September 17, 2021
ProtonMail Passes Over IP Logs... Should Users Be Worried?
Over a week has passed since the scandal involving ProtonMail, or rather its decision to pass IP logs of climate activists to the Swiss government.
Now that the fog of war has settled a bit, I can put my two cents in. While a lot of privacy-minded users are disappointed with ProtonMail, it’s hardly news to people who know how the Swiss laws work. ProtonMail found itself backed into a corner by building its identity on promises it really couldn’t live up to.
Not because they are a bad service provider. Simply because they knew they had no choice but to succumb to the pressure from Europol, but continued to lead the “Anonymous. No Logs” narrative until now.
You Can’t Sit On Two Chairs At The Same Time
Of course, it would be extremely naive to think that such a big email service provider would risk its own well-being to protect random people under criminal investigation.
ProtonMail likely had no clue that they were passing the logs of climate activists either. Not that it would have changed their course of action, but they would have prepared better for the media backlash. It’s one thing when you help authorities lock up drug dealers and human traffickers, and completely different when you help catch people who want to fix the world climate situation.
A lot of people wrongly assumed that they’re immune from law enforcement by using a service that is a registered entity in a European country with a strict legislative framework.
That’s a real surprised Pikachu face moment right here. One thing that shouldn’t surprise anyone is the fact that people don’t read privacy policies. And who can blame them, when the company in question can edit the policy written in legalese as they see fit.
That’s all in the disclaimer. Policies are written to protect the company, not consumers.
ProtonMail Removed “We Don’t Keep Any IP Logs” Part
A change in the policy can be subtle, but it’s not the case with ProtonMail.
It changed its policy from "by default, we do not keep any IP logs which can be linked to your anonymous email account" to "ProtonMail is email that respects privacy and puts people (not advertisers) first."
Which sounds a bit like hot air to me, but some might think that the new wording implies that ProtonMail now keeps IP logs by default. Thing is, ProtonMail always kept IP logs, but those were stored to let you see whether your account was hacked into.
That data collection can be disabled in the settings. In their blog post about the incident, ProtonMail claimed that they’re updating their website to ensure nobody is misleading anyone.
Nobody likes being lied to, right?
I think Swiss laws deserve more hate than ProtonMail, and that users of the service should consider their threat model before choosing an email platform. If someone is wanted in Switzerland, they might want to anonymize their IP when connecting to ProtonMail. If you’re outside of Helvetia, you might be safe. There’s no way to tell for sure...
ProtonMail still encrypts your emails, and can’t know what’s inside of them, which is way better than what other popular email providers can offer you. But on the other hand, ProtonMail is powerless against court orders, which come in bigger numbers every year. For all the flak Microsoft gets on the privacy front, they do a better job of reviewing law enforcement requests.
So let’s not consider “Swiss law” a “feature” and agree that ProtonMail, or any other security-oriented company for that matter, is able to change the trend of surveillance-motivated laws.