Proton Mail recovery email leads to arrest of Catalan activist
Proton is secure, but you still need to be aware of what you disclose
Update: On May 15, 2024, we made some minor adjustments to clarify statements concerning the nature of Proton’s involvement in the case.
Last week’s news of Proton Mail disclosing a user’s recovery email to the Spanish police, which was then used to identify and arrest a pro-Catalan protester, is likely to have unsettled activists in Europe and beyond.
Proton Mail is an encrypted and secure email app and is hugely popular among journalists and dissidents alike, who rely on the company’s promise to protect their privacy. However, as part of a terrorism investigation, the Swiss-based privacy firm was required by law to hand over the recovery email address of the Democratic Tsunami activist to the Guardia Civil.
This recovery email address was an Apple iCloud address, and Apple then handed over identifying information connected to that account to law enforcement. Had the activist not added a recovery email to their Proton Mail account, Proton would have had no other data to hand over.
Talking to TechCrunch, Proton spokesperson Edward Shone said: “Proton has minimal user information, as illustrated by the fact that in this case, it was data obtained from Apple that was allegedly used to identify the terrorism suspect.”
It’s worth mentioning that the firm’s other products—including Proton VPN, which features in TechRadar’s best VPN guide—were not affected by this incident, as they are not governed by the same BÜPF legislation around telecommunications.
However, considering this isn’t the first time Proton has been compelled to release user data to law enforcement, discussion has flared up concerning the limitations of encrypted apps.
So, is Proton Mail still a safe choice for activists? Well, this very much depends on how you use the platform. I have contacted Proton for comment and am waiting for a reply at the time of publishing, so here is everything we know.
Beware of metadata
As I mentioned above, Proton Mail is one of the go-to email providers for journalists, human rights defenders, protesters, and any other user who might be the target of online surveillance. That’s because Proton Mail seeks to minimize the personal data the company can access by encrypting users' communications.
Encryption refers to the process of scrambling data into an unreadable form. As the company explains in a blog post, emails sent between Proton Mail users are always end-to-end encrypted, meaning that the system uses cryptographic keys to encrypt the data on the sender’s device and decrypt it only when it reaches the intended recipients. Zero-access encryption is also applied to messages you store on Proton’s servers, while TLS encrypts your emails in transit.
All this means that Proton, for instance, cannot share the content of emails you send or receive, because the company itself cannot read it. The same is true for all your stored messages.
Proton Mail is a secure email service that promises to offer privacy by default, not anonymity. Head to our dedicated page to learn the difference and for tips on how to use Proton Mail anonymously.
The issue is that encryption does not guarantee anonymity.
Proton is one of the more transparent privacy providers and does not make outlandish claims on its website. However, it still has access to some identifiable information, known as metadata, including email addresses and IPs. Law enforcement knows this, and routinely compels companies to hand these details over.
Let’s take a closer look at the Spanish case. As court documents obtained by TechCrunch reveal, the Guardia Civil sent legal requests through Swiss police to Wire, a Swiss encrypted messaging platform, and to Proton. Wire shared the email address the suspect used to sign in to its service—a Proton Mail one.
Proton had just one, albeit valuable, piece of information related to that account: an iCloud email address used as a recovery email. From there, Apple provided the Spanish police with all the details needed to identify the pro-Catalan protester: their full name, two home addresses, and a linked Gmail account.
“Proton provides privacy by default and not anonymity by default,” Shone stated, “because anonymity requires certain user actions to ensure proper [operational security], such as not adding your Apple account as an optional recovery method, which it appears was done by the alleged terror suspect.”
He also added: “Proton does not require a recovery address, but in this case, the terror suspect added one on their own. We cannot encrypt this data as we need to be able to send an email to that address if the terror suspect wishes to initiate the recovery process.”
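The distinction Shone draws, between mailbox content a provider cannot read and account metadata it must keep in the clear, can be made concrete with a small model. The following Python is an added illustration, not Proton’s code or architecture: it uses a toy HMAC-based stream cipher and a simplified login verifier in place of the real cryptography, and the account fields and sample values are constructed. The point it shows is that a legal order can only ever yield what the provider stores unencrypted, and the recovery address has to be one of those fields because the server must be able to send mail to it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KDF_ITERATIONS = 50_000  # kept low so the example runs quickly


def derive_mailbox_key(password: str, salt: bytes) -> bytes:
    """Client-side key derivation. The password never leaves the device,
    so the provider never holds this key (the zero-access property)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256.
    It illustrates ciphertext-only storage; it is not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class StoredAccount:
    """Everything the provider's database holds for one account (constructed model)."""
    username: str
    salt: bytes
    login_verifier: bytes                   # lets the server check a login, not read mail
    recovery_email: Optional[str]           # plaintext: the server must be able to mail it
    login_ips: List[str] = field(default_factory=list)
    mailbox: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (nonce, ciphertext)


def client_create_account(username: str, password: str,
                          recovery_email: Optional[str] = None) -> StoredAccount:
    """Runs on the user's device; only the salt, verifier and metadata reach the server."""
    salt = secrets.token_bytes(16)
    key = derive_mailbox_key(password, salt)
    # One-way value derived from the key: the server can check a login with it
    # but cannot recover the key (simplified stand-in for a real PAKE such as SRP).
    verifier = hashlib.sha256(b"login-verifier|" + key).digest()
    return StoredAccount(username, salt, verifier, recovery_email)


def client_store_message(account: StoredAccount, password: str, plaintext: str) -> None:
    """Encrypt on the client, then hand the provider only nonce + ciphertext."""
    key = derive_mailbox_key(password, account.salt)
    nonce = secrets.token_bytes(16)
    account.mailbox.append((nonce, keystream_xor(key, nonce, plaintext.encode("utf-8"))))


def client_read_mailbox(account: StoredAccount, password: str) -> List[str]:
    """Decryption happens on the client with the re-derived key."""
    key = derive_mailbox_key(password, account.salt)
    return [keystream_xor(key, nonce, ct).decode("utf-8") for nonce, ct in account.mailbox]


def provider_record_login(account: StoredAccount, ip: str) -> None:
    """Connection metadata the server sees regardless of encryption (authentication omitted)."""
    account.login_ips.append(ip)


def provider_respond_to_legal_order(account: StoredAccount) -> Dict[str, object]:
    """What the provider can disclose when compelled: only what it stores in the clear.
    Message bodies are ciphertext under a key it never had, so they cannot be produced."""
    return {
        "username": account.username,
        "recovery_email": account.recovery_email,
        "login_ips": list(account.login_ips),
        "message_count": len(account.mailbox),
        "message_bodies": None,
    }


if __name__ == "__main__":
    # Constructed sample: one account with a recovery address, one without.
    with_recovery = client_create_account("user-a", "correct horse battery", "user-a@icloud.example")
    client_store_message(with_recovery, "correct horse battery", "hello")
    provider_record_login(with_recovery, "203.0.113.7")
    print(provider_respond_to_legal_order(with_recovery))
    without_recovery = client_create_account("user-b", "another passphrase")
    print(provider_respond_to_legal_order(without_recovery))
```

Running the script prints the disclosable record for both accounts: the first leaks a recovery address and a login IP, the second leaks only a username and a count of stored messages. The message body itself is never in either record, which is exactly the asymmetry Shone describes.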
Everyone hating on @ProtonPrivacy and saying to cancel subscriptions is missing the point entirely. This case actually proves how powerful Proton Mail is, not the opposite. Europol brought a court order to Proton, and the most Proton could provide was the user’s recovery email… pic.twitter.com/kuvTc0jqfe — May 7, 2024
Other commentators (see the tweet above) took Proton’s defense on the matter, reiterating the fact that while no company is willing to go to jail for you, “all companies should limit the info they have on users like Proton has done.”
Meanwhile, according to Eva Galperin, the Director of the digital rights advocacy group Electronic Frontier Foundation, the incident is a stark “reminder that metadata matters.”
What’s certain is that this is the umpteenth example shining a light on the limitations of secure and encrypted apps to fully protect people’s anonymity when law enforcement gets involved. For instance, according to Proton’s transparency report, the company received only 6,378 legal orders in 2023. The team successfully contested 407 of them, but it had to comply with 5,971.
Worse still, these incidents might become even more widespread as legislators seek to give even more powers to law enforcement. The UK, for instance, is one of the countries looking to boost digital surveillance in 2024.
Steps to take to improve your anonymity
While Proton’s case highlights the complex net of law enforcement’s powers and companies' duties, it also reiterates a simple fact: using an encrypted app isn’t enough to be private online.
Just as there are online threats that a virtual private network cannot protect you from, a privacy-first email or messaging service won’t be able to hide all your digital traces, especially from authorities.
Therefore, if you’re an activist, journalist, or another user at high risk of government surveillance, we strongly recommend taking further steps to boost your online anonymity. These include:
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up.She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com