Protonmail exposed as logging IP Addresses contrary to their previous policies

AlTech

Summary

Protonmail has been exposed as logging IP addresses despite their misleading messaging on their website and communication channels suggesting otherwise.

 

Essentially what happened is Protonmail was told by a Swiss court that it needed to log the IP addresses of one of its users' accounts and use browser fingerprinting to see what browser and device they were using. Initially I found out about this a few days ago, but it's being posted now in Tech News because nobody else has posted it, and we now have sources from the likes of Ars Technica and a few others now that there is further clarification on the situation.

 

Apologies for somewhat rushing this post together, but it got posted slightly before I meant it to be, so I've had to fix it after the fact.

 

Quotes

Quote

This weekend, news broke that security/privacy-focused anonymous email service ProtonMail turned over a French climate activist's IP address and browser fingerprint to Swiss authorities. This move seemingly ran counter to the well-known service's policies, which as recently as last week stated that "by default, we do not keep any IP logs which can be linked to your anonymous email account."

Quote

As usual, the devil is in the details—ProtonMail's original policy simply said that the service does not keep IP logs "by default." However, as a Swiss company itself, ProtonMail was obliged to comply with a Swiss court's injunction demanding that it begin logging IP address and browser fingerprint information for a particular ProtonMail account.

That account was operated by the Parisian chapter of Youth for Climate, which Wikipedia describes as a Greta Thunberg-inspired movement focused on school students who skip Friday classes in order to attend protests.

According to multiple statements ProtonMail issued on Monday, the company could not appeal the Swiss demand for IP logging on that account. The service could not appeal because a Swiss law had actually been broken and because "legal tools for serious crimes" were used. ProtonMail does not believe the tools were appropriate for the case at hand, but the company was legally responsible to comply with their use nonetheless.

 

 

My thoughts

This felt like a betrayal of what Protonmail stood for and proves that even seemingly great companies like Protonmail can be manipulated into being bad for privacy. Protonmail's solution to this problem, telling people to use Tor when using Protonmail, seems somewhat hypocritical when Protonmail itself doesn't allow new customers to sign up using a Tor onion address; instead they must sign up using a clearnet website. At this point the conspiracy theories saying this is a honeypot are looking slightly more credible, but only slightly.

 

It looks like even Tutanota would not have been able to escape the same thing in this situation, since they have to comply with similar court orders requiring logging to be turned on for specific accounts. On the other hand, it also looks like Tutanota encrypts more details than Protonmail does, so until we get an even more private email service, Tutanota seems slightly more private than Protonmail.

 

But as Rob Braxman (a tech privacy guy on YouTube) also frequently says in his videos: email isn't secure or private. Treating email as neither secure nor private is the best way to avoid this kind of situation in the first place, but it's still unfortunate that it had to happen.

 

Sources

https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/

Honestly surprised no one has posted about this since the SU you did on Sunday regarding this.

Quote

According to multiple statements ProtonMail issued on Monday, the company could not appeal the Swiss demand for IP logging on that account. The service could not appeal because a Swiss law had actually been broken and because "legal tools for serious crimes" were used.

Quote

ProtonMail was obliged to comply with a Swiss court's injunction demanding that it begin logging IP address and browser fingerprint information for a particular ProtonMail account.

Unless I'm misreading something, doesn't this mean that this isn't their fault, and instead they were forced to by Swiss law?
It says that ProtonMail was forced to "begin logging", not that they already had logs.

15 minutes ago, FakeKGB said:

Unless I'm misreading something, doesn't this mean that this isn't their fault, and instead they were forced to by Swiss law?
It says that ProtonMail was forced to "begin logging", not that they already had logs.

Their privacy policies and websites previously didn't state that this was even something that they could be forced to do. People were under the impression that they wouldn't be able to provide logs of any kind, and this has been a big shocker for a lot of Protonmail users and non-Protonmail users alike.

 

Edit: Also Protonmail didn't explain that it's a lot easier for them to receive legal requests than they led people to believe because legal requests can end up being issued by the Swiss government as a proxy for another country wanting to get information about individuals.

1 hour ago, FakeKGB said:

Unless I'm misreading something, doesn't this mean that this isn't their fault, and instead they were forced to by Swiss law?
It says that ProtonMail was forced to "begin logging", not that they already had logs.

Yes, that is the case. They don't log IPs by default, but apparently the law can force them to do so. Also, "enable fingerprinting" is an overstatement. Browsers literally send out an ID string that says what browser is connecting to the webpage. You don't need any fingerprinting; it's right there. I don't want to be a smartass here, but if you're a criminal or an activist whose activity might be of concern to someone else, it's kinda your responsibility to mask your IP accordingly. Even if they say they don't log, you can't just assume things. I don't have that issue since my primary reason to use ProtonMail was just getting away from creepy uncle Google, so I don't bother, but if I was using it for activism, I'd probably do something about my IP too. After all, IP is the way of communication and you can't do without one, meaning they'll see it at one point either way.

An intelligence agency could log at the intercept points of the nodes. I don't see this as that big of an issue. It's more that a questionable use of the Swiss Laws happened that should be more of a worry.

You are ignoring an important detail.

 

It's only for a specific account that was used to commit crime.

They are trying to find the criminal.

 

The moment a crime is committed, the right to privacy and freedom of movement are taken away for good.

 

I hope they catch the criminal.


16 minutes ago, Vishera said:

You are ignoring an important detail.

 

It's only for a specific account that was used to commit crime.

They are trying to find the criminal.

 

The moment a crime is committed, the right to privacy and freedom of movement are taken away for good.

 

I hope they catch the criminal.

Apparently the issue was they deployed measures and activated laws used for worst terrorist acts to enable surveillance of said person that did a rather minor crime. Apparently France has been regularly abusing it and that's what's worrying people more. Blaming ProtonMail for obeying the law is just stupid. Blaming France for abusing said laws to get their way, well, that's something that should be done.

48 minutes ago, Vishera said:

You are ignoring an important detail.

 

It's only for a specific account that was used to commit crime.

They are trying to find the criminal.

 

The moment a crime is committed, the right to privacy and freedom of movement are taken away for good.

 

I hope they catch the criminal.

For a knowledgeable criminal, this revelation with Protonmail is an inconvenience. Use of public wifi points (or simply “borrowing” a poorly secured one) provides a physical dead-end. Devices (both Windows and mobile platforms) have MAC spoofing enabled by default, limiting options for narrowing down a specific device. And via further protection with HTTPS (which conceals web contents), you’re facing the prospect of finding and detaining everyone at that particular hotspot who has used Protonmail. Protonmail can only see the IP, not the MAC address of the specific device. Of course, the browser is also being regularly wiped.
 

Email itself is hardly a secure platform, so important data is likely to be encrypted offline (7-zip is a common application that can do this) before being sent. This forces outsiders into having to perform a brute force attack, the aim being that the password can outlast whatever statute of limitations there is, or your life (whichever comes first).
 

Using a layered approach, you don’t need a government’s blessing to achieve strong privacy, even if something gets compromised in the chain. Thinking the process through is important, though.

But it’s only IP addresses, right? Proton Mail didn’t hand over the email contents to authorities, nor did they unlock the email contents.

4 hours ago, Vishera said:

You are ignoring an important detail.

 

It's only for a specific account that was used to commit crime.

They are trying to find the criminal.

 

The moment a crime is committed, the right to privacy and freedom of movement are taken away for good.

 

I hope they catch the criminal.

They weren't pursuing an actual criminal (IMO) with this order; they were pursuing climate activists catering to high schoolers in France to skip class on Friday to attend protests for climate change. The court forced Protonmail to track freaking activists, not drug dealers, traffickers or even illegal porn distribution, just bloody activists!

 

Now it could be said that promoting civil disobedience is illegal and therefore criminal, but FFS, this is like the least criminal thing they could pursue, and they fucked over a company and its users over this? It's bullshit.

 

No wonder being a journalist covering certain topics puts a target on one's back as if they were a drug dealer.

1 hour ago, AlexGoesHigh said:

Now it could be said that promoting civil disobedience is illegal

As long as the activist doesn't harm anyone physically or mentally, whatever he/she said is supposed to be protected under freedom of speech and expression.


10 hours ago, FakeKGB said:

Unless I'm misreading something, doesn't this mean that this isn't their fault, and instead they were forced to by Swiss law?
It says that ProtonMail was forced to "begin logging", not that they already had logs.

2 hours ago, Fooshi said:

TL;DR: They logged the IP of a certain account because the Swiss government told them to. Otherwise, they don't.

 

Fake outrage.

Doesn't really matter whose fault it is or why they started logging.

The end result is that you can never be sure whether or not Protonmail is logging your activities, and therefore should be treated as logging your activities.

 

 

8 hours ago, RejZoR said:

Also, "enable fingerprinting" is an overstatement. Browsers literally send out an ID string that says what browser is connecting to the webpage. You don't need any fingerprinting; it's right there.

What do you mean "an overstatement"? Just because your browser has a fingerprint does not mean it is used for anything.

It's like saying "what do you mean the police collected fingerprints? Everyone has a fingerprint, so it's right there. What an overstatement to say the police collect fingerprints just because they look at people's fingers and then archive whose fingerprint looks like what".

Yes your browser has a fingerprint, but it's how that data is collected and what it is used for that matters.

 

 

8 hours ago, Taf the Ghost said:

An intelligence agency could log at the intercept points of the nodes.

What do you mean? 

 

 

8 hours ago, Vishera said:

You are ignoring an important detail.

 

It's only for a specific account that was used to commit crime.

They are trying to find the criminal.

 

The moment a crime is committed, the right to privacy and freedom of movement are taken away for good.

 

I hope they catch the criminal.

This is a horrible and extremely stupid opinion to have.

We don't know what crime that has been committed.

We don't know if the person is innocent or not.

We don't know if this has happened more than once.

Even if he is a criminal, this sets a very dangerous precedent that can be abused.

Even if you are a criminal, you have some rights, and they certainly shouldn't be "taken away for good".

13 minutes ago, RejZoR said:

@LAwLz

It's the browser agent. Every browser advertises one.

Fingerprinting is typically more than just the browser agent (since that's fairly useless in and of itself, not unique enough) but I don't get your point. Again, it's like saying "it's a fingerprint, everyone has one".

Like I said before, what matters is what it is used for. In this case, it was logged and stored to track someone. 
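The exchange above turns on whether a User-Agent string already is a fingerprint, or only one input to one. As an added illustration, not code from the original thread and not anything known about what ProtonMail actually collected, the Python below derives a server-side fingerprint from several request attributes and compares how many clients each identifier lumps together. The client records, header values and the chosen attribute list are constructed for the example; a real deployment would use whatever headers and JavaScript-reported values it collects.

```python
"""User-Agent alone versus a combined browser fingerprint (added example).

Nothing here is ProtonMail's code; the client records are constructed,
not captured traffic.
"""
import hashlib
from collections import Counter

# Constructed sample clients: HTTP headers a server sees on every request,
# plus two attributes a page's JavaScript commonly reports back (screen
# size, time zone). Clients 0 and 1 are deliberately identical; clients
# 0 to 3 share one User-Agent string (same browser build on the same OS).
CHROME_WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36")
FIREFOX_LINUX_UA = ("Mozilla/5.0 (X11; Linux x86_64; rv:92.0) "
                    "Gecko/20100101 Firefox/92.0")

SAMPLE_CLIENTS = [
    {"User-Agent": CHROME_WIN_UA, "Accept-Language": "en-US,en;q=0.9",
     "Accept-Encoding": "gzip, deflate, br", "screen": "1920x1080", "timezone": "Europe/Paris"},
    {"User-Agent": CHROME_WIN_UA, "Accept-Language": "en-US,en;q=0.9",
     "Accept-Encoding": "gzip, deflate, br", "screen": "1920x1080", "timezone": "Europe/Paris"},
    {"User-Agent": CHROME_WIN_UA, "Accept-Language": "fr-FR,fr;q=0.9,en;q=0.8",
     "Accept-Encoding": "gzip, deflate, br", "screen": "1920x1080", "timezone": "Europe/Paris"},
    {"User-Agent": CHROME_WIN_UA, "Accept-Language": "en-US,en;q=0.9",
     "Accept-Encoding": "gzip, deflate, br", "screen": "1366x768", "timezone": "America/New_York"},
    {"User-Agent": FIREFOX_LINUX_UA, "Accept-Language": "en-US,en;q=0.9",
     "Accept-Encoding": "gzip, deflate, br", "screen": "2560x1440", "timezone": "Europe/Berlin"},
]

# Attributes folded into the fingerprint, in a fixed order so the hash is stable.
# This list is an assumption for the example, not a documented scheme.
FINGERPRINT_FIELDS = ("User-Agent", "Accept-Language", "Accept-Encoding", "screen", "timezone")


def user_agent_only(client):
    """The 'ID string' every browser sends: a single header, shared by
    everyone running the same browser build on the same OS."""
    return client["User-Agent"]


def fingerprint(client, fields=FINGERPRINT_FIELDS):
    """Combine several attributes into one stable identifier.

    Canonical form is `field=value` lines in a fixed order, so clients with
    the same attribute values always hash the same way. The SHA-256 digest
    is truncated to 16 hex characters (64 bits), enough to tell clients
    apart in any realistic population.
    """
    canonical = "\n".join(f"{f}={client.get(f, '')}" for f in fields)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def anonymity_set_sizes(clients, key_fn):
    """For each client, how many clients in the population share its key.

    A size of 1 means the key singles that client out; larger sets mean the
    key alone cannot separate the client from the others.
    """
    counts = Counter(key_fn(c) for c in clients)
    return [counts[key_fn(c)] for c in clients]


def distinct_keys(clients, key_fn):
    """Number of distinct identifiers the key function yields over the population."""
    return len({key_fn(c) for c in clients})


if __name__ == "__main__":
    print("User-Agent only :", anonymity_set_sizes(SAMPLE_CLIENTS, user_agent_only),
          "distinct =", distinct_keys(SAMPLE_CLIENTS, user_agent_only))
    print("Full fingerprint:", anonymity_set_sizes(SAMPLE_CLIENTS, fingerprint),
          "distinct =", distinct_keys(SAMPLE_CLIENTS, fingerprint))
```

Under the User-Agent alone, four of the five constructed clients are indistinguishable from each other; folding in language, screen size and time zone separates them into four distinct identifiers, with only the two identical clients still colliding. That is the distinction being drawn above: the header is one input, the fingerprint is the combination, and what turns either into surveillance is the decision to store it against a particular account.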

2 hours ago, Vishera said:

As long as the activist doesn't harm anyone physically or mentally, whatever he/she said is suppose to be protected under freedom of speech and expression.

That is IF they have those rights where they are. 
Certainly not in the US so you can't apply US laws/rights in this case.

7 hours ago, captain_to_fire said:

But it’s only IP addresses right? Proton Mail didn’t hand over the email contents to authorities nor did they unlocked the email contents.

No, but in theory there's nothing stopping them from getting email subject lines as well as recipient and sender email addresses, since those aren't encrypted on Protonmail.

I don't see how this is manipulation. They got a court order and have to abide by the law (and law enforcement) just like any other legitimate entity. Yes, I agree that their terms are the classic misleading T&C speak. That, I think, is more the actual issue here: the vagueness. However, did they have, use or hand over logs and information from before the court order? If not, then they haven't broken their promise.

 

Of course they have to abide by a local court order. We citizens need to respect the law and the courts, so what makes people think a company doesn't? Few have the power (and customer base, I guess) of Apple to simply say no to the FBI and whatnot. The question of whether this person did or did not break the law aside, a VPN isn't some magic "I'll help you break the law and hide you from it" button.

 

What may be a bit of a gray area to me is the fact that they do have to notify you that your data is shared, but that that notification "can be delayed":

Quote

Here the company reiterates that Swiss law “requires a user to be notified if a third party makes a request for their private data and such data is to be used in a criminal proceeding” — however it also notes that “in certain circumstances” a notification “can be delayed.”
 

Per this policy, Proton says delays can affect notifications if: There is a temporary prohibition on notice by the Swiss legal process itself, by Swiss court order or “applicable Swiss law”; or where “based on information supplied by law enforcement, we, in our absolute discretion, believe that providing notice could create a risk of injury, death, or irreparable damage to an identifiable individual or group of individuals.”

“As a general rule though, targeted users will eventually be informed and afforded the opportunity to object to the data request, either by ProtonMail or by Swiss authorities,” the policy adds.

So, in the specific case, it looks likely that ProtonMail was either under legal order to delay notification to the account holder — given what appears to be up to eight months between the logging being instigated and disclosure of it — or it had been provided with information by the Swiss authorities which led it to conclude that delaying notice was essential to avoid a risk of “injury, death, or irreparable damage” to a person or persons.
 

https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/

 

11 hours ago, Vishera said:

You are ignoring an important detail.

 

It's only for a specific account that was used to commit crime.

They are trying to find the criminal.

 

The moment a crime is committed, the right to privacy and freedom of movement are taken away for good.

 

I hope they catch the criminal.

Okay, but what if it turns out they're after the wrong guy? Like when SWAT busts into the bedroom of an old married couple instead of the drug den across the street? It happens frequently.

https://reason.com/2015/08/03/swat-team-liable-for-wrong-house-flash-b/

I'm not sure why so many are so surprised by this... I signed up for Protonmail about 3 months ago, and while researching and reading their terms, FAQs, etc., I saw it stated clearly that they do not log IP info by default but will, for specific users, start doing so if required by law, and that the logging starts AFTER the request.

 

Nothing they've done goes against their already stated policies. Yes they changed a couple statements to make it more clear, but this was already a written/communicated policy before this happened.

On 9/9/2021 at 4:55 AM, AluminiumTech said:

Their privacy policies and websites previously didn't state that this was even something that they could be forced to do. People were under the impression that they wouldn't be able to provide logs of any kind and this has been a big shocker for a lot of Protonmail users and non Protonmail users alike.

 

Edit: Also Protonmail didn't explain that it's a lot easier for them to receive legal requests than they led people to believe because legal requests can end up being issued by the Swiss government as a proxy for another country wanting to get information about individuals.

I don't think so, I remember reading exactly this when signing up years ago, as it is required by law...

 

There is no "privacy" on the internet; it was never designed to be private either.

 

 

You do have a point that what they're advertising and what they are required to do, by law, is somewhat misleading, even if they tell you about it in the *fine print*.
