Update: Proton has confirmed the key details of this case and provided RestorePrivacy with a comment.
Proton Mail has come under scrutiny for its role in a legal request involving the Spanish authorities and a member of the Catalan independence organization, Democratic Tsunami.
Proton Mail is a secure email service based in Switzerland, renowned for its commitment to privacy through end-to-end encryption and a strict no-logs policy. In 2021, Proton Mail faced controversy when it complied with a legal request that led to the arrest of a French climate activist. Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.
The recent case, this time involving the Spanish police, highlights privacy concerns and the limits of encrypted communication services under national security pretexts, and brings a long-debated subject to the forefront once again.
The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
This case is particularly noteworthy because it involves a series of requests across different jurisdictions and companies, highlighting the complex interplay between technology firms, user privacy, and law enforcement.
The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
Like before, Proton Mail’s compliance with these requests is bound by Swiss law, which mandates cooperation with international legal demands that are formalized through proper channels (Swiss court system).
Last year, when we noted that Proton Mail complied with nearly 6,000 data requests in 2022, Proton provided us with an explanation that inbox contents remain secure.
Please note that in all cases email content, attachments, files etc are always encrypted and cannot be read.
Proton statement to RestorePrivacy last year
Looking at Proton’s transparency report, we find that Proton Mail complied with 5,971 data requests last year alone, up slightly from the year before.
With so many data requests going on in the background, it is all the more important to safeguard the data you share with various services.
The importance of good OPSEC
This situation serves as a critical reminder of the importance of maintaining stringent OPSEC (operational security). One should always be aware of the potential vulnerabilities that come with linking recovery information or secondary services (like Apple accounts) that may not have the same privacy safeguards as a primary encrypted email service.
For users concerned about privacy, particularly those involved in sensitive or political activities, OPSEC should be a top concern when using privacy tools. It’s advisable to:
- Avoid linking recovery emails or phone numbers that can directly tie back to personal identities or primary business activities.
- Consider using secondary, disposable emails or virtual phone numbers that offer an additional layer of anonymity.
- Use a good VPN service to hide your IP address whenever possible. (Failure to do this is what compromised a Proton Mail user in France, who was arrested after police obtained IP logs.)
- Consider purchasing services using an anonymous payment method.
- Stay informed about the legal obligations and policies of communication service providers, especially regarding their compliance with international law enforcement requests.
While Proton Mail and similar services offer substantial protections and end-to-end encryption on their email platform, they are not immune to legal and governmental pressures. Users must navigate these waters carefully, balancing the need for security with the potential legal obligations of their service providers.
RestorePrivacy has reached out to Proton Mail for a comment on the case and their exact involvement, but a statement wasn’t immediately available at the time of publication.
Update: Statement from Proton and additional commentary
Proton has now confirmed the key details of this case and provided RestorePrivacy with the following comment:
We are aware of the Spanish terrorism case involving alleged threats to the King of Spain, but as a general rule we do not comment on specific cases. Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect. Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order, as terrorism is against the law in Switzerland.
Spokesperson for Proton
In an email to RestorePrivacy, Proton also pointed out that adding a recovery email is optional. While this is true, we have also observed Proton Mail requiring a verification email address for account creation. As tested today, Proton required a verification email when signing up through a VPN service and also Tor.
In the verification box, Proton states that the email address “will only be used for this one-time verification.” Unlike a recovery email, this verification email presumably does not stay connected to the account.
Further reading
- ProtonMail Complied with 5,957 Data Requests in 2022 – Still Secure and Private?
- Proton Mail Review
- 10 Best Private and Secure Email Services
This article was updated on May 7, 2024 with the statement from Proton Mail and further discussion on the verification methods.
Pete
It’s all fool’s gold and everyone has a price. Use them all but keep moving. It won’t stop you getting hit if you are up to no good and the stasi state wants you, but it beats being a sitting duck for sure.
I don’t understand why people have to put their entire life from day to day online and then just leave it there.
“Trust me, I’m a VPN” hahahaha beam me up scotty.
Must dash, gotta change my VPN now in case I’m being tailed.
?
One of the reasons that I don’t use this anymore.. A similar thing happened in Tutanota (now called Tuta)…
It’s so obvious…
1) You’re automatically a target, you get a label as “you have something to hide”
2) It’s difficult to trust a closed source software.
