Updated on Aug. 2, 2019
From time to time, ProtonMail may receive requests for assistance from law enforcement authorities. As a strict general rule, ProtonMail only complies with legally binding orders that have been approved by Swiss authorities. Moreover, under article 271 of the Swiss Criminal Code, it is an offence to comply with foreign requests that have not been approved by the Swiss authorities. Therefore, ProtonMail only complies with two types of orders: (1) orders from the Swiss authorities and (2) foreign requests that have been duly instructed and validated by Swiss authorities through an international legal assistance procedure and determined to be in compliance with Swiss law.
ProtonMail is not required to store communications metadata or IP information, as we are exempted under the Swiss Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and its accompanying ordinance. ProtonMail can therefore apply a policy of collecting as little user information as possible in order to protect user privacy. To know exactly what kind of metadata your use of ProtonMail creates, please refer to our Privacy Policy. Upon receiving a judicial order validated by Swiss authorities, ProtonMail is obliged to provide any readily available user information that would help identify a user who is the subject of a criminal investigation. In addition to the items listed in our privacy policy, in extreme criminal cases ProtonMail may also be obligated to monitor the IP addresses used to access ProtonMail accounts that are engaged in criminal activities. Under no circumstances will ProtonMail be able to provide the contents of end-to-end encrypted messages sent on ProtonMail.
All data orders are also checked by our internal abuse and legal team. In the event that we have questions about the legality of an order under Swiss law, ProtonMail will always request further clarification from Swiss authorities. If doubts persist and the order appears not to be compliant with legal requirements, ProtonMail will contest it to the extent permitted by law.
ProtonMail may also sometimes act upon other types of requests. If presented with overwhelming evidence that the account in question is being used for illegal purposes in violation of our Terms and Conditions, the offending account will be suspended immediately. Legality is assessed under Swiss law, and illegal purposes include activities such as phishing, ransomware, or identity theft. No data is handed to third parties during this process unless a qualifying data order is also received.
Warrant Canary:
- In the 4th quarter of 2015, we received an order from the Swiss Federal Police to retain data for an account that was the subject of a criminal investigation. The data preservation order was made by the US Federal Bureau of Investigation via MLAT agreement. After consultation with counsel, Proton Technologies AG decided to comply with the order and preserve the relevant account data. No data was handed over as we have yet to receive a binding court order for this data.
- In the 1st quarter of 2016, we received an order for user data from the Ministère public of the République et Canton de Genève, originating from the United Kingdom, which was legally valid under la Convention européenne d’entraide judiciaire en matière pénale (CEEJ Strasbourg 1959, RS 0.351.1) and the Deuxième Protocole additionnel (Strasbourg 2001, RS 0.351.12). The full facts of the criminal incident were provided to us. Given that criminal action was clearly involved and in breach of our terms and conditions, we declined to mount a court challenge against the order. Proton Technologies AG decided to comply with the data order, to the extent that it is possible, given our cryptography.
- In the second quarter of 2016, we received a request for user data as part of an ongoing investigation into a bomb threat in the United States. We agreed to retain (but not to hand over) data on this case, pending the issuance of a Swiss court order for this data.
- In the second quarter of 2016, we received an order from Swiss authorities on behalf of German authorities requesting information in a case where a minor was at risk. After consultation with counsel, we learned that a binding Swiss court order was inevitable in this case. Therefore, we handed over available data in this case without waiting for a court ruling in order not to hinder the investigation. It is ProtonMail’s policy to always assist authorities in cases involving pedophilia or terrorism.
- In the second quarter of 2016, we received an order from Swiss authorities on behalf of French authorities requesting information on a case involving extortion. Upon our request, Swiss authorities provided to us a copy of the International Letters Rogatory and court order approved by a Paris judge. Upon our request, a Swiss court order was also provided for this data request. Since clear evidence of a crime was provided and the requested paperwork was in order, Proton Technologies AG decided to comply with the data order, to the extent that it is possible, given our cryptography.
