ProtonMail is widely touted as the most secure and private email service in the world. Having tested and reviewed the service ourselves, we have been recommending ProtonMail for years. However, the company behind ProtonMail is now in hot water — and at least one of its users has been arrested.
What happened exactly?
Last weekend, news blew up about ProtonMail logging one of its users and providing IP address logs to French authorities. The ProtonMail user was subsequently arrested in France thanks to logs that ProtonMail handed over containing the user’s IP address.
The news gained traction first on Twitter, with various media outlets also picking up the story. The key evidence of what transpired behind closed doors was a court document detailing how ProtonMail provided IP address logs of its user to French authorities.
The backlash has been swift. But should we jump to condemn ProtonMail or is this type of situation inevitable with privacy services? Let’s examine how ProtonMail responded to the situation and put it into context by comparing it to other cases where email and VPN services provided logs to authorities — as well as cases when they did not.
ProtonMail touts Swiss jurisdiction and privacy protection
We place a lot of trust in privacy services to do what they actually say. In the case of ProtonMail, they have boldly touted their privacy and security credentials for years. Not only have they claimed to not keep any IP logs by default, but they also regularly tout their Swiss jurisdiction, which allegedly confers legal independence.
Here is how ProtonMail advertises itself and its Switzerland jurisdiction.
So now let’s compare the reality of this situation with ProtonMail’s claims. We have learned that:
- Switzerland jurisdiction does not mean very much. Governments can simply go through a Swiss court and then ProtonMail will start logging any user that is requested by the court.
- The “extremely limited user information” is enough to find and arrest the ProtonMail user in question, with IP address and device info data.
It is also concerning how ProtonMail responded to this situation and the subsequent website revisions.
ProtonMail quietly scrubs “we do not keep any IP logs” from its website… after getting caught keeping IP logs
When a privacy service’s claims do not line up with reality, trust is eroded and potentially lost forever. While trust is very subjective, ProtonMail’s handling of this situation does not really inspire trust in the organization and its operators.
Using the Wayback Machine, we can see that ProtonMail did some quiet editing to its website in the wake of this logging scandal. Here is the previous version:
In the image above, you can see that the “we do not keep any IP logs” claim is prefaced with the “By default” at the beginning. Now, after the logging fiasco, the homepage reads as follows:
Gone is the claim, “we do not keep any IP logs which can be linked to your anonymous email account.”
In ProtonMail’s defense, it does not seem like anything changed. Technically, they probably did not keep any IP logs by default — but that is the key distinction. With just one quick request through a Swiss court, however, an outside government or agency could quickly get all the logs they needed to find and arrest the ProtonMail user they’re looking for. Case closed.
You can read ProtonMail’s response to the situation here.
Not the first time ProtonMail has logged users
We should also point out that ProtonMail has logged users in the past when ordered to be a Switzerland court. This is detailed on the Transparency Report here.
ProtonMail’s Transparency Report shows numerous cases where they have complied with various court requests for user data.
And similar to the current logging case, ProtonMail did some major site revisions by changing the wording of the Transparency Report after some other cases came to light. This was first noted by Martin Steiger in Switzerland here.
Other email provider’s that have bowed down to logging demands
Before you rush to condemn ProtonMail, you should understand the situation a bit more with some background information. For one, this is nothing new. We have been keeping a close eye on the privacy space for years now, and this is not the first time something like this has happened.
Riseup logs user data for US authorities
Riseup, which is an email and VPN provider based in the United States, was forced to comply with data requests a few years ago:
After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization).
There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary” [warrant canary that warns users about these events].
This appears to be similar to the ProtonMail situation, except that with ProtonMail, the goal was to identify the user with IP address logs.
Tutanota saves unencrypted emails for German authorities
A similar situation unfolded in 2020 with the German email provider Tutanota. In this case, Tutanota was required by a German court to log incoming and outgoing emails for a specific user identified in a German court order. This only affected unencrypted emails for a specific user, as Tutanota explained here.
However, all unencrypted emails that were sent and received by this user would have ended up with the German government, while encrypted emails would have been safely encrypted (and unreadable). The original article explains the case is in German here.
