Is ProtonMail Trustworthy?


Today I was reading an article about a hacker kid who made fake bomb threats and ran a DDoS-for-hire group that attacked ProtonMail servers at least once. He was also a ProtonMail user.

The Problem

It turns out ProtonMail, my encrypted mail service of choice (and VPN), colluded w/ government(s) to catch him.

ProtonMail got angry because he was fsking with them, too.

I'm all for them going after anyone who messes w/ them, but I'm not sure how I feel about working with government(s) to do it, especially considering it seems like they handed over some information related to what they knew about him.

So, I sent ProtonMail an email:

Hey there I was just reading an article about how ProtonMail helped catch some hacker that was causing trouble. The article mentioned that ProtonMail said

"Our mission is to bring privacy, security, and freedom of information to citizens around the world. However, this does not extend to protecting individuals who are engaged in criminal activities. That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law."

I'm concerned about the bit about "crime". I don't plan on committing any crimes, but my concern is not now but the future. What happens if an unjust law is instated in the U.S.A.? With the way things have been going it concerns me that some day something as innocuous as simply attending a protest could become a crime.

How do I know ProtonMail will have my best interests at heart if a government instates unjust laws?

Thanks for your time.

What We Found

Our friend and frequent collaborator J did some digging.

I actually went back through ProtonMail's privacy policy a few times. They straight up say in there if you are EFFing with them, they will take you out. This dude was. They also have a WARRANT CANARY page where they put up what info they can about how they react. There are several cases where they have colluded, others where they haven't. Case-by-case international law crap. Sheesh...

>> ProtonMail transparency report <<

Here were some of his favorite excerpts:

In August 2017, we received a request for assistance from the government of Turkey that was passed to us through the Swiss Federal Police. We rejected the request on account of the Turkish government's human rights record and will take the case to Swiss courts if the Turkish government files for an international proceeding.
In January 2018, we received two requests for assistance from US law enforcement, regarding bomb threats made with ProtonMail. We rendered assistance to Swiss law enforcement working on this case without having yet received a court order, but with the understanding that an approved court order was on its way to us. Update: The court order was indeed received soon after we rendered assistance.
In March 2018, we received a police request from Austria involving a politician who was accused of sexual harassment. The authorities are trying to identify the person who reported the accusation. Since the person who made the report is likely entitled to certain privacy protections, we have rejected the request even though it was approved by a Swiss court, and have requested that the Geneva prosecutor's office review the facts of the case again and provide Proton legal with additional information.

J also outlined each one for simplicity while we analyze:

  1. [some government] wants info, PM don't like their [history] and said "No." They will go to court if needed.
  2. [some government] wants info, went to Swiss law enforcement first. PM said "Yes." even before a court order was in place.
  3. [some government] wants info, went to Swiss law enforcement first. PM said "No." even though court said to do it.

The ProtonMail Privacy Policy says:

IP Logging: By default, ProtonMail does not keep permanent IP logs. We also don't record your login IP address unless this feature is specifically enabled by the user. However, IP logs are sometimes kept to combat abuse and fraud, and your IP address may be retained if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against ProtonMail infrastructure, brute force attacks, etc).

...and...

The Company is domiciled in Switzerland and all data storage infrastructure is also located solely within Switzerland, and thus governed by the laws and regulations of Switzerland.

At least we know they acted in accordance with their privacy policy. We can't say they caught us by surprise here. It's in the policy. They did not betray anyone, so to speak.

But, something still doesn't feel right.

If you have an account with ProtonMail, they can't read the content of the mail stored in your mailbox: it is encrypted client-side, so their servers only ever hold ciphertext for it. (Mail arriving from outside senders who don't use PGP reaches their servers in the clear and is only encrypted once it lands, so "can't see your content" holds for what is stored, not for every message in transit.) What stays visible to them is the metadata around that content, including the IP logs the privacy policy above says they keep when they suspect abuse. However, J pointed out that they could also just delete your account.

Like I said in the email, I'm not concerned w/ right now but I am concerned with the possible future. Where is the line drawn? And is it drawn clearly?

J pointed out:

Looking at their warrant canary page, it is super fuzzy!

I mean, what happens if sending encrypted email becomes illegal in the US?

They have _some_ IP logs (although not permanent). Would they give those up?

Like a digital prohibition.

Opinions

These are scary times, which is why I've been working on decentralizing and encrypting everything I can.

I just don't trust where this is all headed, and I would rather have it and not need it than need it and not have it.

I will update if/when I hear back from ProtonMail.

Update:

Here's the canned response I got from ProtonMail:

Please note that all user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and corporations. As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.

You can read a more detailed explanation in the following article: https://protonmail.com/blog/switzerland/.

Our Verdict:

For now, ProtonMail is fine as long as you don't fsck with them yourself. If you do, you probably deserve whatever you get.