- In the fourth quarter of 2016, we received an order from the Swiss authorities of the Canton de Vaud, seeking information in a fraud case. After reviewing the relevant court order, Proton Technologies AG decided to comply with the data order, to the extent that it is possible, given our cryptography.
- In the first quarter of 2017, we received an order from the Swiss Federal Police regarding a case of fraud which occurred in the Czech Republic. Czech authorities had secured the appropriate Swiss court approvals via an International Letters Rogatory and provided evidence documenting the fraud which had occurred. After reviewing the relevant court order, Proton Technologies AG decided to comply, to the extent that it is possible, given our cryptography.
- In the first quarter of 2017, we received an order from the Swiss Federal Police that originated from the law enforcement authorities of the Republic of Georgia concerning an alleged cybercrime. After reviewing the relevant court order, our legal team determined it was excessively broad and we are challenging the order.
- In February 2017, we received notification from the Geneva prosecutor’s office regarding an impending data request from overseas that will come with a valid International Letters Rogatory. The most probable data requester is US law enforcement. Update: The request is from the US Department of Justice in a case of extortion against a prominent advisory firm. After reviewing the relevant evidence forwarded by US authorities, criminal intent was apparent, so Proton Technologies AG decided to comply with the data request, to the extent that it is possible, given our cryptography.
- In March 2017, we received an order from the Geneva prosecutor’s office regarding a data request from overseas that came with a valid International Letters Rogatory. The request came from German law enforcement, investigating an account with links to ISIS. However, we were unable to provide the data requested by German law enforcement as we did not have access to the data requested.
- In April 2017, we received a request from the Swiss Federal Police about an information request coming from a former Soviet republic (not Russia) regarding a case with an immediate threat of bodily harm to innocent civilians. Proton Technologies AG decided to comply immediately with the data order, to the extent that it is possible, given our cryptography, with the understanding that a valid Swiss court order would be delivered to our office as soon as possible.
- In May 2017, we received a request from US authorities in a US tax and money laundering case. We have informed US authorities that the request must pass through the Swiss Federal Police and be approved by a Swiss court before we will respond. Update: After contesting the validity of the warrant with assistance from lawyers from the EFF, the US authorities have decided not to pursue the search and seizure warrant.
- In July 2017, we received a request for assistance from British police in the case of the kidnapping of Chloe Ayling. In light of the fact that we were able to verify that the kidnappers were, in fact, using a ProtonMail account, and the fact that the first 48 hours are the most critical in kidnapping cases, we rendered assistance to law enforcement without a court order, but with the understanding that a court order would be furnished to us retroactively. We delayed disclosure on our transparency report at the request of police until the victim was successfully rescued. Update: The court order was indeed received soon after we rendered assistance.
- In August 2017, we received a request for assistance from Turkish law enforcement authorities that was passed to us through the Swiss Federal Police. We rejected the request on account of the Turkish government’s human rights record and will take the case to Swiss courts if the Turkish government files for an international proceeding.
- In January 2018, we received two requests for assistance from US law enforcement, regarding bomb threats made with ProtonMail. We rendered assistance to Swiss law enforcement working on this case without having yet received a court order, but with the understanding that an approved court order was on its way to us. Update: The court order was indeed received soon after we rendered assistance.
- In March 2018, we received a police request from Austria involving a politician who was accused of sexual harassment. The authorities are trying to identify the person who reported the accusation. Since the person who made the report is likely entitled to certain privacy protections, we have rejected the order even though it was approved by a Swiss court, and have requested that the Geneva prosecutor’s office review the facts of the case again and provide Proton legal with additional information.
- In May 2018, upon the request from the top law enforcement officer from an EU country in a case involving terrorism with an imminent threat, we disabled an account and rendered assistance, with the assurance from Swiss authorities that a court order was on its way to us. We did indeed receive the court order. Per our standard procedure for cases like this, we will attend the court hearing to learn details from the relevant authorities about this case and to ensure that all applicable due process was followed.
