ProtonMail Shows Why Your Data Won't Ever be Private Under Any "Orderly" Jurisdiction

This week news broke that a French climate activist was arrested after ProtonMail provided information on the suspect’s ProtonMail account (jimm18@protonmail.com) to Swiss law-enforcement. They handed data over to Europol, which in turn forwarded that information to the French authorities. Simultaneously, ProtonMail deleted their we don’t log your IP boast from their website and quickly ran a PR post made up of poor excuses in order to try to save face. The statements made there are basically nothing more than …

Hey, we still love you, check our transparency report to see how much we care, but make sure to use a different service, that you should probably be donating to instead of paying us (namely Tor), in order to actually be anonymous on our platform. Oh, and always remember: Swiss laws aren’t that bad, you could be worse off. ¯\_(ツ)_/¯

The news proved once again what many privacy-minded people (including myself) have been warning about repeatedly:

• Switzerland is not a neutral jurisdiction that operates independently from EU (or US, or CN, …) influence
• Switzerland is neither a silver bullet for privacy and was successfully pressured by the EU as well as the US to get rid of other privacy/secrecy laws before
• That Swiss Criminal code article 271 which ProtonMail mentions in their PR statement doesn’t really matter in most cases, simply because other states can nevertheless get their hands on customer info through Europol -> the Swiss government
• What happened to Tutanota might very well happen to ProtonMail
• Europe has a track record of using, funding and monetizing privacy-invasive technology with no remorse, while on the other hand trying to paint itself privacy-friendly with GDPR bs which – let’s be honest for once, Europe, shall we? – was solely put in place to hurt foreign tech companies and give an advantage to their own, left-behind tech industry

Europe, as well as the US are jurisdictions in which a complex web of regulation, foreign relations and interests interacts heavily with topics like privacy.

Take the ProtonMail situation. If you’re a French citizen, who’s using a service that’s not headquartered in France, but in a different jurisdiction that has strong ties to France or the EU – which France is the second most influential member of – then you can be pretty sure that this jurisdiction will play ball if your country decides to prosecute you. In case of ProtonMail, Switzerland heavily depends on its EU partners and is very unlikely to turn its back on them. Hence, it’s not actually that surprising to see Switzerland pressuring ProtonMail into handing out user data to their French neighbors.
It’s not even just something specific with ProtonMail or privacy: Have a bank account in Switzerland and beef going on with Leader Xi? No more bank account for you. Studying in Switzerland and late-night-tweeting how the CCP disturbs your qi? No more PhD for you. Whenever there’s pressure from a valued partner, companies and institutions will (have to) bend.

The fallacy is to believe that any industrialized nation that maintains interdependent relations with others will ever be able to protect an individual’s data no matter what. No European member would have simply acted like “Nope sry won’t tell you, still friends though ok? Thnxbye!”. If a country allows for services under its jurisdiction to operate without storing IP logs or providing any other insightful metadata on their users, it will only allow to do so for as long as the service is irrelevant enough to slip under its radar and won’t make too much trouble or until there is either internal pressure (policy) or pressure from other countries it depends on.

With the current ProtonMail situation, it was probably a little bit of both. ProtonMail became a household name and therefor isn’t as irrelevant anymore as it was a few years back. On the other hand, France and the EU are important partners for Switzerland that even contributed to ProtonMail’s funding. Believing that ProtonMail is able to operate as one of Europe’s largest mail providers without logging important metadata and blindly trusting that it won’t spill the beans when the hands that feed them kindly ask is nothing but naive.

But let’s assume for a moment that the French activist was to use a similar service to ProtonMail, but one that would be operating from, let’s say Russia. Obviously, his data then wouldn’t be private at all, as it could be accessed by the FSB at any time – otherwise our fictional ПротонMail service would probably not be allowed to operate in first place. However, my uneducated guess is, that French authorities would have had a harder time to get their hands on the info, based on how relations between the two countries are right now. His data certainly wouldn’t have been private, but nevertheless it might have not gotten to the point of him being arrested so easily.

The EU has proven over and over, that law and order can be executed easily throughout the bloc, due to well-funded implementations and the lack of actual privacy within the system. If there’s a law, there’s a process authorities can execute upon. If there’s no law, the apparatus will nevertheless use its power to get hold of the desired information, no matter whether that’s formally legal or not. Nations like France and Switzerland can exercise power within their reach by using not only legally sound paths, but also a multitude of rather dubious ways – especially if you’re being perceived as a thread to an influential relation or sector of a country or simply calling a European politician a “dick” on Twitter.

Unfortunately, companies operating within such frameworks usually don’t have much of a choice to avoid being the pawn. They have to play by the rules that are set by their governments. If they don’t, the people who run the company will be individually held accountable for the actions of their customers, even if they haven’t done “anything wrong” themselves.
Hey there, Kim Dotcom!

Because the government knows who is behind ProtonMail, they’re able to politely ask them to hand out the info or otherwise be held accountable for non-compliance. And since the people in charge at ProtonMail certainly don’t feel like being held accountable for their customers’ wrong-doing, they prefer to pass the baton and follow the rules imposed by their jurisdiction.

There are ways to run an operation like ProtonMail with a lower risk of the company behind it being forced to hand out user data, though. From a privacy perspective, offshore jurisdictions – which are usually only known as tax havens – can provide an interesting basis for that purpose. They often have fewer incentives to actively cooperate with foreign governments and enjoy constitutional guaranteed privacy for their companies. Besides, there is usually a lot less funding available for their own Orwellian apparatus.
It only makes sense that businesses which have a need for privacy – like for example The Pirate Bay, CTemplar, Njalla and others – incorporate in jurisdictions that are harder to reach for the governments of their owners and those of their customer base.

Part of the reason why, for example, a company on Nevis can afford to keep its mouth shut about its clients and their data is because Nevis, on the other hand, can afford to keep its mouth shut about its clients. With the island’s own corporate registry not knowing who a business is owned by, it is barely possible to pressure company owners individually. Even suing the company itself can become a rather tedious task in such jurisdictions, with members not being legally responsible for company obligations, high legal bonds and many more hurdles. As an example, judgment from outside of Nevis won’t be recognized by courts in Nevis, meaning that a won lawsuit against a Nevis-based company under e.g. US or European jurisdiction can not simply be enforced within Nevis.
Additionally, offshores usually have fewer regulations for financial transactions, making it easier for companies there to accept anonymous payments, which in turn can ensure better privacy for their users.

The reason why your data won’t ever be private under any “orderly” jurisdiction is simply because their whole frameworks aren’t built for privacy in first place and individual companies do not have the power to change that. No matter how much Apple would like to encrypt their customer’s backups, when mom tells them to not, they won’t. No matter how much Tutanota wants to protect their user’s data, when the Vaterland wants access they give them. And judging by what is happening globally it doesn’t seem to get any better. Under claims of terrorism, drugs and child abuse more and more governments, as well as corporations scrapped privacy protections and continue to do so even more aggressively in the wake of a global pandemic and social unrest.

If you want your data to be truly private, it requires a lot more effort than simply signing up on a fancy landing page that’s promising you not to store your IP or telling you schwifty things about encrypted mail. Make sure you understand the legal frameworks under which a company operates as well as your individual legal situation, before blindly trusting some poster child company to keep your data private. Better take care of it yourself in first place. Avoid mail at any cost and if you have to use it, secure it yourself. Use state of the art encryption and strong passwords. Use cash or anonymous crypto-currency for payments. Donate to Tor and use it when in doubt. Don’t trust in any company and especially not governments and their laws to protect your privacy.

Stay safe.