ProtonMail shows that an encrypted email service has some holes, as an activist found out
Proton Mail's Privacy Limits Highlighted by Activist Data Leak
Proton AG, the company behind the encrypted email service Proton Mail, found itself in hot water in April 2024 after it complied with a Spanish police request for information about a user, a Catalan pro-independence activist. This incident sparked controversy, highlighting the harsh realities of privacy tech.
Encryption is celebrated for its promise of security, but a significant portion of metadata is left unencrypted. The email subject, sender address, dates and times of emails, and recovery address are all unencrypted metadata that could be more damning than the actual emails.
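To make the metadata point concrete, here is an added example (not from Proton or the original article) that parses a constructed PGP/MIME message and separates what is readable without any key from what is ciphertext. The addresses, subject and placeholder ciphertext are made up, and `audit` is a hypothetical helper name; the recovery address is account data held by the provider rather than part of any message, so it does not appear here.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a PGP/MIME (RFC 3156) message with an encrypted body.
# Addresses, subject and "ciphertext" are invented for illustration.
SAMPLE = """\
From: Alice <alice@example.org>
To: bob@example.net
Subject: Meeting point for Saturday
Date: Tue, 02 Apr 2024 18:45:10 +0200
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

METADATA_HEADERS = ("From", "To", "Subject", "Date")

def audit(raw):
    """Split a message into cleartext headers and encrypted body parts."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None}
    # Normalise sender and timestamp the way a log or index would store them.
    exposed["From"] = parseaddr(exposed["From"])[1]
    exposed["Date"] = parsedate_to_datetime(exposed["Date"]).isoformat()
    # Only leaf parts carrying an armored PGP block count as encrypted content.
    encrypted = [p.get_content_type() for p in msg.walk()
                 if not p.is_multipart() and "BEGIN PGP MESSAGE" in p.get_payload()]
    return {"pgp_mime": msg.get_content_type() == "multipart/encrypted",
            "exposed": exposed, "encrypted_parts": encrypted}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, value in report["exposed"].items():
        print(f"cleartext   {name}: {value}")
    print("ciphertext  parts:", report["encrypted_parts"])
```

Everything printed as cleartext is available to any server that handles the message, even though the body itself cannot be read.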
The ideal scenario for privacy tech enthusiasts would be a company outright rejecting legal requests, but this is unrealistic and potentially self-destructive. If Proton took this path, it would face overwhelming legal challenges, possibly leading to its downfall, reducing the number of viable encrypted email options. Proton complied with nearly 6,000 legal requests in 2023, a fact that, once understood, led to a more rational response from the community, acknowledging the complexities involved.
Some argue that the activist's exposure was due to poor operational security (opsec), specifically opting into a recovery email. However, blaming the user isn't constructive; the real question is how we can enhance privacy protections.
Encryption is essential, but it's only a starting point. Given the metadata problem of email, one must consider alternatives with less exposure. Anonymous messenger apps with password-protected Zip files are alternatives.
In conclusion, legal compliance by companies like Proton is inevitable. One should consider all email systems to be compromised by the authorities. Consider using password-protected Zip files to ensure end-to-end encryption. Anonymous messenger apps are an alternative to email systems.