- In January 2019, we discovered evidence that a data request from an EU country in Eastern Europe may be improperly targeting a whistleblower who exposed corruption involving a high-ranking politician. As a result, we are opposing the assistance order from the Swiss prosecutor’s office.
- In April 2019, upon the order of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.
- In July 2019, we received a request for information that was approved by the Swiss judiciary involving a case in another EU country, which upon further assessment, we suspect could be targeting a whistleblower. We have refused to hand over data while seeking further clarification from the authorities as to why this request for information was approved in the first place, and asking for Swiss authorities to re-check the facts of the case.
Request Statistics
Aggregated statistics of all requests by authorities that we have received in 2017 and 2018 are provided below:
| Year | Orders by Swiss authorities | Foreign requests approved by Swiss authorities | Contested orders | Orders complied with |
|---|---|---|---|---|
| 2018 | 262 | 76 | 4 | 336 |
| 2017 | 13 | 13 | 3 | 23 |
Foreign requests approved by Swiss authorities:
| Jurisdiction | 2018 | 2017 |
|---|---|---|
| Europe | 61 | 10 |
| Austria | 2 | – |
| Belgium | 1 | – |
| Bosnia-Herzegovina | 1 | – |
| Cyprus | – | 1 |
| Czech Republic | – | 1 |
| Estonia | 1 | – |
| France | 5 | – |
| Germany | 19 | 1 |
| Greece | 2 | – |
| Italy | – | 2 |
| Latvia | 2 | – |
| Lithuania | 1 | – |
| Malta | – | 1 |
| Monaco | 1 | – |
| Netherlands | 16 | 2 |
| Norway | 1 | – |
| Poland | 2 | 1 |
| Sweden | 2 | – |
| Slovakia | 1 | – |
| United Kingdom | 4 | 1 |
| North America | 10 | 3 |
| United States | 10 | 3 |
| South America | 2 | – |
| Argentina | 1 | – |
| Brazil | 1 | – |
| Asia | 3 | – |
| Jordan | 1 | – |
| Oman | 1 | – |
| Indonesia | 1 | – |
| Total | 76 | 13 |
124 comments on “Transparency Report”
Thanks for the awesome work so far. I look forward to reviewing your code.
“Under Swiss law, ProtonMail also cannot be compelled to have this ability so we cannot turn over unencrypted user communications if we receive a request from the Swiss government.”
I assume this means that, under Swiss law, ProtonMail cannot be compelled by authorities to modify its (client-sided) decryption scripts to send the password back to law enforcement?
Actually, this is discussed in more detail on another blog post we made: https://protonmail.com/blog/switzerland/
I am looking forward to someday having an invite appear in my inbox! My fingers are crossed 🙂
Please allow me to try and use your ProtonMail; it looks interesting to me.
“By using open source libraries, we can guarantee that none of the encryption tools we are using have clandestinely built in back doors.”
Wow! You can GUARANTEE zero backdoors? Like the RSA? Like openSSL? Like {insert almost any open source library at one time or another}.
Amazing!
+1 for using auditable FOSS libraries. -1000 for false claims. FOSS libraries just let you confirm or deny reported problems and let people go look for them. They don’t *guarantee* backdoors don’t exist.
100% certainty is always impossible, but I think everybody out there is fairly confident that OpenSSL does not have a backdoor, you do get a certain measure of safety from having thousands of people poring over the code.
SSL has been 100% broken in real time by security agencies since 1997. RSA was intentionally weakened to make it easy to break. You should be very careful relying on “public libraries” of opensource code, it will give users a false sense of security.
A distinction has to be made between RSA the company, and RSA the algorithm. The algorithm is just mathematics and is sound, especially in the open source implementations of it.
Just a curious question: are you planning to stay with OpenSSL, or perhaps contemplating going with the fork towards LibreSSL?
We plan to stay with OpenSSL.
education – forums – craigslist
I heard about this new and secure email service by ProtonMail at http://www.extratorrent.cc and I was extremely interested, so I visited the ProtonMail website and started reading almost everything about the secure email service, but I have only one question to ask: how did you guys raise funding for such an expensive project, and how do you plan to raise additional funds to keep these services always running? I will be extremely happy if ProtonMail officials answer my question ASAP if possible. Thanks for the great service and good work done! Keep the privacy spirit up!
