ProtonMail has eliminated “we don’t hold IP logs” from its privateness coverage


Enlarge / ProtonMail offers end-to-end encryption and a clear focus on privacy for its email service – which offers a user interface pretty similar to mainstream services like Gmail.

This weekend it became known that the anonymous e-mail service ProtonMail, which focuses on security / data protection, has disclosed the IP address and browser fingerprint of a French climate activist to Swiss authorities. This move apparently violated the policy of the well-known service, which as recently as last week said that “by default we do not keep IP logs that can be linked to your anonymous email account”.

After ProtonMail provided the activist’s metadata to the Swiss authorities, ProtonMail removed the section that had promised no IP protocols and replaced it with one that said, “ProtonMail is a privacy-respecting email Put people (not advertisers) first. “

No logging “by default”

  • The phrase “by default” did a lot of work on the old ProtonMail front page.

  • The new snippet “Your data, your rules” offers a much less specific guarantee for data protection and highlights the optional Tor onion network service from ProtonMail.

As usual, the devil is in the details – ProtonMail’s original policy was simply that the service did not keep IP logs “by default”. However, as a Swiss company itself, ProtonMail was obliged to comply with an injunction issued by a Swiss court requiring the IP address and browser fingerprint information to be logged for a specific ProtonMail account.

This account was run by the Paris section of Youth for Climate, which Wikipedia describes as a Greta Thunberg-inspired movement that focuses on students who skip Friday classes to participate in protests.

According to several statements by ProtonMail on Monday, the company was unable to contest the Swiss request for IP logging for this account. The service could not be called because a Swiss law had actually been violated and because “legal remedies for serious crimes” were used. ProtonMail believes the tools were not appropriate for the case at hand, but the company was legally responsible for complying with their use.

Break out your Tor browser

In addition to removing the misleading (if technically correct) reference to its “standard” logging policy, ProtonMail promised to highlight activists’ use of the Tor network. The new “Your Information, Your Rules” section on the ProtonMail front page links directly to a landing page that gathers information about using Tor to access ProtonMail.


Using Tor to access ProtonMail can accomplish what ProtonMail itself does not legally prohibit: obfuscating its users’ IP addresses. Because the Tor network itself hides the users’ network origin before packets ever reach ProtonMail, even a valid subpoena cannot get this information out of ProtonMail – because the company never gets the data.

It’s worth noting that the anonymity offered by Tor is based on technical means, not guidelines – a situation that could serve as a textbook example of a double-edged sword. If a government agency or other threat can compromise Tor nodes that your traffic is routed through to trace its origin, there is no policy preventing that government from doing so – or using that data for law enforcement purposes.

ProtonMail also operates a VPN service called ProtonVPN, pointing out that Swiss law prohibits the country’s courts from forcing a VPN service to log IP addresses. In theory, the Swiss court could not have forced the service to reveal its “real” IP address if Youth for Climate had used ProtonVPN to access ProtonMail. However, the company seems more inclined to recommend Tor for this specific purpose.

There is only a limited amount that an email service can encrypt

ProtonMail also carefully points out that, although the user’s IP address and browser fingerprint were recorded by Swiss authorities on behalf of Interpol, the company’s guarantees for the privacy of email content were not breached.

The service uses end-to-end encryption and deliberately does not have the necessary key to decrypt a user’s email text or attachments. In contrast to the collection of the source IP address and the browser fingerprint, it is not possible to collect this data simply by changing a configuration on the company’s own servers.

Although ProtonMail can itself encrypt the email text using keys that are not available to the servers processing them, the SMTP protocol requires that the email sender, email recipient, and time stamps the message from the server are accessible. Accessing the service through Tor or a VPN can help obscure IP addresses and browser fingerprints, but the service can still be legally forced to provide any of these fields to Swiss law enforcement agencies.

In addition, email subject lines could also be encrypted without violating the SMTP protocol, but in practice the ProtonMail service does not, which means that the competent courts can force the service to provide this data.

Listing image from ProtonMail