3) These situations show that they have the keys, otherwise they wouldn’t be able to read your emails or help the gov. to get these people arrested..
4) The guy who was arrested should sue the company because of their false promises at the time they got arrested…
Anonymous
If Proton is serious in its privacy claims then even if they were supposedly forced to comply with the request they should then fight it in the courts, including at the European Court of Human Rights, for being forced to provide data for something which is only allegedly related to terrorism, and it is a dangerous precedent on the way to dictatorship.
From
Dictatorship? I was agreeing with you up until this point. The fact is the world is heading in just the opposite direction.
It’s both amusing and ridiculous how the far right throw around communism and dictatorship. It’s not surprising since they obtain their information from social media and non-credible sources. Even so, they spin whatever facts come their way and seek confirmation bias to suit their beliefs. Much like the earth is flat movement.
Anonymous (the same as before)
I am saying it leads to dictatorship because you are granting to a government the right to establish by itself what is the “truth”. This means its power could come from itself and nothing more.
I am not saying what happened in this case is necessarily proof of dictatorship; I am saying it sets that direction rather than a free society considering the incentives a central government has to gain more power if unopposed which is difficult when its subjective point of view is enforced as objective, which seems to me like the definition of tyranny.
Also, let me remind you that the concept of dictatorship or tyranny is unrelated to the post-French-Revolution western political spectrum and dates back millennia.
Finally, let me point out that I do not use social media at all, and that your analogy to the flat earth theory is an argumentation fallacy (ad hominem, or ad anonymous in this case, and a false analogy too) since you are making analogies that have nothing to do with the discussion to discredit the other’s argument instead of arguing yourself. This, on the other hand, seems very typical of some social media network users’ tendency to stick to a certain narrative while supposedly discrediting other points of view in a naïve fashion.
Pericu
Proton hasn’t commented on who was directly handed over the information, but on who can request it: the Swiss courts.
However, the Swiss courts have repeatedly denied requests from Spain trying to prosecute political dissidents, and very specifically they have made their stance clear on this “Tsunami Democratic” case, which is TL;DR “you’re not getting anything from us to help prosecute dissidence, no matter how you label them.”
So it is either a case of the Swiss courts mismanaging this particular request according to their own policy, or Proton straight up omitting or concealing that they handed over the information directly to Spain without the explicit approval of the Swiss courts. There is no wording in Proton’s or Proton’s CEO’s statements to help shed light on this particular issue, and the doubt alone makes Proton a non-starter for privacy-respecting services. Also, a recovery email is personally identifiable information, core to privacy for 110% of the values “privacy” might have, so the artificial split between “we provide privacy via encryption” and “we don’t provide anonymity, use OpSec to keep it” is just a cheap and mind-boggling dismissal. Common sense OpSec would now mandate you don’t go anywhere near Proton, as it’s as compromised as anything else.
Amilia
I agree with the few who managed to keep their voices heard amongst all the Proton Mail hype, cheerleaders, and gaslighting. ProtonMail requires a recovery mail option. Some email addresses are not permitted, like those from disposable email accounts, e.g. Guerrilla Mail.
And seriously, never sign up for anything without a trusted VPN with a no-logs policy. But now, there’s a worry Proton (like many websites) might start blocking VPN users from signing up. That’s why VPN providers need to step up and hide their service and IP addresses so they are not identified as a VPN IP address.
Ailima
The article literally states that a recovery address is OPTIONAL (and not the default) as does Proton’s statement. Of course, anyone who has signed up for a Proton account would already know this.
Frank
I have noticed that the wifi at some public libraries blocks access to VPN websites like Mullvad.net and Expressvpn.com. The wifi at coffee shops has not blocked access to those sites.
Nikola Miljevski
“The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.”
One can put many people in jail under the pretext of terrorism. For example, people who illegally entered parliament in North Macedonia and physically attacked deputies in the year 2017, as was done a few years later in the USA, were declared terrorists by the court and given many years in prison.
ProtonMail and other similar services are useless for protection against malicious use of law, because they don’t judge if the request of the authorities is malicious or not, but just answer the request without objection.
Actually, they are probably not much better than Gmail, except that they may be more transparent about their work.
They may implement better practices so that their employees are not able to know the recovery email etc., but then they will be closed by the authorities.
Also there is no point of using ProtonMail, Tutanota etc if the person who receives the email does not use the same service, because the email content will easily leak.
