Encrypted email provider ProtonMail has drawn criticism from users after it gave a French climate activist's IP information to French police, who subsequently arrested them.
According to TechCrunch, which first reported the story, French police sent a request for information on a group of people occupying buildings near Paris's Place Saint Marthe to Swiss authorities via Europol.
A story published by the activists on French anticapitalist website Paris Luttes on September 1 claims Proton provided police with IP information relating to users who accessed a ProtonMail address used by the group.
In a response to the incident, titled "Important clarifications regarding arrest of climate activist," Switzerland-based ProtonMail confirmed it had handed over the information after a "legally binding" request from Swiss authorities.
Proton says law forced its hand
In the statement, Proton CEO Andy Yen stressed that the service's end-to-end encryption could not be bypassed, meaning the contents of emails could not be accessed by authorities. However, the company is subject to Swiss law, meaning user identifiers like IP addresses could be obtainable by court order.
"if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address," he said.
In his response published on Monday, Yen stated that at the time of the request, ProtonMail was not aware it was related to climate activists. The company's privacy policies mean it does not know the identities of its users, Yen said.
"We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way," he said.
While Swiss law can compel email providers to log user data, the same rules do not apply to VPNs, which ProtonMail's parent company Proton Technologies also offers.
Data requests on the rise
According to ProtonMail's "Transparency Report," which tracks demands for user data from authorities, the company complied with 3,017 such orders last year.
In the same year, ProtonMail said it contested 750 orders. Swiss authorities approved 195 foreign requests for user data in 2020, up from 13 in 2017, according to the company's data.
Among the official requests for data it says it has challenged are a request for the data of an investigative journalism group in June 2020 and a January 2019 request from "an EU country in eastern Europe" targeting a government corruption whistleblower.
In his statement, Yen said users with "certain threat models" should use the company's "onion site", which offers anonymity via the Tor browser.
For the French activists, another solution was more attractive. At the bottom of the September 1 article they advertise a new email address, provided by a competing secure email service provider.