
Advertisement [1]:

> Unlike competing services, we do not save any tracking information. By default, we do not record metadata such as the IP addresses used to log into accounts.

Notice the sneaky "by default" :)

Reality [2]:

> In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law.

Can the Swiss judiciary ask ProtonMail to serve a different version of the website to a specific user account, which sends the cleartext to a remote server?

[1] https://protonmail.com/security-details

[2] https://protonmail.com/blog/transparency-report/




What exactly should ProtonMail have done in this case? Refuse to comply with the court order?

Not defending ProtonMail's actions mentioned in the topic, only puzzled why you seem so surprised in your comment.


Yes, refuse and take it to a higher court. The laws protecting privacy and these surveillance laws contradict each other. The large providers in Switzerland are staying quiet but eventually will need to deal with this fact, and laws will need to be changed.


"Yes, refuse and take it to higher court."

This is in fact what ProtonMail has done on multiple occasions when we believe an order to be in error.


That sounds great in theory, but in practice, you really start to question how far you'll go for your client when there are clear indications that something illegal is happening.


Presumably to not hang advertising on the back of a feature they can't really provide is the other side of that coin.

I wonder if they could do something like the canaries we see in other legal respects (not a lawyer); log in and get an account-specific banner in your inbox telling you they've never enabled IP logging for your account.


> get an account-specific banner

Can a canary work with that much specificity?

I might be very wrong here but I thought canaries were legal because they were generalized. A specific person couldn't be alerted that they were a target, they'd just know someone using the service was a target.


> I thought canaries were legal because they were generalized.

The theoretical legal basis is typically that the government can't compel you to speak against your wishes, or at least can't compel you to lie.

That said, this is untested and controversial, and many lawyers believe that the discontinuation of a warrant canary could be interpreted as a violation of the gag order. Courts often frown upon technical workarounds, and interpret around them.


> Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.[1]

[1] https://protonmail.com/blog/transparency-report/


Yes. Additionally they should design their architecture in such a way that means they are unable to comply.


I don't know how you can design an email server so that the metadata can't be read by the email server.


Ask Lavabit how that worked out for them.


Lavabit had access; they were shut down when they refused to share the encryption keys with law enforcement. The only legal way around this in the US is to host your own email and encrypt everything at rest. As an individual you aren't obligated to reveal passwords the same way a business would be in this case.

It might be an interesting idea to build a system that decrypts a small email server per user using their login credentials; they interact with that system only and forward mail to the provider MTA for sending. There are still leaks here, and the provider could be compelled to reveal the user key to law enforcement, but the data would only be visible until after the user is authenticated.


> Refuse to comply with the court order?

Was there a court order? I was under the impression there was not.


I admittedly assumed that, as the grandparent comment spoke of a judicial order. However, the linked page indicates that in some cases they have indeed complied with mere requests by authorities as well.


When you sell such a sensitive product, which could be used for example by Swiss account tax evasion whistleblowers, maybe you should disclose on the front page that you can be compelled to log IP addresses and advise users to plan around that.


From ProtonMail's website:

> In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities. Under no circumstances will ProtonMail be able to provide the contents of end-to-end encrypted messages sent on ProtonMail.

To be fair, I don't know if this provision was added after they had reported the instance in their transparency report.

However, I think at some point the customer should use a bit of common sense. Anyone who believes that a government may compel a company to start IP-logging their mail should be considering that in their threat model when they are looking for an e-mail provider. I don't think it needs to be plastered on the front page, especially not with advice on how to circumvent government authorities' lawful requests.


"Can the Swiss judiciary ask ProtonMail to serve a different version of the website to a specific user account, which sends the cleartext to a remote server?"

No, this is not permitted by Swiss law.

"Notice the sneaky "by default" :)"

There is nothing sneaky about this. There is a feature to enable logging that users can turn on: https://protonmail.com/support/knowledge-base/authentication... However, this feature is off by default.


Source in Swiss law?

'By default' is of course legalese. If a user can turn on the IP logging feature, you can too. And you did in at least one case according to your own transparency report:

'In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.'

https://protonmail.com/blog/transparency-report/


Your latter example seems legitimate. I think there is a clear difference between complying with a judicial request/order about a specific user and enabling logging by default. If one wants more than that, then one better own the bare metal of a mail server. In any case, I expect legitimate companies to comply with the law.