All in all, they offer no huge added value in my opinion over older providers.
Yun Il
The US government increasingly relies on buying data from data brokers about persons of interest (domestic and foreign), without the need for a warrant. This information is usually gathered from big tech companies like Google and Facebook. With a warrant, the US authorities can compel any US company to hand over everything they have. Many of these US companies hold the decryption keys to their users’ data and can decrypt and hand over anything and everything. This doesn’t just extend to email providers, but includes any digital communications provider (including certain types of public wifi providers). Any free email provider is monetising their users, which is not only a commercial privacy risk, but a law enforcement risk. Proton don’t sell user data and they contest legal requests. Looking at their transparency report, they successfully contest around 15% to 20% of these requests each year.
Using a secure VPN with a service like Proton Mail gets you a respectable degree of protection from commercial exploitation, the law, and criminals, but it isn’t a foolproof way to hide from the law (even malicious uses of law). Proton, and any good service provider, will be transparent about what is and isn’t encrypted, whether that encryption is zero-access, and what they can and cannot hand over to law enforcement. Anyone serious about their opsec will take further measures based on their threat model. Protonmail is a good tool, but it is just one tool in the toolbox.
JB
If some countries like Spain consider a roadblock a terrorism case, that is all ProtonMail and the Swiss authorities are going to get: that this is a terrorism investigation. Straightforward dictatorships like China or Iran have their requests for information closely inspected, but other countries considered by Switzerland to have high standards of freedom, like the USA or EU countries, are not going to get questioned too much about their legal requests. If they say it is terrorism, then it is terrorism, even if it involves shoplifting a tuna can whose tin lid could potentially be used to cut the neck of a police officer. The latter details would not necessarily be disclosed if Spain makes a legal request to the Swiss authorities; just saying that a police officer’s life is under threat should be enough. The whole Swiss privacy law thing is all marketing; there isn’t that much difference between the company being based in Switzerland or Germany.
Vael
Protonmail doesn’t require verification as suggested in the last paragraph, and they never have. I’ve been using the service since their beta and have created many email accounts, and I just now created a new email address through them and there was no verification required.
Alex Lekander needs to update this article again and remove that misinformation in the last paragraph.
Alex Lekander
This is not misinformation, as you can see for yourself with the screenshot. That being said, I have added a few sentences to note that verification is not always required.
Dan
In the screenshot it says the email address used won’t be linked to the account, so this is not the recovery email address from my understanding. The recovery is a different step, and that address is stored, as it may be needed again.
Alex Lekander
Good point Dan. I just tested this through a VPN and also Tor, and found that Proton does require a verification address (screenshot added), but unlike a recovery email, this email presumably does not stay connected to the account.
Frank
Thank you for your article. You are right, that Protonmail requires a recovery email address. Gmail email addresses can be created easily, and used for the recovery address (and then the Gmail address is never used). After the Protonmail account is created, the user can then go into the account settings, delete the Gmail address, and set up a passphrase for account recovery.
But the best question is: is there a better email provider than Protonmail? Maybe Startmail?
Christopher
Obviously you have not used this email company since their beta at all as you claimed.
Just because you do not experience a particular process does not mean your process for signing up is valid for everybody in the world. The world does not consist of the us. only you know! And I believe you have not travelled much either to test proton how it behaves in other countries.
Oh! As for the price, yes you are right, it charges the same exorbitant global dollar and EUR amount to all the disadvantaged countries where the currency is too weak and privacy laws are almost non existent relative to the country where Proton emerged.
JB
On the smartphone if you visit the Android marketplace for ProtonVPN, you get different prices depending on location.
Christopher
This is not true. Not everybody uses a smartphone, hence Android, and not everybody would make purchases via Google Play, and the prices shown in local currency on Android are still the equivalent of either USD, EUR or CHF, which is in fact so many times higher than what Americans and Europeans pay. I wrote an article about this debunking Proton pricing in detail and Proton censored it. I can send it to the editor here if there is any doubt.
Jack
I’ve never had success with virtual phone numbers.
JT
I use TextVerified.com, and it worked with my Proton account.
xuxo rondinaire
Hey, do you know anything about Wire’s role in this? Apparently, Spanish police also questioned Wire (also based in Switzerland), but the press reports I read don’t explicitly say if they provided any sort of info or, if they did, how useless it was.