Similar to the ProtonMail case, this was a specific court order targeting one individual who was using Tutanota’s service for (alleged) illegal activities. In other words, the courts did not force a blanket policy that affects all of the service’s users.
When logging requests are denied (with VPNs)
When putting the current logging situation into context, it’s also important to examine when logging requests are denied. We have written about different examples of this in our no logs VPN guide. This includes cases where ExpressVPN, Private Internet Access (PIA), and OVPN have all successfully denied government requests for user data.
As one example, we’ll take a look at a recent case with OVPN, a Swedish-based VPN service that has successfully fought back against logging demands. The VPN was ordered by a court to log users who were accused of violating copyright laws by downloading movies. They were being sued by a group called the “Rights Alliance” on behalf of the movie industry.
Rather than comply with the request, OVPN lawyered up and went to court to fight for its users. And they won the case, proving that they are a truly no logs VPN service that takes their users’ privacy seriously.
To summarize the verdict, the Rights Alliance and their security experts have not been able prove any weaknesses in OVPN’s systems that could mean that logs are stored. OVPN therefore wins the information injunction as our statements and evidence regarding our no log VPN policy have not been disproven. The movie companies also need to pay OVPN’s legal fees which amounts to 108,000 SEK (roughly $12,300 at current exchange rate).
While the nature of an email service and VPN service are very different, this case does show that there are examples when privacy companies successfully fight back against demands for user data.
However, there are other VPNs that bow down and comply with these demands, as we have seen with PureVPN logging users for the FBI, as well as with IPVanish, which is based in the US.
Should people still use ProtonMail?
While this latest logging fiasco (and ProtonMail’s website revisions) will probably shake many peoples’ trust in the service, ProtonMail itself remains secure and private compared to most other options. With most free email services, such as Gmail and Yahoo, your inbox is wide open for data collection and advertising exploitation.
Conversely, ProtonMail keeps your inbox encrypted and secure at rest, without giving others access. Sure, they may be forced to log user IP addresses, but there is a simple solution for that (see below). Additionally, you can be certain that advertisers are not collecting the content of your inbox to hit you with targeted ads.
Nonetheless, if you now want to seek out alternatives to ProtonMail, see our guide on private and secure email services. We’ll still be recommending ProtonMail because nothing has really changed. The same goes for Tutanota.
Be smart and always use a VPN (and other privacy tools)
We’ve said this before and we’ll say it again. Everyone reading this should be using a VPN when going online. A VPN is simply basic protection that will hide your IP address and geographic location when you go online. This is something everyone needs in today’s world of mass surveillance and tracking.
Had the ProtonMail user in question been using a good VPN, and also implementing basic OPSEC, he probably would never have been arrested. ProtonMail would have logged the user’s IP address, but that would have only led investigators to a VPN server in some random data center, rather than the user in question.
In addition to using a secure browser and a VPN, we also recommend using a good ad blocker that can effectively block ads and trackers on all browsers. There is also the option to combine both VPN and ad blocker, which is especially effective in many circumstances, while also being easy to use. See our VPN ad blocker guide for additional information.
Consider using an encrypted messenger for really private communications
Lastly, this is a good opportunity to repeat another piece of advice that we have been saying for years:
If you really need privacy, don’t bother using email. Instead, use a good encrypted messaging service.
Email is simply an outdated method of communication that is leaky and contains lots of private data. By contrast, there are some great privacy-focused encrypted messaging systems, from Signal to Telegram and Wickr. We have also been impressed with Session, which takes privacy to another level and keeps no metadata whatsoever.
Check out our guide on the best encrypted messaging services to learn more.
Hi Sven,
A fantastic article. Fair and balanced with great analysis. I have read through the comments and the RP community have spoken well. I too feel a sense of disappointment with PM.
Your sight is a fantastic resource for people. The comments show that privacy is of great importance to many people for noble reasons.
Thanks for keeping us informed and educated.
Regards,
BoBeX
Just use Tor, easy and free, and protonmail offers a great onion service.
Honestly…I don’t see this as a big deal as such things are to be expected & if anything, I’d call it a victory.
Consider this: imagine Protonmail & other providers were so blatant as to deny any kind of cooperation with western governments. All they’re going to do is drive the legislators to laws that cast wide nets, which may in the end, neutralise the very thing we’re trying to protect.
