Update: On May 15, 2024, we made some minor adjustments to clarify statements concerning the nature of Proton's involvement in the case.
Last week's news of Proton Mail disclosing a user's recovery email to the Spanish police that was used to identify and arrest a pro-Catalan protester is likely to have unsettled activists in Europe and beyond.
Proton Mail is an encrypted and secure email app and is hugely popular among journalists and dissidents alike who stand by the company's promise to protect their privacy. However, as part of a terrorism investigation, the Swiss-based privacy firm was required by law to hand over the recovery email address of the Democratic Tsunami's activist to the Guardia Civil.
This recovery email address was an Apple iCloud address, and Apple then handed over identifying information connected to this account to law enforcement. Had the activist not used a recovery email with their Proton Mail account, no other data would have been available for Proton to hand over.
Talking to TechCrunch, Proton spokesperson Edward Shone said: "Proton has minimal user information, as illustrated by the fact that in this case, it was data obtained from Apple that was allegedly used to identify the terrorism suspect."
It's worth mentioning that the firm's other products—including Proton VPN, which features in TechRadar's best VPN guide—were not affected by this incident, as they are not governed by the same BÜPF legislation around telecommunications.
However, considering this isn't the first time Proton has been compelled to release user data to law enforcement, discussion has flared up concerning the limitations of encrypted apps.
So, is Proton Mail still a safe choice for activists? Well, this very much depends on how you use the platform. I have contacted Proton for comment and am waiting for a reply at the time of publishing, so here is everything we know.
Beware of metadata
As I mentioned above, Proton Mail is one of the go-to email providers for journalists, human rights defenders, protesters, and any other user who might be the target of online surveillance. That's because Proton Mail seeks to minimize the personal data the company can access by encrypting users' communications.
Encryption refers to the process of scrambling data into an unreadable form. As the company explains in a blog post, emails sent between Proton Mail users are always end-to-end encrypted, meaning that the system uses cryptographic keys to encrypt the data on the sender's device and decrypt it only when it reaches the intended recipients. Zero-access encryption is also applied to messages you store on Proton's servers, while TLS encrypts your emails in transit.
All this means that Proton, for instance, won't be able to share the content of emails you send or receive because the company itself cannot access it. This is also true for all your stored messages.
The issue is that encryption does not guarantee anonymity. Proton is one of the more transparent privacy providers and does not make outlandish claims on its website. However, it still has access to some identifiable information, known as metadata, including email addresses and IPs. Police officers know that and they are used to force companies to hand these details over to them.
Let's take a closer look at the Spanish case. As court documents obtained by TechCrunch reveal, the Guardia Civil sent legal requests through Swiss police to Wire, a Swiss encrypted messaging platform, and Proton. Wire shared the email address the suspect used to sign in for its service—a Proton Mail one.
Proton had just one, albeit valuable, piece of information related to that account: an iCloud email address used as a recovery email. From here, Apple provided the Spanish police with all the details to successfully identify the pro-Catalan protester, meaning their full name, two home addresses, and a linked Gmail account.
"Proton provides privacy by default and not anonymity by default," Shone stated, "because anonymity requires certain user actions to ensure proper [operational security], such as not adding your Apple account as an optional recovery method, which it appears was done by the alleged terror suspect."
He also added: "Proton does not require a recovery address, but in this case, the terror suspect added one on their own. We cannot encrypt this data as we need to be able to send an email to that address if the terror suspect wishes to initiate the recovery process."
Everyone hating on @ProtonPrivacy and saying to cancel subscriptions is missing the point entirely.This case actually proves how powerful Proton Mail is, not the opposite. Europol brought a court order to Proton, and the most Proton could provide was the user's recovery email… pic.twitter.com/kuvTc0jqfeMay 7, 2024
Other commentators (see the tweet above) took Proton's defense on the matter, reiterating the fact that while no company is willing to go to jail for you, "all companies should limit the info they have on users like Proton has done."
Meanwhile, according to Eva Galperin, the Director of the digital rights advocacy group Electronic Frontier Foundation, the incident is a stark "reminder that metadata matters."
What's certain is that this is the umpteenth example shining a light on the limitations of secure and encrypted apps to fully protect people's anonymity when law enforcement gets involved. For instance, according to Proton's transparency report, the company received only 6,378 legal orders in 2023. The team successfully contested 407 of them, but it had to comply with 5,971.
Worse still, these incidents might become even more widespread as legislators seek to give even more powers to law enforcement. The UK, for instance, is one of the countries looking to boost digital surveillance in 2024.
Steps to take to improve your anonymity
While Proton's case highlights the complex net of law enforcement's powers and companies' duties, it also reiterates a simple fact: using an encrypted app isn't enough to be private online.
As there are online threats that a virtual private network cannot protect you from, a privacy-first email or messaging service won't be able to hide all your digital traces, especially from authorities.
Therefore, if you're an activist, journalist, or another user at high risk of government surveillance, we strongly recommend taking further steps to boost your online anonymity. These include:
- As the Proton incident has just taught us, never link any recovery emails or phone numbers that can directly circle back to your real identity. We advise creating alternative accounts or using burner phone numbers instead, for an extra layer of anonymity.
- It's also advisable to use a secure VPN service every time you access your email or messaging app. NordVPN and Mullvad are my top recommendations when it comes to security.
- While Proton offers a full privacy suite—this includes email, VPN, Drive, Calendar, and password manager—you might want to consider using different providers for each security software to avoid your activities across these tools somehow being linked.
- Opt for an anonymous form of payment to further minimize the personal details you'll share with the provider. Proton Mail, for instance, accepts Bitcoin and even cash.
- Last but not least, consider using also the Tor browser together with your VPN service in case of high risk of surveillance.
