A new service known as ProtonMail quickly became the go-to encrypted email service for privacy-conscious web users. However, after a supposed privacy breach that saw multiple arrests by French police, angry users have been raising questions online about just how secure ProtonMail really is. Does ProtonMail log user data? Did ProtonMail break their privacy policy?
Why Did ProtonMail Hand Over Users’ Data?
For context, a green-friendly group known as “Youth for Climate” has been occupying residential and commercial properties since 2020 as part of its activities. Unfortunately for them, the group drew unwanted attention from French authorities recently, when they occupied a Cambodian restaurant in Paris known as Le Petit Cambodge. The premises suffered heavy damage in the terrorist attack of 2015 that took place in Paris, and their squat in the building didn’t go unnoticed. Following the trespassing, French police wanted to uncover the identities of these group members communicating via ProtonMail. They submitted a request via Europol to obtain users’ data from the Switzerland-based company. As it transpires, the request was granted. It seems that Swiss authorities took control of the investigation, issuing the request to ProtonMail directly.
Did ProtonMail Violate their Privacy Policy?
ProtonMail relented to the request and handed over the data requested from them. However, it didn’t go unnoticed by angry users on the web. People have questioned why the company had stored users’ details in the first place. After all, the homepage is appealing to any privacy-conscious internet user. It talks about data protection under Swiss law and end-to-end encryption. What it doesn’t specifically mention, however, is anything about data logging.
The answers, it seems, lie in the company’s privacy policy, which contains crucial information that isn’t available on the homepage. According to the company’s privacy policy, the following applies to IP logging: This, according to ProtonMail’s CEO Andy Yen – is the reason why the company took action. He said: This is a very specific statement, and it seems to tie back to the Transparency Report that ProtonMail published on September 6 in relation to this incident. This report refers to such requests as “foreign requests approved by Swiss authorities.” Put everything together, and one thing is clear: ProtonMail is firm on the fact that they were acting in line with their privacy policy. Essentially, foreign governments or investigative agencies could ask Swiss authorities to request ProtonMail to release user information. And this incident proves that they would have to comply.
Our Thoughts
Based on the above, it would seem that the company acted in line with their privacy policy. However, the whole incident is a stark reminder that encrypted, anonymous services aren’t always completely safe – or anonymous. One thing that’s worth noting is that the privacy policy excludes ProtonVPN – another service that the company offers – from this clause. Indeed, when you use a VPN, you’re cloaking your IP address, making you harder to track. This is why we always recommend that you use a VPN whenever you connect to the internet. The best VPNs, like ExpressVPN and NordVPN, cloak your identity and don’t log your data.