ProtonMail Warrant Canary
Last updated February 21, 2017
This warrant canary is updated whenever a new legally binding request is received, or is about to be received if we have advance warning.
Update: February 21, 2017 – Starting in February 2017, we are switching to quarterly reporting for User Data Access Requests and User Data Retention Requests. The figures below are current up to January 2017; in the future they will be replaced by quarterly reports, with the next one due to be released on March 31st, 2017.
In parallel with this change, we are also switching to real-time reporting of legally binding data requests.
ProtonMail has received a total of:
User Data Access Requests
- 54 requests to access user data
- 5 requests were granted
- 49 requests were denied
- 6 legally binding requests
User Data Retention Requests
- 10 requests to retain user data
- 7 requests were granted
- 3 requests were denied
- 2 legally binding requests
To be counted here as a request for information, the request must come through official channels, foreign or domestic (either a court order, directly from a government entity, or from the legal/security departments of corporations). We do not count unofficial requests such as requests made by private individuals. Legally binding requests are ones from the Swiss courts that we are legally obligated to comply with. Under Swiss data protection regulations, we cannot legally comply with foreign requests that are not supported by a Swiss court order.
In addition to requests to hand over data, we can also receive requests to retain user data. These requests typically come from the Swiss Federal Police when they are asked to assist in a domestic or international investigation. In these circumstances, we may be asked to permanently retain a copy of user data to prevent the destruction of evidence in an ongoing criminal investigation. However, this data is only retained, and is NOT handed over to any third parties.
Under Swiss law, ProtonMail can only turn over user data if we receive a request from a Swiss court that is approved by the judge. ProtonMail can only hand over encrypted messages as we do not have the ability to decrypt user messages. Further details are available here.
On an almost daily basis, Proton Technologies AG also receives account deletion requests from both official and unofficial channels. These requests are too numerous to list here and are handled on a case-by-case basis by our security team. If presented with overwhelming evidence that the account in question is being used for illegal purposes against our Terms and Conditions, we will shut down the offending account immediately. Legality is defined based on Swiss law, and illegal purposes include activities such as phishing, ransomware, identity theft, etc., but not prostitution, tax evasion, gambling, or other activities protected by Swiss law.
- In the 4th quarter of 2015, we received a request from the Swiss Federal Police to retain data for an account that was the subject of a criminal investigation. The data preservation request was made by the US Federal Bureau of Investigation via an MLAT agreement. After consultation with counsel, Proton Technologies AG decided to comply with the request and preserve the requested account data. No data was handed over as we have yet to receive a binding court order requesting this data.
- In the 1st quarter of 2016, we received a request for user data from the Ministère public of the République et canton de Genève, originating from the United Kingdom, which was legally valid under la Convention européenne d’entraide judiciaire en matière pénale (CEEJ Strasbourg 1959, RS 0.351.1) and the Deuxième Protocole additionnel (Strasbourg 2001, RS 0.351.12). The full facts of the criminal incident were provided to us. Given that a criminal action was clearly involved and in breach of our terms and conditions, we declined to mount a court challenge against the request. Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the second quarter of 2016, we received a request for user data as part of an ongoing investigation into a bomb threat in the United States. We agreed to retain (but not hand over) data on this case, pending the issuance of a Swiss court order requesting this data.
- In the second quarter of 2016, we received a request from Swiss authorities on behalf of German authorities requesting information in a case where a minor was at risk. After consultation with counsel, we learned that a binding Swiss court order was inevitable in this case. Therefore, we handed over available data in this case without waiting for a court ruling in order to not hinder the investigation. It is ProtonMail’s policy to always assist authorities in cases involving pedophilia or terrorism.
- In the second quarter of 2016, we received a request from Swiss authorities on behalf of French authorities requesting information on a case involving extortion. Upon our request, Swiss authorities provided to us a copy of the International Letters Rogatory and court order approved by a Paris judge. Upon our request, a Swiss court order was also provided for this data request. Since clear evidence of a crime was provided, and requested paperwork was in order, Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the fourth quarter of 2016, we received a request from Swiss authorities from the Canton de Vaud, seeking information in a fraud case. After reviewing the relevant court order, Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the first quarter of 2017, we received a request from the Swiss Federal Police regarding a case of fraud which occurred in the Czech Republic. Czech authorities had secured the appropriate Swiss court approvals via an International Letters Rogatory and provided evidence documenting the fraud which had occurred. After reviewing the relevant court order, Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the first quarter of 2017, we received a request from the Swiss Federal Police that originated from the government of the Republic of Georgia concerning an alleged cybercrime. After reviewing the relevant court order, our legal team determined the request was excessively broad and we are challenging the request.
- In February 2017, we received notification from the Geneva prosecutor’s office regarding an impending data request from overseas that will come with a valid International Letters Rogatory. The most probable data requester is the US government. Update: The request is from the US Department of Justice in a case of extortion against a prominent advisory firm. After reviewing the relevant evidence forwarded by US authorities, criminal intent was apparent, so Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.