.ANON
Self hosted PGP email servers running on HNS is the only sovereign solution. #PlanH
Sveinn í Felli
Your inbox on Proton is encrypted and unreadable by any 3rd party; in this case it’s the email-addresses and linked phone numbers Proton is obliged to surrender. Which means one has to take other steps in ADDITION to using Proton, most of which are mentioned in the “good OPSEC” list.
Eric Mathers
Seems to me that it was a user error if anything. Why would you put a real recovery email address like that? Especially if you’re politically significant and taking the steps to hide your identity anyway. Privacy and anonymity are two different things. And when you’re in govt crosshairs, best to take care.
It’s like wearing a physical disguise, but taking it off or putting it on in front of a CCTV camera.
Hue
Clickbaity. They have to comply and if you want to have proper opsec, their VPN offering is essential. That’s regularly pointed out by them. VPN connections aren’t logged. https://protonvpn.com/support/no-logs-vpn/
James
Yeah but if you’re using ProtonVPN combined with ProtonMail, that’s also bad OPSEC. You’re putting all your eggs in one basket, which is also not smart. Use a different no-logs VPN than Proton if you are going to use their email service.
Christopher
We will start to see more and more strange stuff leaking from Proton soon. This is just the beginning!
To me, Proton is not a company or movement with a mission as they claim it to be. Not even close!
In all so-called privacy sources, Proton is being hyped and pushed down people’s throats as if it is the answer to their prayers about individual privacy. In almost all ‘best private email’ listings (RestorePrivacy included) every website lists them as the top-notch service. Proton is none of them and never will be. And we all will see in the near future how flawed and misleading this perspective is. Just wait and see while they are trying and eyeing to be the Google of the privacy space while promoting a false sense of security.
Bodo
Wow, and I thought Proton was supposed to be private and no one can track my data
What’s your threat model?
Proton works well when all you want, like me, is to avoid the “free” business model of all those personal-data-stealing ad companies (Google, Meta and co).
If you are looking for anonymity, you have to be much more careful and NEVER provide anything allowing for de-anonymizing you.
No one, not a single company, will be able to protect your identity, they all at some point have to follow local rules/laws. So just never give it to anyone.
And that’s a very difficult task.
Also it’s funny to use email for secret stuff and anonymity. That is completely stupid; email is the worst tech for secrets. Just don’t use email.
Bytelabs
The article’s main source does not say anything about any recovery emails.
The article instead mentions that the Civil Guard used Europol to ask Swiss authorities for the company Wire to identify the person behind the pseudonym ‘Xuxu Rondinaire’, who also used a Proton Mail account. There is no mention of Proton Mail providing a recovery email address directly to the police. Instead, the information request was directed at the Wire messaging service through international police cooperation channels.
Alex Lekander
False.
“Protonmail gave him the recovery email address associated with the email he used to talk about the Democratic Tsunami. Once he got it, he asked Apple for information about this second email address, and got its name, home address, and phone number.” (Google Translate)
https://www.vilaweb.cat/noticies/tsunami-democratic-xuxo-rondinaire-mossos/
myNamesJeff
Highly concerned by the claims of this article. It seems like if you want to safely email someone, you better create that email on Tor with Tails, and only check it via the same method. And even that isn’t bulletproof.
Shaun
forwardemail dot net is my go to.
Bill
Any company that is serious about privacy won’t register as an LLC in Delaware (or the US in general). Companies who do that are more interested in (potentially) securing investors than in privacy. Also, I don’t see how being open source really relates to privacy. They also don’t seem to publish any business address or info about the people behind their company on the website (not in their privacy policy nor terms). So with the information I could find on their website right now, forwardemail seems more like a honeypot to me..
John Doe
ProtonMail seems to be getting a bit too high profile for my likes. And 6,000 data requests complied with? Damn. I’m not even faulting Proton here. And legal requests through the court can’t be ignored, but this all doesn’t sit well with me.
abcdefg
They need to comply with binding legal requests. If they didn’t, they would no longer exist. That’s true of any service. That doesn’t mean their claims of encryption are untrue; they are clear about the limitations. Thinking that your email provider will go to jail for you is laughable.
Don Joe
With over 100 million accounts, 6000 requests is a drop in the ocean.
GatoOscuro
And do any of the 100 million accounts make follow-up requests? No. Then it doesn’t make sense.