Response to false statements on law enforcement surveillance made by Martin Steiger

Earlier today, a Swiss lawyer named Martin Steiger published a factually incorrect article about ProtonMail on his blog, alleging, among other things, that “ProtonMail voluntarily offers assistance for real-time surveillance.”

Martin Steiger’s claim is factually incorrect, and Mr. Steiger is also aware that this claim is false. Not only have we informed him multiple times that his claim is false, but the alleged source of his story, a Swiss public prosecutor, has also refuted these claims (this is hidden at the bottom of Mr. Steiger’s article).

Screenshot from Martin Steiger’s blog post

So that there can be no ambiguity: ProtonMail does not voluntarily offer assistance as alleged. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in all criminal cases. Furthermore, ProtonMail’s end-to-end encryption means we cannot be forced by a court to provide unencrypted message contents.

ProtonMail cannot be used for any purposes that are illegal under Swiss law. Not only is this against our terms and conditions, we are also obligated by law to assist police investigations in criminal cases. However, the claim that we do this voluntarily is entirely false.

Laws are subject to interpretation, and because the relevant Swiss law itself is ambiguous, there are differing interpretations of the law. Steiger’s interpretation is different from the one taken by the Swiss government agency tasked with enforcing the law, whose directives we are legally obligated to comply with. His interpretation, therefore, is just an opinion, and not grounded in legal reality.

However, we also do not agree with the interpretation taken by some branches of the Swiss government. Therefore, we have asked the Swiss Federal Administrative Tribunal to rule on the appropriate interpretation of the law, and we will appeal to the Swiss Supreme Court if necessary. Until a ruling comes down (in one or two years' time), our company policy has consistently been to take the most pro-privacy position, which is indeed the position we have taken in all our court filings.

User privacy is our highest priority, and whether it is through our technology, open source software, or through our litigation and advocacy, we are committed to protecting the fundamental human right to privacy.

Best Regards,
The ProtonMail Team


13 comments on “Response to false statements on law enforcement surveillance made by Martin Steiger”

  • Seems to me, if you connect with TOR via the onion site, then end-to-end encryption means that the Swiss government can have whatever information you hold, and be welcome to it.

    • That is not correct. End-to-end encryption means that we can never hand over the message contents of end-to-end encrypted emails.

  • “We only do so when ordered by a Swiss court or prosecutor” in this posting conflicts with many parts of https://protonmail.com/blog/transparency-report/ , which refer to complying with “requests” from police. PM examines the requests and decides if it will comply. But these are “requests”, not “court orders”. If police “request” something and PM decides to comply, is that not “voluntary”?

    • This is a misunderstanding of the terminology. A request is a term used to refer to court orders, orders from Swiss prosecutors, or orders from the government agency responsible for coordinating between law enforcement and service providers. Whenever we use the term requests, we are referring to something that is legally binding but includes more than just court orders, as orders can also come from prosecutors or the department of justice. In other words, there is no such thing as a voluntary request, all requests are by definition obligatory to follow.

  • ProtonMail-

    Thanks for this clarification. You do important work for activists, journalists and citizens.

    If you work for a government and you know of illegal surveillance activities, it is your duty to report those activities. Please leak those activities using TOR or other anonymizing methods.

    Mike Rogers of the NSA correctly reported illegal spying on a U.S. presidential candidate. You should do the same. We will ALL be better off when illegal surveillance is ended. Follow the good example of your superiors who report these issues. Thank you!

  • In other words, ProtonMail’s security is about the same as that of any other email service provider.

    Please remind me again what is the leg-up that ProtonMail has over Outlook, Yahoo, AOL, or Gmail? Just asking for a friend…

  • It should be clear to us which meta data you can communicate by court order:

    – IP (But if we use the hidden service, I have trouble seeing what you’re going to give).

    – To & From

    – Subject (It is not encrypted between 2 users of protonmail)?

    – Date

    And indeed the lawyer asked a very relevant question.

    Unencrypted content from third-party services (Gmail, Outlook etc.) can be given unencrypted as part of real-time monitoring?

    • The term real-time surveillance is misleading and is a carry-over from the days of telephone line wiretapping. As it applies to Internet companies, there are two types of obligation towards law enforcement in Switzerland (and basically every other country for that matter).

      Existing data – this is the sharing of data that a company already possesses, which would be the items in our privacy policy.

      Future data – this is the data that a company can be asked to log for law enforcement purposes. In our case, this is primarily the email access IP logs.

      Our encryption and data collection policies mean we have very little information to begin with. The information that we can share is described in detail within our privacy policy.

  • Hello,

    I am a paying user of the Visionary Plan.
    I think you lack transparency about the meta information you keep.

    The OpenWhisperSystem Foundation is much clearer on this subject.

    Example of what they transmit to the courts:

    https://signal.org/bigbrother/

    Example of what they do to avoid knowing who is communicating with whom:

    https://signal.org/blog/sealed-sender/

    Because if you can tap your users in real time;
    Do you provide clear data from third party services (such as Gmail / Outlook etc)?

    You do a great job, it’s normal that you comply with the law.

    But you must be totally transparent on the subject and tell us clearly what you are likely to communicate.

    For example, you provide a hidden service (which is great by the way), so you are not able to communicate the IPs of the users using it.

    So you keep in clear between proton users:

    – The subjects
    – Sending time
    – To
    – From

    And about emails going to other services:

    – The Subjects
    – Sending time
    – The body of the message
    – To
    – From

    So you are likely to communicate the above elements?

    • Hi Jason! We are sorry you feel that way. We always try to answer our users’ questions in a timely manner.