• The Swiss messaging company Protonmail, which has built its reputation on the protection of the privacy of its customers, confirmed having transmitted to the Swiss authorities the IP address of one of its users, an activist for the climate, as part of a French judicial inquiry.

  • International cooperation agreements ratified by both Switzerland and France have forced the company to respond to this request.

  • The company defended itself by explaining that it could not know the identity of this user or his status as a climate activist.

This is an ad that encrypted email company Protonmail would have done well.

Monday, September 5, the site of the communist organization "Secours rouge" revealed that this company, based in Switzerland, had delivered the IP address, that is to say the identification number of the computer of one of its users, to the Swiss authorities.

This client, a climate activist, is now in the sights of French justice.

Confirmed by Protonmail, this information aroused the misunderstanding of many Internet users.

Created in 2013, this company has indeed built its reputation on a promise of respect for the privacy and personal data of its customers.

  • What is Protonmail criticized for?

On September 1, the activist site Paris-luttes.info published a long story on the legal measures targeting, for a year, climate activists mobilized against the gentrification of the district of Place Sainte-Marthe, in the 10th arrondissement. from Paris. In this case, the site revealed that "the Youth For Climate collective and its affiliates communicated via a secure email address" managed by Protonmail. In an attempt to identify the creator of this e-mail address, French police officers sent the Swiss company a judicial requisition.

Transmitted to Europol (the European agency specializing in the suppression of crime) and validated by the Swiss authorities, this request forced Protonmail to transmit the IP address linked to the electronic address which was in the sights of the French police.

Passed under the radar, this information was taken up on September 5 by the site "Secours rouge" and by several Internet users, who directly challenged the company on Twitter and the Reddit forum.

However, until Monday, September 5, the company Protonmail assured on its site that "by default", it did not record "any metadata such as the IP address used to connect".

  • Why was the company forced to respond to this demand?

In France, as part of a preliminary investigation, a judicial police officer (OPJ) can request from private actors - such as telephone operators or banks - information relating to some of their clients.

"When it comes to a private player established on French territory, the company is required to respond", explains Alexandre Archambault, lawyer at the Paris bar specializing in digital technology.

But, as was the case in this case, when it comes to a company established in a country other than France, the latter can refuse to respond to this requisition.

In the event of a refusal, the police can then rely on international cooperation mechanisms.

This is what the French authorities did when they asked for Europol.

Their requisitions

having then been validated by the Swiss authorities, the company was obliged to respond to France's request.

“Switzerland ratified the Budapest Convention, which aims to fight cybercrime 10 years ago.

Thus, service providers established in its territory may be required to transmit information on their users when the request is relayed by the national authorities.

But this convention bears its name badly because it is not confined solely to cybercrime, ”continues Alexandre Archambault.

Initially used for serious cases in cases of terrorism or child pornography, this cooperation mechanism has been extended over the years to a large number of criminal offenses.

In this specific case, it was for example a requisition for a case of damage to property.

  • How did the Protonmail company defend itself?

As early as September 6, the encrypted messaging company communicated by posting a clarification on its website.

"We are deeply concerned about this case and regret that legal tools for serious crimes are used in this way," Protonmail said in the preamble.

While the company has confirmed that it has been required to disclose the IP address, it has assured its users that under no circumstances can email encryption be bypassed, "which means emails, documents attachments, calendars, files, etc.

cannot be compromised by legal orders, ”reassures the company.

Protonmail also defended itself by explaining that due to the strict confidentiality of its services, it did not know the identity of its users.

“At no point were we aware that the targeted users were climate activists.

We only know that the Swiss government's request for data went through channels generally reserved for serious crimes, ”the company adds.

Accused of not having sufficiently clarified its conditions of use, Protonmail has since modified them.

It now reads: "If you are in breach of Swiss law, Protonmail may be legally obliged to provide your IP address to investigators."

By the Web

WhatsApp: What to know before accepting or rejecting the new terms of use

Society

Spying on Yahoo! accounts: is it really possible to have a tamper-proof mailbox?

  • By the Web

  • Justice

  • E-mail

  • Private life

  • Swiss

  • Personal data

  • Encryption

  • Investigation

  • Social networks