Lets face facts: Most criminals who’ll use products such as E2E email like Protonmail & VPN’s, likely screw up in their efforts to remain anonymous & get caught anyway & most socially liberal democracies know this.
Obviously the Aussie government is the outlier, but even their efforts are likely to be for nowt in the end.
Sometimes it’s best to gave an adversary something, by giving them nothing, that they likely would’ve got anyway.
Agreed. Only the IP of the culprits are exposed in this case. If you are innocent, you have nothing to worry about.
@Ayumu Uehara
It’s not about if you are innocent or not, it’s about lies. You simply shouldn’t lie if you want to sell any good product. Proton obviously lied and betrayed their customers and they have not paid the service for that.
Not related but can you cover ExpressVPN being bought by Kape?
Yep, I have some things to say on that but am still doing some research. Look for an article to drop in the coming days….
Protonmail Seems to me a honeypot
Don’t trust people and their claims, trust the open source code you can audit yourself. Did you find any vulnerability?
@Benz: ExpressVPN was just bought by Kape Technologies…who now owns four VPN services and counting and several VPN review sites (!), in addition to other suspect software companies. Kape is also now cooperating with mobile provider 3 Hong Kong to provide PIA VPN services to subscribers there.
@ everybody: To be fair, Proton has always made it clear that they could be compelled to comply with Swiss legal demands. They also wrote after this incident, that they would be updating the info on their website: [https]://protonmail.com/blog/climate-activist-arrest/
Still, it might be better to look at another service if you think a different one can’t be forced by a court to log your server time.
“It is a solid choice for law-abiding people wanting a private email service.”- I generally agree with this statement, but keep in mind that there are law abiding people wanting to perform checks and balances on their government whose character profiles’ can be hampered by Proton’s initially deceitful TOS followed by Proton’s editing of said TOS AFTER customer signup with no “grandfathering in” of previous stronger, yet still weak TOS. I think the most disappointing thing here is that Proton didn’t even try to dispute the issue(s) in court. Big PRO for companies who have such as OVPN.
“I would not use both ProtonVPN and ProtonMail. That’s putting all your eggs in one basket.”-This should be common sense, but I always see people doing LAZY, stupid things. First off, you can not have your pie and eat it too; meaning don’t expect security with speed. You need a router-based VPN serving (preferably paid here for speed) a computer that boots with the routers VPN IP details. That computer also needs to have a completely flushed previous IP/DNS characteristics ect. Then you need to use a second VPN providers “software” (preferably paid for speed) on said computer to mask the initial IP and your entry IP. Then you need to install Linux on a Virtual Box or similar software. Do all of your torrent client software AND torrent downloading within Virtual Box. You are now safe for downloading torrents.
As far as email, download a third separate free VPN client software while connected to router VPN AND the second software based VPN. Unplug ethernet and restart computer clearing all IP/DNS ect. Records. Delete second VPN software and install third VPN software. Then plugin ethernet and download TOR (NO GOOGLE!!!!) within the virtual Linux installation and MAKESURE to verify the software’s file checksum. Use installed TOR to create a “free” Protonmail account and only use this account within the above said VPN order. Make sure you only email other “Protonmail” users doing the same exact procedure on the other side. This is for “critical emails,” and you should create new Protonmail accounts for each and every email you intend to send (delete old account with same VPN server) using a different pre-TOR VPN server. Never use the same pre-TOR VPN server as you do with your torrent client and do torrenting and TOR tasks within separate VirtualBox installations. And DO NOT use full screen within the TOR browser!
This is a quick summary, and I could go on and on about extra little details. Personally, I think this is a more secure method than Tails where you can’t create virtual OS installations. Also, Tails requires Nand style flash which due to wear leveling retains data. For VB based TOR use a mechanical HDD and perform a seven pass DoD 5220.22-M wipe (or equivalent) after every use. Do so with the HDD taken out and placed into another computer that never accesses the internet. The purpose of the virtual OS is to not see VPN#1’s entry IP into VPN#2. The point is to have a plan, don’t ignorantly think that you can pay for a single VPN AND have it handle everything without leaving a few bread crumbs behind, and understand that privacy and speed do not coexist.
