Proton Mail Discloses User Data Leading to Arrest in Spain

Unfortunately, we don’t live in a world where only criminals, terrorists, etc. are monitored, arrested and put under pressure.
Journalists, activists and whistle-blowers suffer the same.

5 Likes

Full disclosure - I’ve been using Proton as my primary email provider for more than a year at this point, so I am going to be biased in their favor. Having said that, this seems like an issue of bad OPSEC and someone not fully understanding what their threat model actually is. Not even getting into the whole “morality vs legality” angle, but this person knew well enough that their government would find their actions to be objectionable that they willingly chose an email provider that markets itself as being a private solution, but took no additional measures to actually preserve their privacy past that.

First of all, the fact that they’re choosing email of all things to communicate about things their government considers terrorism is an awful choice. There’s already an excellent article in the Privacy Guides knowledgebase that explains this much more eloquently than I ever could, but email is an inherently insecure medium, and something like Signal would’ve been a much better choice for secure E2EE communications. In this vein, I am fully confident that any other private email provider, such as Tuta or Mailbox.org, would provide similar information if given a lawful court order. But let’s say that the people this person was communicating with just refused to use anything other than email for some reason, and a secure email platform like Proton was the best choice.

Issue two: this person set a recovery email that linked directly to an Apple ID that was linked to their actual identity. Realistically, this is a mic drop moment. For someone giving correspondence to an organization that their government considers terrorists, this is inexcusably negligent. Even for the mandatory verification email upon account signup, which is not the same as an optional recovery email, there are temporary mail services such as 10 minute mail that could be used for this purpose. Of course, we could easily make the argument that Proton should encrypt this information, but realistically this shouldn’t have been an issue at all because the recovery email is voluntary additional information. This person’s email should’ve been treated like a burner account, and linking PII to a burner account is, again, inexcusably negligent.

We could get even more granular, talking about the importance of using a trusted VPN or Tor, using the email itself on burner devices, etc. But in the end this is really just a massive OPSEC failure. In a perfect world Proton wouldn’t be legally obligated to give out information to potentially hostile governments, but Proton is a business at the end of the day, one that is primarily designed for people who want a privacy-respecting Gmail alternative that doesn’t scrape their personal emails for information to sell to advertisers. They won’t go out of their way to protect you if the Swiss courts decide that you’ve done something illegal.

5 Likes

Well, I do think it is notable that Tuta does not have the option for a recovery email (AFAIK). While you were careful not to be specific to this scenario, the outcome may have been different at Tuta. I could entirely see an end user not understanding why their recovery email does not have the same protections their emails do.

5 Likes

Statement update from Proton

We are aware of the Spanish terrorism case involving alleged threats to the King of Spain, but as a general rule we do not comment on specific cases. Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect. Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order, as terrorism is against the law in Switzerland.

2 Likes

The time that email services were shutting down just to protect their users is over. (see Lavabit)

Now it is just the time to protect their business model.

I am sad to say this because email is one of the few things left of the good old decentralized internet, but ppl should just better use any encrypted messenger instead.

2 Likes

If all companies would be like Lavabit, NSA & friends would just have to send one request to whatever company they don’t like to do business anymore. Good times.

12 Likes

So all private email providers should not follow the law and get shut down until only Gmail and other providers are left who do follow the law? Great strategy.

5 Likes

Say it with me class…

“Your service provider isn’t responsible for your opsec and your ignorance of their documented unencrypted metadata isn’t their problem”

13 Likes

They used to require phone verification if you register Proton Mail with a VPN or Tor.

1 Like

You don’t really need to shut down the company, you can fight it in court like OVPN or just not have any logs on your servers like Mullvad.

1 Like

The main issue with Proton Mail is its base: Switzerland does have mandatory data retention for emails.

They removed Monero and cash as payment options: Update to Accepted Payment Options | OVPN.com

1 Like

Tuta is my Proton recovery email and Proton is my Tuta recovery email.
Thus creating a self-referencing loop.

I’ve set up 4 accounts. 2 this year and no phone #'s were needed.

Best way to use private tools: not doing criminal things. That is, simple as that. They are companies, the law applies to them, what do you expect? Do you expect the CERN scientists to go to jail because someone is doing bad things with an email account?

No, that’s false, they ask for email, no phone.

1 Like

Maybe I am misinterpreting what you are implying here, but it sounds like you are saying you feel it would’ve been a better outcome if Proton completely shut down and ended service for all users like Lavabit did rather than complying with a court order to share with LEO a voluntarily provided and optional recovery e-mail for a single user being investigated for an alleged serious crime?

This is not at all comparable to the Lavabit case. I have a lot of respect for Ladar Levison (Lavabit’s founder) for standing up for his values and his users, even when it harmed (killed) his business. But in that case, what he was being forced to do would’ve undermined the privacy and security of all users (and probably still killed his business eventually); shutting down wasn’t just the principled choice, it was also the least-worst practical choice. That is not at all the case in this Proton scenario, and Proton and most other reputable private email services that came after Lavabit have been specifically engineered to prevent situations like what happened to Lavabit, in large part due to lessons learned from the Lavabit case.

It seems downright crazy to me to talk about literally shutting down Protonmail for everyone as if it is the more moral choice, compared to minimally complying with a court order to share one piece of info on one individual which the individual could’ve just not provided to proton in the first place or used a burner e-mail address.

A VPN is not E-mail. These are very different contexts. A recovery e-mail couldn’t be used for account recovery if Proton didn’t keep record of it. Remember, this is an optional feature used for account recovery, not just information that Proton arbitrarily and unnecessarily holds on to.

6 Likes

To be completely fair, there are good arguments against Proton’s behavior here.

  1. They don’t make it clear anywhere during the process to add a recovery email how that data is stored. It is not unreasonable for a non-tech person to assume everything is encrypted at an encrypted email service, so Proton is not helping people make good opsec decisions.

    Even a simple line like “share a recovery email address with Proton” would be an improvement. “Set account recovery methods” is less obvious.

  2. Proton uses dark patterns to get people to add a recovery email to their account. The statement they published after this story broke makes it sound like adding a recovery email is an exception to their “privacy by default,” when in fact they really push for having a recovery email to be the norm.

None of this changes anything about Proton’s service and how good it is, but all products can be improved.

11 Likes

It’s the same story as for the French activist, they’ve gone from “we don’t record your IP address” to “at the request of the authorities, we record”.

Proton is still fooling people, they could have specified that the recovery email address is not encrypted and can be communicated, just like the phone number for that matter, it’s all ambiguous.

1 Like

No need to shut down, just remove the word “private” when you promote your service or limit the metadata you store in case you need to provide info to law enforcement, like what Signal does for example.

1 Like