Proton Mail Discloses User Data Leading to Arrest in Spain

Update: Proton has confirmed the key details of this case and provided RestorePrivacy with a comment.

Proton Mail has come under scrutiny for its role in a legal request involving the Spanish authorities and a member of the Catalan independence organization, Democratic Tsunami.

Proton Mail is a secure email service based in Switzerland, renowned for its commitment to privacy through end-to-end encryption and a strict no-logs policy. In 2021, Proton Mail faced controversy when it complied with a legal request that led to the arrest of a French climate activist. Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.

The recent case involving the Spanish police this time, highlights privacy concerns and the limits of encrypted communication services under national security pretexts, and brings a long-debated subject to the forefront once again.

The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

This case is particularly noteworthy because it involves a series of requests across different jurisdictions and companies, highlighting the complex interplay between technology firms, user privacy, and law enforcement.

The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.

Like before, Proton Mail’s compliance with these requests is bound by Swiss law, which mandates cooperation with international legal demands that are formalized through proper channels (Swiss court system).

Last year, when we noted that Proton Mail complied with nearly 6,000 data requests in 2022, Proton provided us with an explanation that inbox contents remain secure.

Please note that in all cases email content, attachments, files etc are always encrypted and cannot be read.

Proton statement to RestorePrivacy last year

Looking at Proton’s transparency report, we find that Proton Mail complied with 5,971 data requests last year alone, up slightly from the year before.

Proton Mail complied with 5,971 data requests in 2023.

With so many data requests going on in the background, it is all the more important to safeguard the data you share with various services.

The importance of good OPSEC

This situation serves as a critical reminder of the importance of maintaining stringent OPSEC (operational security). One should always be aware of the potential vulnerabilities that come with linking recovery information or secondary services (like Apple accounts) that may not have the same privacy safeguards as a primary encrypted email service.

For users concerned about privacy, particularly those involved in sensitive or political activities, OPSEC should be a top concern when using privacy tools. It’s advisable to:

Avoid linking recovery emails or phone numbers that can directly tie back to personal identities or primary business activities.
Consider using secondary, disposable emails or virtual phone numbers that offer an additional layer of anonymity.
Use a good VPN service to hide your IP address whenever possible. (Failure to do this is what compromised a Proton Mail user in France who was arrested after after police obtained IP logs.)
Consider purchasing services using an anonymous payment method.
Stay informed about the legal obligations and policies of communication service providers, especially regarding their compliance with international law enforcement requests.

While Proton Mail and similar services offer substantial protections and end-to-end encryption on their email platform, they are not immune to legal and governmental pressures. Users must navigate these waters carefully, balancing the need for security with the potential legal obligations of their service providers.

RestorePrivacy has reached out to Proton Mail for a comment on the case and their exact involvement, but a statement wasn’t immediately available. at the time of publication.

Update: Statement from Proton and additional commentary

Proton has now confirmed the key details of this case and provided RestorePrivacy with the following comment:

We are aware of the Spanish terrorism case involving alleged threats to the King of Spain, but as a general rule we do not comment on specific cases. Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect. Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order, as terrorism is against the law in Switzerland.

Spokesperson for Proton

In an email to RestorePrivacy, Proton also pointed out that adding a recovery email is optional. While this is true, we have also observed Proton Mail requiring a verification email address for account creation. As tested today, Proton required a verification email when signing up through a VPN service and also Tor.

Proton Mail may require you to provide a verification email when signing up.

In the verification box, Proton states that the email address “will only be used for this one-time verification.” Unlike a recovery email, this verification email presumably does not stay connected to the account.