My personal opinion- stay away from “politically correct” VPN providers. Stick with VPN providers with staff who have a legitimate FU attitude and are not afraid to show it. LZ with AIRVPN comes to mind…
A necessary evil- on one hand, no one want to keep having their VPN IP address black listed and no one wants to promote attacks of other networks such as DDoS attacks or using a tool such as Masscan… but such methods are the only way I see possibly to check the integrity of VPN service providers. I am undecided here… this is like a catch 22- VPN providers need to not stick with the IP “set it and forget it” approach and instead host certain servers that keep wiping and reconfiguring IP often to flush blacklisted IP’s. In theory, “Secure Core” should accomplish this but it doesn’t…
Great, now some overpaid cck sucka in a black suit just added a few nasty remarks to my NSA character profile, but I don’t care IF what I said helps even one privacy minded individual out there…
I like ProtonMail, but I’ve always felt skeptical about their claims regarding resisting censorship, as these matters will always become political, and the fact that there are financial ties to U.S. govt’ agencies. I’ve used both their email and VPN for almost a year (Different accounts, different payment methods [Don’t bundle!]) and I’ve been satisfied with both, tho ProtonVPN is slow to grow. I’ll agree that secure messaging is the way to go (Team SESSION here!). The more decentralized the better. For email CTemplar is still my go-to, despite their recent data loss incident.
I wish I could ditch the need to use different services for different purposes and this recent incident with ProtonMail has dropped it down my threat model, and highlights my desire to switch over to services like UtopiaP2P. Given what I’ve seen recently in the West I do not feel that legal guarantees are worth much these days.
Does it mean that if when i signed up for Protonmail, i did not use a VPN, that IP address is forever logged by Protonmail? So even if I start using protonvpn now, some day the Chinese government can request the Swiss government force Protonmail to disclose who I am from that first initial contact?
And also, does it mean that if I have a “reset password” email, that is also visible and discloseable by protonmail to the authorities?
“IP address is forever logged by Protonmail”
I don’t know about ProtonMail’s website logging policies.
I would not use both ProtonVPN and ProtonMail. That’s putting all your eggs in one basket.
Read their privacy policy. https://protonmail.com/privacy-policy
IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation. This obligation however does not extend to ProtonVPN (see VPN privacy policy here). Additional details can be found in our transparency report.
If the payment is not anonymous then the VPN can’t be anonymous either, and can be trusted.
Why someone should contract Proton VPN when there is many other solutions as Mullvad VPN which is really anonymous and even cheaper?
In Mullvad, when you sign up, you don’t provide any email or personal data, you just get an id registration number and you can pay using Cash or even criptos. This website has a responsability regarding informing the best ways to obtein privacy to their readers. If you don’t have conflict of interest with Proton VPN, there is no argument to recomend proton VPN who register all you payment info.
Privacy is a matter of facts, no matter of trust. Google, Facebook etc…they ask us to trust…..as Proton VPN….but Mullvad VPN (there are more) … you can contract them and they don’t know who you are as you pay anonymously.
Hi Daniel, you are repeating one of the biggest misunderstandings in the privacy community, and then using your misunderstanding to promote a VPN that you apparently like. Anonymous payments do not matter with VPNs. If a VPN is going to log, like ProtonMail did, then they will get your source IP address, regardless of whether you use an anonymous payment or not. It doesn’t matter! (Note that if you are using multiple VPNs, then they still won’t get your source IP address, or your destination traffic, including website history.)
Similarly, if a VPN does NOT log, it again does not matter whether you use an anonymous payment or not.
And think about your adversary. Let’s say it’s a state adversary for some kind of criminal investigation, such as the case with ProtonMail. If they know you purchased a VPN with your credit card on September 9th, what does that matter? How does this information make any difference? They can’t use that information to decrypt your traffic, which is getting mixed with thousands of other VPN users every minute of every day, so who cares. And even if your adversary got your VPN username and password, it still doesn’t matter, because that also can’t decrypt and de-anonymize your traffic with that info. Instead, it would just mean that the FBI agent could use your VPN account without having to purchase a subscription. A password and username just provides authentication and access to a VPN service. It’s not an encryption key. It doesn’t matter outside of getting access to the service.
