ProtonMail was required to monitor the IP or IPs used by the email address over a period of time, while simultaneously under a gagging order not to disclose the fact. Only after an arrest could matters be made public.

Lessons to be learned

SecurityWeek talked to European privacy activist and advocate Peter Sunde Kolmisoppi. He works on projects designed to help people protect their privacy (such as, a privacy aware domain service with both VPS and VPN), but also encourages groups and political entities on increasing the right to privacy. He is a co-founder of The Pirate Bay and the founder of Flattr and

Sunde does not blame ProtonMail for what happened, but that doesn’t mean he is not angry at what did happen. The primary problem, he suggests, is that ProtonMail is “based in a country that has a government that can control their actions. That’s the main flaw. A lot of activists, technologists and hosters have this idea that certain countries are ‘bulletproof’ when it comes to privacy. That’s certainly not the case.”

This is the first lesson to be learned – to recognize that all companies are subject to the laws of the country where they reside, irrespective of their own principles and preferences.

He believes the solution here would be to decentralize the service – something eminently feasible given todays’ global public cloud. “The basic problem here is again that we’ve centralized things. Organizations, services – e-mail is among the easiest of all services to have decentralized – and trust.” But ProtonMail is what it is, and alternative ideas are irrelevant to the current situation.

“It’s not the fault of ProtonMail, he says, it’s the fault of the authorities. And I’m sure that ProtonMail will take lessons from this to improve their threat model.” ProtonMail has started to stress the availability of its onion service to allow users with heightened threat conditions to gain the additional protection of Tor, and provides clear access to its own VPN, ProtonVPN, on the home page.

Swiss law treats VPN different to email. “Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data,” wrote ProtonMail in its blog. The implication is that the French authorities may not have been able to secure the IP address had the activists been using ProtonMail with Tor and VPN as well as ProtonMail.

This is the second lesson – when using any service, be aware of the additional security protection that may be available, and use it.

Sunde’s anger is directed against the authorities rather than ProtonMail. It seems that the route taken to get the IP address was originally intended for just the most serious of crimes – not to be used against climate activists (although in fairness we don’t really know what else the authorities were hoping or expecting to find).

“Switzerland is not part of the EU, so we’re not sure why Switzerland nor the EU looked at this as a case as important enough to go to these extreme measures,” he told SecurityWeek. “There should have been many people that could have stopped this insanity.”

He continued with the third lesson to be learned: “In general, I would say that people should not trust any single entity/provider to protect any secret communication, because most of these organizations can be forced to do things, or there can be backdoors or security issues with other things. An app for secure chat is great but it will ultimately come down to if your computer/phone is secure – and it is not.”

Finally, wearing his activist hat, he added, “I think we need to shame both the Swiss and EU authorities for allowing this ridiculous thing to happen; and hopefully this situation will lead to better decisions on what they will do in the future.”

It is worth also adding that although there is no direct comparison, the primary argument that has led the European courts to issue the Schrems II ruling has been the ability of the NSA to obtain European personal information. In this instance, the French authorities obtained personal information of European residents through the cooperation of Europol and the Swiss authorities.

Related: ProtonMail Accused of Voluntarily Helping Police Spy on Users

Related: ProtonMail Opens Encrypted Email Service to Public

Related: ProtonMail Launches Tor Hidden Service

Related: ProtonMail Launches VPN Application for macOS

Related: Russia Blocks Swiss-based ProtonMail Over Wave of Bomb Threats

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...