By Aihik Sur and Aroon Deep
Switzerland-based ProtonMail, which claims to be the world’s largest secure email service, complied with a legal request from Europol through Swiss authorities to provide information about activists in France which led to their arrests. This was confirmed by ProtonMail’s founder Andy Yen. The development has sparked off a debate on social media platforms with many ProtonMail users criticising the email service provider for divulging the very details that it claims to safeguard against authorities.
Background: The activists who were arrested were involved with the green movement launched by activist Greta Thunberg and Youth For Climate, involving 130 local groups in France. The NGO has been organising, what it calls, environmental strikes. Recently, it has been protesting against evictions in Maison du Peuple in Nantes, where homeless and those in exile regularly take refuge, a press release by Youth For Climate said.
According to Secours Rouge, a charity founded in France in 1920, the recent arrests revolve around anti-establishment protests held in 2020 and this year.
“During the investigation, the police focused on the collective “Youth For Climate”. In particular, they were able to use photos published on Instagram, even if they were blurred because of the clothes. The police also noticed that the collective communicated via a protonmail email address. They therefore sent a requisition (via EUROPOL) to the Swiss company managing the messaging system in order to find out the identity of the creator of the address. Protonmail responded to this request by providing the IP address and the fingerprint of the browser used by the collective — Secours Rouge said in a post translated to English.
ProtonMail, like the encrypted messaging service Signal, is one of the few Internet services which advertises absolute privacy from both hackers and government agencies. However, in this case, ProtonMail caved to the authorities’ demands which led to the arrests of the activists.
What does the police request say?
Onestla.tech shared a copy of the alleged police request made to ProtonMail. MediaNama has not been able to independently verify the contents of the request. We have reached out to ProtonMail for a response in regards to the issue, and this report will be updated when we receive a response.
— onestla.tech (@OnEstLaTech) September 5, 2021
We translated a copy of the request made by the Officier De Police Judiciaire and this is what it says —
- French Police had given a request of requisition to Proton Mail. They received a reply on January 26, 2021, asking them to channel their request through Interpol or Europol.
- The request was then sent to the Paris Police Prefecture tasked with international cooperation who then forwarded the request to Europol
- Europol then “informed us that the email address was created (redacted). The IP address associated with the account is as follows (redacted)”
Will continue to challenge unjustified government requests: ProtonMail founder
The police request and ProtonMail’s subsequent compliance in this regard drew a lot of criticism from Internet users.
What's clear is that @ProtonMail just sells lies.
— Soufiane Tahiri (@S0ufi4n3) September 5, 2021
Responding to such criticisms, and thus confirming the allegations made, Andy Yen, the founder and CEO of Proton Mail said that it had to comply with Swiss criminal investigations and that it was legally forced to do so.
“In this particular case, the suspect unfortunately did break Swiss law, and there was simply no possibility to fight the decision made by the Swiss Federal Department of Justice,” Yen said while justifying the information disclosure. He also added that since the order came from the Swiss Federal Department of Justice, there was no scope of making an appeal.
Some thoughts on the French "climate activist" incident. It's deplorable that legal tools for serious crimes are being used in this way. But by law, @ProtonMail must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.
— Andy Yen (@andyyen) September 5, 2021
However, Yen refuted criticisms that ProtonMail “was not fighting for users” and said, “Protecting the privacy of all users is important to us – we’re also activists at heart. To those that say we don’t fight for, it simply is not true. In 2020 alone, we fought over 700 cases.”
However, our commitment to fighting wherever we can remains unchanged, and we will continue to challenge unjustified government requests.
— Andy Yen (@andyyen) September 5, 2021
IT Rules mandate compliance to govt requests in India
India’s Information Technology (Intermediary Guidelines and Digital Ethics Code) Rules 2021, mandates social media intermediaries to:
- Identify originator of a message: Social media companies with more than 5 million registered users in India to enable traceability of message originators on their platforms.
- Proactively identify and take down content: This includes content moderation (through automated mechanisms) of posts that are defamatory, obscene, pornographic, paedophilic, invasive of privacy, insulting or harassing on gender, and other types.
- Publish periodic compliance reports: These reports should be published every month and have details of complaints received, action taken, and “other relevant information”.
- Disable content within 36 hours of government order: The Rules also ask intermediaries to provide information for verification of identity or assist any government agency for crime prevention and investigations no later than 72 hours of receiving a lawful order. They also have to preserve records of disabled content for 180 days, and so on.
It is important to note that when it comes to identifying the first originator of a message, which in parts is similar to what ProtonMail did for the European authorities, end-to-end encryption messaging platform WhatsApp has taken the Indian government to the court challenging the IT Rules. Signal, another end-t0-end encryption messaging platform, has not yet complied with the IT Rules.
- Twitter invests in Sharechat’s $100 million Series D funding round; Sharechat’s policy position on online platform regulation
- NITI Aayog proposes self-regulation of fantasy sports platforms
- Delhi HC dismisses petition seeking licensing and regulation of OTT platforms
Have something to add? Post your comment and gift someone a MediaNama subscription.