Last week's news that Proton Mail helped Spanish police identify and arrest a pro-Catalan protester is likely to have sent chills through activists in Europe and beyond.
Proton Mail is an encrypted, secure email app that is very popular among journalists and dissidents who rely on the company's promise to protect their privacy. However, as part of a terrorism investigation, the Swiss-based privacy company was required by law to hand over the personal data it held on the Democratic Tsunami activist to the Civil Guard.
This is not the first time either. In 2021, Proton shared the IP address details of a French climate activist with Europol officials.
Unsurprisingly, concerned commenters have criticized such behavior, wondering whether or not it's time to get rid of the app for good. Some even warn against using Proton products altogether. The company also offers Proton VPN, which is listed in TechRadar's best VPN guide, along with other security tools, none of which were affected by these incidents.
So is Proton Mail still a safe option for activists? That depends a lot on how you use the platform. I've contacted Proton for comment and am awaiting a response at the time of publication, so here's everything we know so far.
As I mentioned above, Proton Mail is one of the go-to email providers for journalists, human rights defenders, protesters, and any other users who may be subject to online surveillance. This is because Proton Mail seeks to minimize the personal data that the company can access by encrypting user communications.
Encryption is the process of encoding data into a form that cannot be read without the corresponding key. As the company explains in a blog post, emails sent between Proton Mail users are always end-to-end encrypted, meaning cryptographic keys encrypt the data on the sender's device and decrypt it only on the intended recipient's device. Zero-access encryption also applies to messages you store on Proton's servers, while TLS encrypts your emails in transit.
All this means that Proton, for example, will not be able to share the content of the emails you send or receive because the company itself cannot access them. This also goes for all your stored messages.
The problem is that even this level of encryption cannot guarantee complete anonymity, since the company still has access to some identifying information, known as metadata, including email and IP addresses. Law enforcement knows this and routinely compels companies to hand over that data.
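To make the split between encrypted content and plaintext metadata concrete, here is an added Python model of a zero-access mail server (not Proton's code; it uses a toy cipher and invented account fields purely for illustration): message bodies are encrypted on the client, the server keeps only ciphertext plus metadata, so a legal order can return a recovery address and IP addresses but never a message body. It also shows why leaving the optional recovery address unset, as the checklist later in this article recommends, shrinks what can be disclosed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 counter keystream): illustration only, not a vetted cipher.
    # Encryption and decryption are the same XOR, so only a key holder recovers plaintext.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class StoredMessage:
    # Per message, the provider holds only an opaque body plus plaintext metadata.
    nonce: bytes
    ciphertext: bytes
    sender_ip: str

@dataclass
class Account:
    address: str
    recovery_email: Optional[str]  # optional, and the weak spot in the Spanish case
    last_login_ip: str
    inbox: list = field(default_factory=list)

class ProviderServer:
    """Zero-access model (constructed for this example): the server is never given a content key."""
    def __init__(self) -> None:
        self.accounts = {}
    def register(self, address: str, recovery_email: Optional[str], ip: str) -> None:
        self.accounts[address] = Account(address, recovery_email, ip)
    def deliver(self, recipient: str, sender_ip: str, nonce: bytes, ciphertext: bytes) -> None:
        self.accounts[recipient].inbox.append(StoredMessage(nonce, ciphertext, sender_ip))
    def answer_legal_order(self, address: str) -> dict:
        # Everything the provider can disclose: metadata only, because it cannot decrypt bodies.
        acct = self.accounts[address]
        return {"recovery_email": acct.recovery_email, "last_login_ip": acct.last_login_ip,
                "messages": [{"sender_ip": m.sender_ip, "size": len(m.ciphertext)} for m in acct.inbox]}

def client_send(server: ProviderServer, recipient: str, sender_ip: str, key: bytes, body: bytes) -> None:
    # Client-side encryption: only ciphertext and metadata ever leave the device.
    nonce = secrets.token_bytes(16)
    server.deliver(recipient, sender_ip, nonce, xor_crypt(key, nonce, body))

def client_read(server: ProviderServer, address: str, key: bytes) -> list:
    # The recipient, holding the shared key, decrypts locally.
    return [xor_crypt(key, m.nonce, m.ciphertext) for m in server.accounts[address].inbox]
```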
Let's look more closely at the Spanish case. As court documents obtained by TechCrunch reveal, the Civil Guard sent legal requests through Swiss police to Wire, a Swiss encrypted messaging platform, and to Proton. Wire shared the email address the suspect used to log into their service: a Proton Mail one.
Proton had only one piece of information, albeit valuable, related to that account: an iCloud email address used as a recovery email. From here, Apple provided the Spanish police with all the details to successfully identify the pro-Catalan protester, that is, his full name, two addresses and a linked Gmail account.
Speaking to TechCrunch, Proton spokesperson Edward Shone said: “Proton has minimal user information, as illustrated by the fact that, in this case, it was data obtained from Apple that was allegedly used to identify the suspect in terrorism”.
He also added: “Proton does not require a recovery address, but in this case, the terrorism suspect added one on his own. We cannot encrypt this data as we need to be able to send an email to that address if the terrorism suspect wishes to start the recovery process.”
All the @ProtonPrivacy haters who say cancel subscriptions are completely missing the point. This case actually shows how powerful Proton Mail is, not the other way around. Europol served a court order on Proton, and the most Proton could provide was the user's recovery email… pic.twitter.com/kuvTc0jqfe (May 7, 2024)
Other commenters (see the tweet above) defended Proton on the matter, reiterating that while no company is willing to go to jail for you, “all companies should limit the information they have on users, as Proton has done”.
Meanwhile, according to Eva Galperin, director at the digital rights advocacy group Electronic Frontier Foundation, the incident is a stark “reminder that metadata matters.”
What is certain is that this is the latest example that sheds light on the limitations of secure, encrypted applications in fully protecting people's anonymity when law enforcement intervenes. For example, according to Proton's transparency report, the company received 6,378 legal orders in 2023. The team successfully challenged 407 of them, but had to comply with 5,971.
Worse, these incidents could become even more widespread as lawmakers seek to grant even more powers to authorities. The United Kingdom, for example, is one of the countries seeking to boost digital surveillance in 2024.
Using encrypted applications is not enough
While the Proton case highlights the complex web of law enforcement powers and companies' duties, it also reiterates a simple fact: using an encrypted app is not enough for online privacy.
Just as there are online threats that a virtual private network can't protect you from, a privacy-first email or messaging service won't be able to hide all of your digital traces, especially from the authorities.
As Shone told TechCrunch about the Spanish case: “Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure adequate [operational security] such as not adding your Apple account as an optional recovery method, which appears to have been done by the alleged terrorist suspect.”
Therefore, if you are an activist, journalist, or other user at high risk of government surveillance, we strongly recommend that you take additional steps to increase your anonymity online. These include:
- As the Proton incident has just taught us, never link a recovery email or phone number that can be traced directly back to your real identity. We recommend creating separate accounts or using disposable phone numbers for an extra layer of anonymity.
- It is also advisable to use a secure VPN service every time you access your email or messaging app. NordVPN and Mullvad are my top recommendations when it comes to security.
- While Proton offers a complete privacy suite (including email, VPN, Drive, Calendar, and password manager), you may want to consider using different vendors for each security software to prevent your activities through these tools from being linked in any way.
- Opt for an anonymous payment method to further minimize the personal data you share with the provider. Proton Mail, for example, accepts Bitcoin and even cash.
- Last but not least, consider also using the Tor browser together with your VPN service in case of high surveillance risk.