Hey guys,

Please see below an extract from a news article from The Register, outlining how Proton Mail is in hot water again for sharing sensitive user data with law enforcement.

___

INFOSEC IN BRIEF Encrypted email service Proton Mail is in hot water again from some quarters, and for the same thing that earned it flak before: Handing user data over to law enforcement.

Proton, which offers several services it touts as being secure and safe, includes an end-to-end encrypted email product. Ostensibly designed for the privacy conscious, Proton claims to be unable to read the content of email and attachments, be free of trackers and ads, and have the “highest standards of privacy.”

Be that as it may, there is still user info Proton has access to and can be pressured to divulge. In 2021, the Switzerland-based vendor provided Swiss police with the IP address and device details of a netizen the cops were trying to identify. That individual – a French climate activist – was later arrested after Proton shared the same data with French police.

Shortly after that kerfuffle, Proton removed the claim that it didn’t track user IP addresses from its website. Proton has also previously been accused of offering real-time surveillance of users to authorities.

In this latest instance, Proton handed over an account’s recovery email address information to Spanish police concerning a suspect believed to be supporting Catalonian separatists. Spanish cops handed the recovery address to Apple, which was reportedly able to identify the individual associated with the account.

Proton told advocacy outfit Restore Privacy it was well aware of the case, but its hands were tied under Swiss laws against terrorism.

“Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect,” a Proton spokesperson protested. “Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method.”

When we reached out to Proton it directed us to a Twitter thread from its CEO Andy Yen, in which he says much the same.

To paraphrase Chen: Sure, your email is secure, but whatever we know about you that isn’t encrypted end-to-end is fair game when the government hands us a subpoena.

____

You can draw your own conclusions.

All the best,

Stephen