When you sign up for a free email account, that service comes at the cost of your privacy. Agreeing to the terms and conditions means your provider can track as much as they want, from financial records to private messages. Tap or click here to find out how much your email provider is collecting on you.
If you want to avoid this type of invasive surveillance, you may look for email providers that prioritize privacy. For a long time, ProtonMail has been considered one of the safest email providers around. Many users believed it didn’t keep user records.
Recently, the company handed over sensitive customer information to French law enforcement officials following a legally-binding request. This leaves customers wondering how this is possible.
Many activists, journalists and privacy experts use ProtonMail for its end-to-end encrypted services. If you’re not familiar with encryption, it’s a security tool that disguises the content of your messages.
This way, creepy third parties can’t peek through your private emails. Only someone with a specific digital code can open the emails you send.
People who seek anonymity have flocked to ProtonMail in the past. That’s because it does not collect IP addresses by default. But the fact that Swiss law compelled it to reveal this data to authorities has users concerned.
“By default, we do not keep any IP logs which can be linked to your anonymous email account,” its website used to say. According to MSN, the company reworded this section of its website.
ProtonMail U.S. Communications Manager Matt Fossen said the company made these changes for clarity. “It quickly became apparent that a lot of people didn’t understand what we meant, so we made some website changes to make things clearer,” he said.
While investigating a climate activist, French police found their email address, which was with ProtonMail. Officials told ProtonMail to cough up the IP information behind this address. That led to multiple arrests.
In a blog post, ProtonMail CEO and founder Andy Yen explains that his company’s hands were tied. “Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.”
Electronic Frontier Foundation’s director of cybersecurity Eva Galperin told the Daily Beast that when a service says privacy-first, people often skip over reading details in the terms of service.
“If you take a look at ProtonMail’s marketing and advertising, you will see that they advertise themselves as a privacy protecting mail service … they make a very big deal out of the fact that they don’t log IPs,” Galperin told The Daily Beast.
That claim has now been removed from ProtonMail’s website. According to the policy, the company may share the following with Swiss authorities: last login time, email address, subject lines, sender or recipient email addresses, and IP addresses of incoming messages.
Fossen says ProtonMail “fights very hard against requests that we feel are inappropriate or invasive.” You can see a running list of such requests here.