from the neutral-good-remains-a-pretty-solid-alignment dept
ProtonMail presents encrypted e mail, one thing that implies it is extra privateness acutely aware than others working in the identical enviornment. However, being situated in Switzerland, it is topic to that nation’s legal guidelines. That has brought about some friction between its privateness safety claims and its obligations to the Swiss authorities, which, earlier this 12 months, rubbed French activists the fallacious method when their IP addresses had been handed over to French authorities.
The issue right here wasn’t essentially the compliance with native legal guidelines. It was Proton’s declare that it didn’t retain this data. If it actually did not, it might not have been in a position to adjust to this request. However it’s required by native regulation to retain a certain quantity of knowledge. This incident coming to gentle resulted in ProtonMail altering the wording on its website to mirror this reality. It now not claimed it didn’t retain this information. The brand new assertion merely says this information “belongs” to customers and Proton’s encryption ensures it will not find yourself within the arms of advertisers.
Proton’s retention of this information was the results of a Swiss information retention regulation and, extra lately, a revocation of its skill to function largely outdoors the confines of this regulation. Terry Ang of Jurist explains the how and why behind Proton’s relinquishment of IP addresses to French authorities, which resulted in its problem of the applicability of the native information retention regulation.
The corporate lodged an enchantment final month after the PTSS [Swiss Post and Telecommunications Surveillance Service) abruptly revoked Proton’s limited surveillance obligations in September 2020. Before that order, they were only required to provide IP addresses to surveillance departments in situations of “extreme criminal cases.” The company was also protected by article 271 of the Swiss Criminal Code, which means that data submission for surveillance purposes is supposed to be approved by the Swiss government.
But as a result of the sudden policy change, the company was forced to surrender IP addresses of climate activists, leading to several arrests by the French authorities. The company was also subjected to new data retention obligations for future surveillance purposes.
It’s these retention obligations that have been challenged. These obligations undercut earlier promises made by Proton to its users — the ones that resulted in a rewrite of its privacy guarantees as well as its cooperation with French authorities.
Fortunately for ProtonMail and its users, surveillance of the service will go back to being more limited. The Swiss Federal Administrative Court has sided with Proton, finding that it is not a service provider under the definitions included in the data retention law.
The Court on Friday concluded that email services are different from conventional telecommunication providers in Switzerland, and thus, should not be subject to the same kinds of data storage requirements. The Court followed a recent Swiss Supreme Court ruling in April that clarifies the status of instant messaging, video and telephone app services such as WhatsApp, Threema, Zoom and Skype. In that case, the Supreme Court stated that such applications and services are not considered telecom service providers, but classified as “over-the-top” (OTT) service providers.
This should allow ProtonMail to go back to offering users the privacy protections they thought they had until news reports indicated otherwise. But users should be aware that email services generate a lot more data and metadata than encrypted chat services, which means there’s more stuff laying around for investigators (and oppressive governments) to demand or utilize should the opportunity arise. But it’s still a significant win for the service — one that also reaffirms that not all communication service providers are telecom service providers, and shouldn’t be subject to the same data retention obligations.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team