Similarly, it does not matter if you sign up with your email. Once again, an adversary knowing you use a VPN does not matter, assuming you are using a good VPN service. And we also recommend VPNs that have a proven track record of no logging, such as OVPN mentioned in the article. Nonetheless, it is still possible to just purchase a VPN with a new secure email service or even a burner email address.
People falsely think of VPNs like an email service that has lots of personal information on you stored on various servers. This is not the case with a VPN that is simply encrypting real-time traffic. Then people go around in comment sections and forums spreading nonsense about the importance of anonymous payments with VPNs, but this is largely pointless. Furthermore, it could keep people from even using a VPN if they can’t figure out how to purchase it “anonymously”.
So if signing up for a no logs vpn, I don’t necessarily have to pay cash?
That would make it easier. So why does OVPN suggest paying cash for “privacy” if payment doesn’t matter?
Just trying to understand.
No, I don’t think it matters.
OVPN gives that option for the privacy paranoid I guess.
@Sven,
Ok. Well, it makes sense. I will do a quick search but I am about ready to switch over everything. Thanks for the help.
I can agree that it doesn’t matter how you pay for the service. But we saw with the Protonmail case that you can’t trust even the Privacy policies anymore. They just edit it when they need to. That means that these documents are not enough for the customers. And that is where the major problem is, it’s all about trust really. Also, don’t ever use email or SMS as a 2FA, use audited 2FA apps instead.
Bronco,
Ageis is what I use for 2FA.
I agree. Docs change as needed, sadly but as it goes, the goal is to find a service that was built with no logs from the get go.
Sessions is one example.
You made good points regarding the payment.
But then why should a reader of you blog trying with Protonmail, when there is a lot of VPNs with less or 0 cases of “legal IP logs”(as you mentioned OVPN). If an activist is reading your blog, if he trust proton he could be in danger.
Do you have any info about Mullvard VPN, do they have cases of legal requirement and tracking IPs for goverments?
I don’t have any info on Mullvad and logging cases.
Emails are necessary evil today. There is obviously no such thing like secure and private email, at least not out-of-the-box. To open or register any account, in most cases, you need an email. Now how is that private and secure then?
This could have been done better, comparing Proton Mail to US based services is rather lame. I used Proton VPN and email for two years and had a number of privacy issues with them, such as them uploading error data from users with no opt out or notice unless you read release notes, then holding my email hostage when my VPN expired and refusing to return it to the free status it was before bundled with the VPN. They decided whether you had a good enough reason for leaving them, arrogant clowns. Plus, their VPN became slower and slower as time progressed. I just deleted my account, a backdoor they apparently overlooked. They were very disorganized, there are much better options IMO.
I think the real message here is to use encrypted communications if you want privacy. It’s a pain to convince others to sign up even for Signal, a really simple to use secure messenger since they don’t know what it offers. Not sure what this guy did but if you’re doing iffy stuff and communicating about it online, at least learn why encryption is a good thing.
Tutanota’s description of end to end encrypted email goes on for a paragraph or two before they mention that both parties have to have a key for it to work. Signal’s wording is much clearer. Those new to the subject could easily overlook tiny but important details. Seems the more “professional” looking a provider’s site is, the more important looking glossy photos and claims of superiority, the closer one should inspect before deciding to use or not.
Hi Sven
I have been a PM user since 2015 but last year I cancelled the service due to mistrust. There where a lot of things that got my alarm clock ringing. The heavy activism from PM – Hong Kong and Belarus.
You say there is nothing to worry about. Look at the numbers! I had NO idea that it was SO bad. They have complied with 3017 request in 2020!!!! Ctemplar had none. Tutanota have 1 (maybe a bit more). It’s insane – it’s around 10 request a day. What the fuck is this company getting at? The comply with some orders (typically from the US) but not from Turkey – because they don’t like the human rights in Turkey? Are PM a judge now? How can they comply with some but not others without a question?
My main concern is that this company is driven by the CIA like Crypto AG was for decades. This is really bad!
