this seems to be the reply from protonmail on reddit[0]
>Hi everyone, Proton team here. We are also deeply concerned about this case. In the interest of transparency, here's some more context.
In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. Details about how we handle Swiss law enforcement requests can found in our transparency report:
Transparency with the user community is extremely important to us and we have been publishing a transparency report since 2015.
As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed.
Our legal team does in fact screen all requests that we receive but in this case, it appears that an act contrary to Swiss law did in fact take place (and this was also the determination of the Federal Department of Justice which does a legal review of each case). This means we did not have grounds to refuse the request. Thus Swiss law gives us no possibility to appeal this particular request.
The prosecution in this case seems quite aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used). We will continue to campaign against such laws and abuses.
to me this seems like they did all the could in regards to handling this request.
In other words, your information is safe from the police if the police doesn't want it, but the second they want it, they're getting it and Proton can't do anything about it. The "default" is only useful for hiding your past actions before the police took interest in you, but not for any action since it happened.
I have a protonmail account. When I log in to the interface, I see the body of emails, without providing any key on the client (not that it'd help since the client is a generic browser running their website code). This implies the process exists to recover the body of my emails. Also, I type in the password in their web UI in cleartext - there's no other way to gain access - which means they also have access to my cleartext password and could be forced to disclose it to the third parties. So unless you provide some contrary evidence, your assertion is false.
PM mails are encrypted with PGP at rest, as is metadata. The police can request to log incoming and outgoing mail metadata if available but not retroactively.
Right, if you trust that they only store the encrypted version. But the comment at the top of the thread is talking about logging once the police are interested in you. At that point they can log anything you send to them (or somebody else sends to them), including plaintext emails.
Yes, but it's hardly surprising that criminal investigations tend to evaporate some privacy standards very quickly. ProtonMail doesn't want to get hit by the stick too.
And before anyone suggests that PM should have been more "open/honest" about this, I disagree, the fact that a criminal investigation will do this is well known and mentioning it would be akin to asking your bank to plaster "if the world economy implodes, we might not be able to pay out your account" all over their frontpages.
From what I understood, they don't log ip addresses by default, but can be compelled to legally. They can only provide ip addresses for subsequent logins.
this seems to be the reply from protonmail on reddit[0]
>Hi everyone, Proton team here. We are also deeply concerned about this case. In the interest of transparency, here's some more context.
In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. Details about how we handle Swiss law enforcement requests can found in our transparency report:
https://protonmail.com/blog/transparency-report/
Transparency with the user community is extremely important to us and we have been publishing a transparency report since 2015.
As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed.
Our legal team does in fact screen all requests that we receive but in this case, it appears that an act contrary to Swiss law did in fact take place (and this was also the determination of the Federal Department of Justice which does a legal review of each case). This means we did not have grounds to refuse the request. Thus Swiss law gives us no possibility to appeal this particular request.
The prosecution in this case seems quite aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used). We will continue to campaign against such laws and abuses.
to me this seems like they did all the could in regards to handling this request.
[0]https://www.reddit.com/r/ProtonMail/comments/pil6xi/climate_...