This weekend, news broke that the anonymous email service ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities. The move seemed to contradict the company's own privacy-focused policies, which as recently as last week stated, "By default, we do not keep any IP logs which can be linked to your anonymous email account."
After providing the activist's metadata to Swiss authorities, ProtonMail removed the section that had promised no IP logs, replacing it with one saying, "ProtonMail is an email that respects privacy and puts people (not advertisers) first."
No Logging ‘By Default’
As usual, the devil is in the details—ProtonMail's original policy simply said that the service does not keep IP logs "by default." However, as a Swiss company, ProtonMail was obliged to comply with a Swiss court's demand that it begin logging IP address and browser fingerprint information for a particular ProtonMail account.
That account was operated by the Parisian chapter of Youth for Climate, which Wikipedia describes as a Greta Thunberg-inspired movement focused on school students who skip Friday classes to attend protests.
According to multiple statements ProtonMail issued on Monday, it was unable to appeal the Swiss demand for IP logging on that account. The service could not appeal both because a Swiss law had actually been broken and because "legal tools for serious crimes" were used—tools that ProtonMail believes were not appropriate to the case at hand, but which it was legally required to comply with.
Break Out Your Tor Browser
In addition to removing the misleading if technically correct reference to "default" logging policy, ProtonMail pledged to encourage activists to use the Tor network. The new "Your Data, Your Rules" section on ProtonMail's front page directly links to a landing page aggregating information about using Tor to access ProtonMail.
Using Tor to access ProtonMail may accomplish what ProtonMail itself legally cannot: the obfuscation of its users' IP addresses. Since the Tor network hides a user's network origin prior to packets ever reaching ProtonMail, even a valid subpoena can't get that information out of ProtonMail—because it never receives it in the first place.
It's worth noting that the anonymity offered by Tor relies on technical means, not policies—which could be a double-edged sword. If a government agency can compromise Tor nodes that traffic passes through so as to track its origins, there is no policy preventing the government from doing so—or from using that data for law enforcement purposes.
ProtonMail also operates a VPN service called ProtonVPN, and it points out that Swiss law prohibits the country's courts from compelling a VPN service to log IP addresses. In theory, if Youth for Climate had used ProtonVPN to access ProtonMail, the Swiss court could not have compelled the service to expose its "real" IP address. However, the company seems to be leaning more heavily toward recommending Tor for this particular purpose.
There’s Only So Much an Email Service Can Encrypt
ProtonMail is also careful to point out that, although its user's IP address and browser fingerprint were collected by Swiss authorities acting on behalf of Interpol, the company's guarantees of email content privacy were not breached.
The service uses end-to-end encryption and deliberately does not possess the key necessary to decrypt a user's email body or attachments. Unlike the source IP address and browser fingerprint, collecting that data is not possible simply by changing a configuration on the company's own servers as demanded by a court order.
Although ProtonMail can and does encrypt the email body itself with keys unavailable to the servers processing them, the SMTP protocol requires the email sender, email recipient, and message timestamps to be server-accessible. Accessing the service via Tor or a VPN may help obscure IP addresses and browser fingerprints, but the service can still be legally compelled to provide any of those fields to Swiss law enforcement.
In addition, email subject lines could be encrypted without breaking the SMTP protocol—but in practice, ProtonMail's service does not do so, which means the relevant courts may compel the service to provide that data as well.
This story originally appeared on Ars Technica.