ProtonMail hands info to government but says it’s not Google
ProtonMail, a managed email service popular with the crypto community, surrendered a user’s information to Spanish authorities, leading privacy rights advocates to claim it had violated its sworn promise to protect user data.
ProtonMail is based in Switzerland and uses privacy and security themes in all of its corporate messaging. Like Switzerland’s once-enviable numbered bank accounts, ProtonMail made allusions to Swiss privacy, pseudonymity, and jurisdictional legal protections from the power of certain subpoenas. As a result of this marketing campaign, it attracted many crypto users who wanted a private email service.
In this instance, the user was a member of Mossos d’Esquadra, a police force in Catalonia. Spanish authorities identified him via subpoenas to ProtonMail and Apple.
The secure email service provided police with a recovery email address that revealed the pseudonym ‘Xuxo Rondinaire.’ Based on that address and on information from Apple related to the recovery email and pseudonym, Spanish authorities believe he assisted the Democratic Tsunami movement.
ProtonMail’s decision to cooperate with Spanish law enforcement came under immediate fire. The email service admitted to the disclosure while simultaneously boasting that its privacy-centric infrastructure meant that the recovery email address was the only information that it gave to authorities.
Other free email services like Google’s Gmail, it said, would have turned over more information, such as the recipients or actual content of emails.
Ideas for using ProtonMail going forward
In response to the news, some users suggested better practices for anyone wishing to remain at the Swiss email service. Given the obvious reality that ProtonMail might surrender backup email addresses to law enforcement, users can supplement their privacy by adding a completely anonymous and unrelated private recovery email. They also recommend using a non-ProtonMail VPN to access the service.
ProtonMail, interestingly, complied with 5,957 data requests in 2022. So although its latest disclosure of the ‘Xuxo Rondinaire’ recovery email address in response to an anti-terrorism law enforcement request drew media attention and a reaction from the crypto community, the company has made thousands of other disclosures throughout its history.