ProtonMail has come under fire for revealing information about one of its users. The company, based in Switzerland, passed information on a French activist to the authorities at the behest of Europol, who collaborated with the French police.

ProtonMail advocates user privacy and has always maintained that it doesn't log IP addresses by default, but it is bound by law to comply with local regulations.

Now, the company is advising its users to access its services via the Tor network or VPN to ensure that there is no IP address to give the authorities in future cases.

ProtonMail Reveals IP Address of French Activist

The crux of the issue is that despite ProtonMail's long-standing focus on privacy, it must still comply with local laws. In this case, ProtonMail received a request to reveal the IP address of one of its users, who is part of an anti-gentrification group illegally occupying several buildings in central Paris.

The French police issued a request for the information to Europol, which passed the request to the Swiss authorities. As the company is based in Switzerland, once ProtonMail receives a legal request of this nature, they are bound by law to cooperate. ProtonMail was keen to stress that they didn't willingly hand information over to the French police directly, but, as per the ProtonMail Transparency Report, they are obliged to work with these "foreign requests approved by the Swiss authorities" or else face sanctions against the company.

In short, ProtonMail had its hands tied and had to deliver the IP address of the French activist, despite its misgivings about delivering user data to authorities. As per the Transparency Report, ProtonMail does reject data requests where it can and where it believes the data request is illegal. Of the more than 3,500 data requests received in 2020, it rejected at least 750 but is bound to respond when compelled.

ProtonMail: We Have to Comply With the Law

But while ProtonMail is legally required to hand over data it can access, the privacy-focused service advises users that this doesn't have to be the case.

As per ProtonMail's Privacy Policy, if you access ProtonMail using your regular internet connection, on request, it can provide information including IP address, email address, account activity and metadata, total messages stored, last login time, and even unencrypted messages sent to external providers. However, the Transparency Report goes further, adding that the company may also "be obligated to monitor the IP addresses which are being used to access the Proton Mail accounts which are engaged in criminal activities."

It is this that has caused such pushback from privacy advocates who long considered ProtonMail one of the safest email providers around.

Why You Should Use Tor or a VPN to Access ProtonMail

There are two options to protect against IP monitoring and data logging, both of which ProtonMail advises users to consider.

First, you can access ProtonMail via its Tor Onion site. Due to the network configuration of Tor, assigning an IP address to an individual account is essentially impossible. If the authorities request information on the IP address used to access an account, ProtonMail can only deliver the IP address of the exit node rather than the origin of the request.

Second, ProtonMail advises using its ProtonVPN service. If a user accesses ProtonMail while using a VPN, the company can only give the IP address of the VPN server. The VPN option does come with caveats, though. You must make sure to use a zero-log VPN provider; otherwise, the authorities can compel the provider to reveal any data logs for the account used to access ProtonMail (or other services), revealing the origin IP address in the process.

Neither option is perfect, but each provides a relatively simple way to add another layer of protection between your user data and any potential data requests (or if you just want to increase your privacy!).

Is ProtonMail Still Safe to Use?

Absolutely. The revelations regarding ProtonMail's data collection and IP monitoring are concerning but, for the most part, understandable. They're operating on Swiss soil, so they are bound by Swiss law, and unless they up sticks to the back end of a country with no regulation or a boat in the middle of the ocean, they must comply with law enforcement.

For regular users, ProtonMail is still an excellent secure and private email provider.