ProtonMail, a provider of encrypted email, has denied claims that it voluntarily provides real-time surveillance to authorities.
Earlier this month, Martin Steiger, a lawyer based in Zurich, Switzerland, attended a presentation in which public prosecutor Stephan Walder, who heads the Cybercrime Competence Center in Zurich, mentioned the company. In a live-tweeted account of the event, subsequently written up in German and recently translated into English, Steiger said he learned that ProtonMail "voluntarily offers assistance for real-time surveillance."
But Walder, the source of the revelation, subsequently contacted Steiger to clarify that he had been misquoted and had only described ProtonMail as a potential provider of assistance.
Steiger maintains that he accurately reported what he heard and points to ProtonMail's own Transparency Report, which describes enabling IP logging in April in a case of clear criminal misconduct under Swiss law.
The key word here is "voluntary." ProtonMail says that it is obligated to assist authorities, like every other company in Switzerland and elsewhere. "All Swiss service providers are obligated by law to assist law enforcement in criminal cases, and the law requires us to enable IP logging in criminal cases," the company said via Twitter.
In an email to The Register, a company spokesperson dismissed Steiger's claims.
"ProtonMail does not voluntarily offer assistance," the company spokesperson said. "We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in all criminal cases. Furthermore, end-to-end encryption means we cannot be forced by a court to provide message contents."
Steiger's skepticism about ProtonMail security appears to follow from marketing non sequiturs – "ProtonMail is hosted in a former military command center deep inside the Swiss alps" – that fall short of testable technical guarantees.
His argument focuses on the fact that message metadata can be as revealing as message contents, and there's some truth to that. It's extraordinarily difficult to communicate securely and anonymously over the internet, particularly if law enforcement authorities have access to relevant service providers. But that problem is not specific to ProtonMail.
The Register asked Steiger to comment but he didn't immediately respond. ®
Updated to add
ProtonMail, clearly concerned that its privacy-focused customers might be freaking out a little, has explained its position in a blog post.
PS: ProtonMail has a Tor-based .onion service if you don't want your real public IP address tracked.