Good points. I think the large numbers are also due to the fact that ProtonMail is a huge service compared to most others in the secure email space, and more users probably means a lot more legal requests.
An increase of 1250% (orders from swiss authorities) from 2018 to 2020 is high – I would say. To think they had an increase in customers of 1250% in the same period of time is a bit crazy. It’s alarming when an email provider gets 10 orders per day. That’s an insane amount for such a small company like PM. I will call it a bombardment. They simply log a lot of users every day without telling them about it. When governments think that PM is an illegal place to be – it’s not a good place to be at all. PM telling very little about what they are doing about the orders are a concern too. I really do think they can read all the mails – even the encrypted ones. I really don’t think the courts would be interested in an IP address of an email customer at least not 3500 times a year.
Thanks for covering this story.
Just a question: does anyone happen to know the timings of all this? When did the Swiss court ask PM to log the user’s IP? And were they given a gag order about it?
To me it feels a bit dirty that they changed their wording on the website without explicitly pointing it out.
When it comes to Protonmail app (or others similar services) in Android, is it enough to use a good VPN to keep us anonymous? Or are there other issues when using a smartphone?
Smartphones are really challenging because it is difficult to control all communication channels. Nonetheless, for a smartphone, I’d still recommend a good VPN, ad blocker, and secure browser.
Smartphones are pretty much visible because of their unique IMEI and phone number. Google/Android tracks both as well as network data, so…
@Sven,
I am really sad by this as you know we have discussed PM a lot with some very strong debates.
But, I am also willing to eat humble pie when I am wrong and here is that time.
At present I am looking at other emails and VPN’s and have narrowed it down.
Email: CTemplar
VPN: OVPN or Perfect Privacy.
Unless you see something I don’t, CTemplar and Iceland seems to be stronger than swiss laws. Would you recommend them?
On VPN’S I am wanting ease of use and apps for my Linux, Android and VM. The ease factor has me leaning toward OVPN as well as the time their customer service has taken to answer questions.
But Perfect Privacy seems more technical. Plus Sweden is EU. Which do you prefer? I have also ruled out Express and Nord as they just didn’t sit right with me.
Thanks.
P.S. Sessions has been flawless for me and I can’t recommend them enough.
Hi J.M. I still think ProtnMail is a great option, for the record, and nothing has really changed in that respect. It is a solid choice for law-abiding people wanting a private email service.
But to your question, yes, I do think Iceland is a better jurisdiction than Switzerland. However, that being said, I’ve seen recent complaints about issues with CTemplar losing all emails due to a system failure. So they are definitely still working out the bugs.
They may be and I will not argue that.
Personally I don’t want there to even be a remote possibility of a log, IP, and tracking and this comes from a law abiding individual.
As for CTemplar, I saw that but I am very limited on options so I am willing to try. Will see.
Between OVPN and Perfect Privacy, which do you suggest? I have never used either.
Thanks.
I’m liking OVPN right now quite a bit. Mullvad is another good option in Sweden I’ve been testing lately, will hopefully get a review up soon.
@Sven,
Thanks. I will look at them once more but I am going to give them a shot.
Appreciate it.
You should take a look at ivpn.net. That would be my choice next time.
I have been a Ctemplar user for about a year. There is still some bugs – but at least they have not complied with ANY court order yet. They are transparent with that on their website – you can actually see when (if) they get a request.
Good to know about CTemplar.
I am willing to deal with bugs if I can remain private and secure.
For IVPN I will look at them. Who do you use now?
I have used ExpressVPN for a year now. I’m on iOS and Windows and ExpressVPN is the best thing you can use on iOS/iPadOS. I have never had better VPN for iOS than ExpressVPN. I have previously used a lot of different VPNs. PureVPN, Torguard, Surfshark, NordVPN etc.
But ExpressVPN is most for people who stream movies and use it for that. IVPN is not good at that I should mention. ExpressVPN doesn’t allow me to use other DNS (they removed that option). I can only use their own protocol “lightway”.
IVPN is for the user who wants to customise their own VPNs behaviour. There are so many options – I have never seen an VPN with this degree of customising.
I would only trust OVPN, Mullvad and IVPN.net. But before you sign up for 1,2 or 3 years you should buy a weeks license.