Swiss Court Says ProtonMail Isn't A Telecom, Isn't Obligated To Retain Data On Users

from the neutral-good-remains-a-pretty-solid-alignment dept

ProtonMail offers encrypted email, something that suggests it's more privacy conscious than others operating in the same arena. But, being located in Switzerland, it's subject to that country's laws. That has caused some friction between its privacy protection claims and its obligations to the Swiss government, which, earlier this year, rubbed French activists the wrong way when their IP addresses were handed over to French authorities.

The problem here wasn't necessarily the compliance with local laws. It was Proton's claim that it did not retain this information. If it truly didn't, it would not have been able to comply with this request. But it is required by local law to retain a certain amount of information. This incident coming to light resulted in ProtonMail altering the wording on its site to reflect this fact. It no longer claimed it did not retain this info. The new statement merely says this info "belongs" to users and Proton's encryption ensures it won't end up in the hands of advertisers.

Proton's retention of this data was the result of a Swiss data retention law and, more recently, a revocation of its ability to operate largely outside the confines of this law. Terry Ang of Jurist explains the how and why behind Proton's relinquishment of IP addresses to French authorities, which resulted in its challenge of the applicability of the local data retention law.

The company lodged an appeal last month after the PTSS [Swiss Post and Telecommunications Surveillance Service] abruptly revoked Proton’s limited surveillance obligations in September 2020. Before that order, they were only required to provide IP addresses to surveillance departments in situations of “extreme criminal cases.” The company was also protected by article 271 of the Swiss Criminal Code, which means that data submission for surveillance purposes is supposed to be approved by the Swiss government.

But as a result of the sudden policy change, the company was forced to surrender IP addresses of climate activists, leading to several arrests by the French authorities. The company was also subjected to new data retention obligations for future surveillance purposes.

It's these retention obligations that have been challenged. These obligations undercut earlier promises made by Proton to its users -- the ones that resulted in a rewrite of its privacy guarantees as well as its cooperation with French authorities.

Fortunately for ProtonMail and its users, surveillance of the service will go back to being more limited. The Swiss Federal Administrative Court has sided with Proton, finding that it is not a service provider under the definitions included in the data retention law.

The Court on Friday concluded that email services are different from conventional telecommunication providers in Switzerland, and thus, should not be subject to the same kinds of data storage requirements. The Court followed a recent Swiss Supreme Court ruling in April that clarifies the status of instant messaging, video and telephone app services such as WhatsApp, Threema, Zoom and Skype. In that case, the Supreme Court stated that such applications and services are not considered telecom service providers, but classified as “over-the-top” (OTT) service providers.

This should allow ProtonMail to go back to offering users the privacy protections they thought they had until news reports indicated otherwise. But users should be aware that email services generate a lot more data and metadata than encrypted chat services, which means there's more stuff lying around for investigators (and oppressive governments) to demand or utilize should the opportunity arise. Still, it's a significant win for the service -- one that also reaffirms that not all communication service providers are telecom service providers, and shouldn't be subject to the same data retention obligations.


Filed Under: data, data retention, email, law enforcement, logging, privacy, ptss, switzerland
Companies: proton mail


Reader Comments


  • Anonymous Coward, 29 Oct 2021 @ 5:28pm

    So... Zoom is Over The Top?
    I was wondering what that whistling noise was that went by...


  • Anonymous Coward, 31 Oct 2021 @ 5:29am

    Another promise of privacy ... another lie ... another user betrayed ... another "principle" established. Wash and repeat. Internet companies will never run out of legalistic explanations to give about why they screwed you over this time, and why you're TOTALLY SAFE for the next.

    Rot13 is probably safer than the strongest encrypted site on the planet. Because the strongest encrypted site on the planet will fold and hand over your data, or be hacked or betrayed from inside, or was run by spies from the beginning. But spies might not think of Rot13.


  • Anonymous Coward, 31 Oct 2021 @ 1:01pm

    Using Tor, combined with a VPN, is the best way to go. All they will get is the Tor exit node you came out of.

    When I am going to post something here that might pique the interest of the Feds, I combine Tor with a VPN.

    Remember, the FBI, Surete, or whatever, can break into the database backend of any website, get the info they need, and the site operators will never know any LEOs were in their database, because popular server-based databases have no logging.

    That is why whenever I post something here that might interest the Feds, I use VPN and Tor, so that I cannot be traced.


