
Are Proton services still trustworthy?

Proton is one of the pioneers in offering a secure, end-to-end encrypted email service. However, they recently provided US security and law enforcement agencies with their users' data.


According to the latest post on Hacker News (Y Combinator), ProtonMail is cooperating with the US authorities.

ProtonMail is one of the pioneers in offering a secure, end-to-end encrypted email service. It is based in Switzerland and has over 1 million users.

On Hacker News, the user Hammock stated that ProtonMail provided US security agencies and law enforcement agencies with its users' data.

It happened because a user used ProtonMail to send threatening emails. The case involved threats to the immunologist Anthony Fauci and others at the NIH. In a series of emails, the defendant threatened to kill Fauci and his family. According to the US Department of Justice, the defendant used an email account from ProtonMail. Based on the data ProtonMail sent to the US through legal assistance, the defendant used multiple user accounts on ProtonMail.

According to the defendant's statement, he switched to ProtonMail because he believed he was protected by Swiss data protection laws and end-to-end encryption. Nevertheless, the sender can be identified from the data ProtonMail provided.

ProtonMail founder's reply

Andy Yen, the founder and CEO of ProtonMail, replied on Twitter.

A lot of incorrect information is out there regarding @ProtonMail and alleged cooperation with US authorities. Some clarifications:

1) ProtonMail does not give data to US authorities. That's illegal under article 271 of the Swiss Criminal Code.

2) ProtonMail only complies with legally binding orders from Swiss authorities. This means that the legal standard is that Swiss law is broken (not US law or any other law)

3) In the case with Fauci, the Swiss government opted to assist US authorities in their investigation as Swiss law was also broken (sending death threats is highly illegal)

4) The only information obtained from ProtonMail was the date that the account was created, as that was all that was available.

5) Under no circumstances can the encryption be bypassed. Please don't use ProtonMail to break Swiss law - it's illegal.

Let's take a look at what other users think about the ProtonMail case

There are some discussions below Hammock's post. Some users replied with their personal views.

Santosh87: What do people expect? To break national and international law and expect law enforcement to simply give up? Nothing on the Internet is untraceable if there is enough infrastructure for surveillance. You can hide under layers, but those layers can be peeled back too. Powerful nation-states will not simply stand by and allow perfect anonymity on the Internet, now that it has become a critical part of daily life.

Toto444: This has never been a secret, or am I missing something? ProtonMail claims that their emails are end to end encrypted and that they won't sell your data to advertisers nor answer random government requests. They have always told us they are going to collaborate in cases of serious crimes.

Renaud: I don't understand the issue. ProtonMail is subjected to the Laws of Switzerland. These laws require that foreign requests be first approved by Swiss authorities, which is already huge protection from rogue actors, as it shields the company from having to comply with most requests.

Once it's passed that hurdle, though, ProtonMail has to comply (although they seem to do some due diligence and reject some of these requests, or at least ask for reconfirmation).

Even if they cooperate, ProtonMail can only send limited information about the account.

That limited information was apparently enough to correlate with other mail services used by the accused, and LEA managed to get more incriminating information from these, including email content.

Mail services often send/receive un-encrypted emails to/from other regular systems like Gmail. That means there is an inherent weakness that can be exploited. Swiss law has more stringent requirements than other jurisdictions on what can be collected. But it's not a free pass to illegal activity.

Know your provider and its limits and take appropriate measures if you need more protection.

Our opinion

There is a treaty between Switzerland and the US. In this case, the Swiss government chose to assist US authorities in the investigation. The Swiss laws bind ProtonMail, not the laws of the US.

There is no clear evidence that ProtonMail has breached Swiss laws or misused the user's data.
