Updated on 13.03.2019
From time to time, ProtonMail may receive requests for assistance from law enforcement authorities. As a strict general rule, ProtonMail only complies with legally binding requests that have been approved by Swiss authorities. Moreover, under article 271 of the Swiss Criminal Code, it is an offence to comply with foreign requests that have not been approved by the Swiss authorities. Therefore, ProtonMail only complies with two types of requests: (1) requests from the Swiss authorities and (2) foreign requests that have been duly instructed and validated by Swiss authorities through an international legal assistance procedure and determined to be in compliance with Swiss law.
All data requests are also checked by our internal abuse and legal team. In the event that we have questions about the legality of a request under Swiss law, ProtonMail will always request further clarification from Swiss authorities. If doubts persist and the request appears not to be compliant with legal requirements, ProtonMail will contest the request to the extent permitted by law.
ProtonMail may also sometimes act upon other types of requests. If presented with overwhelming evidence that the account in question is being used for illegal purposes against our Terms and Conditions, the offending account will be suspended immediately. Legality is assessed under Swiss law, and illegal purposes include activities such as phishing, ransomware or identity theft. No data is handed to third parties during this process unless a qualifying data request is also received.
- In the 4th quarter of 2015, we received a request from the Swiss Federal Police to retain data for an account that was the subject of a criminal investigation. The data preservation request was made by the US Federal Bureau of Investigation via MLAT agreement. After consultation with counsel, Proton Technologies AG decided to comply with the request and preserve the requested account data. No data was handed over as we have yet to receive a binding court order requesting this data.
- In the 1st quarter of 2016, we received a request for user data from the Ministère public of the République et Canton de Genève, originating from the United Kingdom, which was legally valid under la Convention européenne d’entraide judiciaire en matière pénale (CEEJ Strasbourg 1959, RS 0.351.1) and the Deuxième Protocole additionnel (Strasbourg 2001, RS 0.351.12). The full facts of the criminal incident were provided to us. Given that criminal action was clearly involved and in breach of our terms and conditions, we declined to mount a court challenge against the request. Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the second quarter of 2016, we received a request for user data as part of an ongoing investigation into a bomb threat in the United States. We agreed to retain (but not hand over) data on this case, pending the issuance of a Swiss court order requesting this data.
- In the second quarter of 2016, we received a request from Swiss authorities on behalf of German authorities requesting information in a case where a minor was at risk. After consultation with counsel, we learned a binding Swiss court order is inevitable in this case. Therefore, we handed over available data in this case without waiting for a court ruling in order to not hinder the investigation. It is ProtonMail’s policy to always assist authorities in cases involving pedophilia or terrorism.
- In the second quarter of 2016, we received a request from Swiss authorities on behalf of French authorities requesting information on a case involving extortion. Upon our request, Swiss authorities provided to us a copy of the International Letters Rogatory and court order approved by a Paris judge. Upon our request, a Swiss court order was also provided for this data request. Since clear evidence of a crime was provided and requested paperwork was in order, Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the fourth quarter of 2016, we received a request from Swiss authorities from the Canton de Vaud, seeking information in a fraud case. After reviewing the relevant court order, Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the first quarter of 2017, we received a request from the Swiss Federal Police regarding a case of fraud which occurred in the Czech Republic. Czech authorities had secured the appropriate Swiss court approvals via an International Letters Rogatory and provided evidence documenting the fraud which had occurred. After reviewing the relevant court order, Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In the first quarter of 2017, we received a request from the Swiss Federal Police that originated from the government of the Republic of Georgia concerning an alleged cybercrime. After reviewing the relevant court order, our legal team determined the request was excessively broad and we are challenging the request.
- In February 2017, we received notification from the Geneva prosecutor’s office regarding an impending data request from overseas that will come with a valid International Letters Rogatory. The most probable data requester is the US government. Update: The request is from the US Department of Justice in a case of extortion against a prominent advisory firm. After reviewing the relevant evidence forwarded by US authorities, criminal intent was apparent, so Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In March 2017, we received a request from the Geneva prosecutor’s office regarding a data request from overseas that came with a valid International Letters Rogatory. The request came from the German government, investigating an account with links to ISIS. However, we were unable to provide the data requested by the German government as we did not have access to the data requested.
- In April 2017, we received a request from the Swiss Federal Police about an information request coming from a former Soviet republic (not Russia) regarding a case with an immediate threat of bodily harm to innocent civilians. Proton Technologies AG decided to comply immediately with the data request, to the extent that it is possible, given our cryptography, with the understanding that a valid Swiss court order will be immediately delivered to our office as soon as possible.
- In May 2017, we received a request from US authorities in a US tax and money laundering case. We have informed US authorities that the request must pass through the Swiss Federal Police and be approved by a Swiss court before we will respond. Update: After contesting the validity of the warrant with assistance from lawyers from the EFF, the US government has decided not to pursue the search and seizure warrant.
- In July 2017, we received a request for assistance from British police in the case of the kidnapping of Chloe Ayling. In light of the fact that we were able to verify that the kidnappers were, in fact, using a ProtonMail account, and the fact that the first 48 hours are the most critical in kidnapping cases, we rendered assistance to law enforcement without a court order, but with the understanding that a court order would be furnished to us retroactively. We delayed disclosure on our transparency report at the request of police until the victim was successfully rescued. Update: The court order was indeed received soon after we rendered assistance.
- In August 2017, we received a request for assistance from the government of Turkey that was passed to us through the Swiss Federal Police. We rejected the request on account of the Turkish government’s human rights record and will take the case to Swiss courts if the Turkish government files for an international proceeding.
- In January 2018, we received two requests for assistance from US law enforcement, regarding bomb threats made with ProtonMail. We rendered assistance to Swiss law enforcement working on this case without having yet received a court order, but with the understanding that an approved court order was on its way to us. Update: The court order was indeed received soon after we rendered assistance.
- In March 2018, we received a police request from Austria involving a politician who was accused of sexual harassment. The authorities are trying to identify the person who reported the accusation. Since the person who made the report is likely entitled to certain privacy protections, we have rejected the request even though it was approved by a Swiss court, and have requested that the Geneva prosecutor’s office review the facts of the case again and provide Proton legal with additional information.
- In May 2018, upon the request from the top law enforcement officer from an EU country in a case involving terrorism with an imminent threat, we disabled an account and rendered assistance, with the assurance from Swiss authorities that a court order was on its way to us. We did indeed receive the court order. Per our standard procedure for cases like this, we will attend the court hearing to learn details from the relevant authorities about this case and to ensure that all applicable due process was followed.
- In January 2019, we discovered evidence that a data request from an EU country in Eastern Europe may be improperly targeting a whistleblower who exposed corruption involving a high-ranking politician. As a result, we are opposing the assistance request from the Swiss prosecutor’s office.
Aggregated statistics of all requests by authorities that we have received in 2017 and 2018 are provided below:
| Year | Requests by Swiss authorities | Foreign requests approved by Swiss authorities | Contested requests | Requests complied with |
Foreign requests approved by Swiss authorities:
In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.