ProtonMail denies that it spies on users for government agencies

The popular privacy-focused email service ProtonMail has been accused of offering voluntarily real-time surveillance assistance to law enforcement.

The popular privacy-focused email service ProtonMail made the headlines because it has been accused of supporting real-time surveillance carried out by law enforcement.

On May 10, while Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, was giving a presentation at an event when the Swiss lawyer Martin Steiger live-tweeted from the event that Walder incidentally mentioned ProtonMail as a service provider that voluntarily offers support to law enforcement.

Steiger said that ProtonMail offers voluntary support for real-time surveillance without requiring an order from a federal court.

“Email service provider ProtonMail, based in Switzerland, offers assistance for real-time surveillance: Voluntarily!” reads the post published by Stieger.

Steiger pointed out the company provided metadata and so-called secondary data that could be used by law enforcement and intelligence agencies for surveillance purposes.

“Metadata or secondary data that is available must be provided. On the other hand, ProtonMail, as a provider of derived communication services, has in principle no obligation for real-time surveillance. Art. 26 para. 4 SPTA provides such obligation only for providers of telecommunications services such as Swisscom or UPC.” continues the post.

“There is currently no evidence that ProtonMail is a provider of derived communications services with more extensive surveillance obligations. ProtonMail would therefore not have to voluntarily provide assistance for real-time surveillance.”

Steiger pointed out that ProtonMail the company is subject to Swiss local surveillance laws, but it’s not subject to more extensive surveillance obligations.

According to the transparency report published by the company, ProtonMail could conduct real-time surveillance for the authorities and it also mentions a current case:

“In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.“s.

Walder said that Steiger has misunderstood his speech, but the lawyer believes that the situation is exactly the one he described in the post.

ProtonMail denied Steiger’s claims and published a post to clarify that it only supports authorities when presented by an order from a Swiss court or prosecutor.

“ProtonMail does not voluntarily offer assistance as alleged. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in all criminal cases. Furthermore, ProtonMail’s end-to-end encryption means we cannot be forced by a court to provide unencrypted message contents.” reads the blog post.

“ProtonMail cannot be used for any purposes that are illegal under Swiss law. Not only is this against our terms and conditions, we are also obligated by law to assist police investigations in criminal cases. However, the claim that we do this voluntarily is entirely false.”

According to ProtonMail, Steiger’s interpretation of the law is different from the one taken by the Swiss authorities.

The company clarified that it does not agree with the interpretation taken by some branches of the Swiss government. Therefore, we have asked the Swiss Federal Administrative Tribunal to rule on the appropriate interpretation of the law, and we will appeal to the Swiss Supreme Court if necessary.

ProtonMail threatens to take legal action for defamation pursuant to art. 174 of the Swiss Criminal Code.

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – privacy, surveillance)

[adrotate banner=”5″]

[adrotate banner=”13″]