So actually, the project is not that expensive because the biggest cost is our time. And this we are very willing to give for free because this is a cause we truly believe in.
True transparency requires financial transparency as well. And, once you have the funds, a properly sourced third party audit of finances and policies. Just posting milestones in that direction would suffice for the moment.
The same RSA that the NSA compromised?
http://www.wired.com/2013/09/rsa-advisory-nsa-algorithm/
RSA is both an algorithm and a company. The company is compromised, but the algorithm is just mathematics and that isn’t so easily compromised 😉
well stated…simple and to the POINT.
One key aspect of security is understanding your business model. If I don’t understand how you make the money required to operate the service, I can’t be sure about your survivability, and your resistance to human hacks. It would be useful to post something about this on your “About Us” and “Security” pages.
Put another way, where do I send my check once I get an account?
Thanks for putting together a very useful service.
We intend to pay the bills by charging for extra storage once the service goes out of beta, this should be able to cover our operating expenses.
Please send me complete information on the ProtonMail account, costs, how to sign up, and operating instructions. Thanks. WG
I understand pgp and gpg. One public key to encrypt and a private one to decrypt. But I don’t understand how you encrypt a mail for a particular user as you don’t have his public key.
Could you explain like I’m 5? 🙂
We do have the public keys; the ProtonMail servers serve as a public key store. But this is not a security issue because public keys, by definition, are public.
Is this not still susceptible to a man-in-the-middle attack? If a compromised server provides a false public key for the intended recipient, decrypts the message on the server, then encrypts it again for the recipient with the correct key?
This would require changes of the code server side which would be detected.
I’ve got another question about the keys!
The public one is stored at your server... that’s OK.
But what about the private key? Where is that one stored?
I’d like to have that one stored on my PC and not on a server.
Kind regards and thanks for your efforts 😉
If the person you are sending an encrypted, time-expiring message to is in China and is using an account like sina.com, will the message be scannable by the “great firewall”? If they have a Proton account, will it pass the “great firewall” without being read?
No, encrypted messages cannot be scanned by the Chinese great firewall.
Two questions:
1) Can I communicate securely with friends using OpenPGP, GPG etc., or would they need a Protonmail account?
2) Will there be mail folders at some point (or did I overlook the feature)?
Hey ProtonMail team, first I want to say thanks for what you are doing; it’s amazing what you did.
But I have one question: do you have any plans to make a standard for other providers to send asymmetrically encrypted mails to ProtonMail and vice versa?
Hey guys,
Congrats on the success of ProtonMail. I just got the invitation 3 days ago and I registered, but whenever I send an email to my ProtonMail account I receive this error:
“Hi, User saurabh.kumar@protonmail.ch doesn’t exist. Please check the email address again. Thank you! ProtonMail”
But I already registered my account under this email and it’s working perfectly; I can send email from my ProtonMail account but I can’t receive it.
Please look into it and respond to me ASAP, I am eagerly waiting to use the services.
Thank you
saurabh.k1@hotmail.com
Hi Saurabh, we have sent you an email about this issue, thanks for reporting it.
Hi, I read the letter from “Interested User” above who asked where the PRIVATE key is stored. You haven’t put an answer on the website.
I too would like to know where the private key is stored.
Greg
http://security.stackexchange.com/questions/58541/how-are-protonmail-keys-distributed
Hello there ProtonMail! I’m really taken aback and very pleasantly delighted that there is an actual group of individuals out there in this world who’ve been able to create the reality and ability which truly seems to uphold the same belief system as me on the issues of privacy standards and human moral values, along with respect for people... That is awesome and gives me a bit of hopefulness for the human race and life as we know it. Since I could remember as a little kid and up to now, I never stopped thinking so much about the fast advancements of technology and its invasive and intrusive integration with our everyday lives... I’m very, very happy that I’ve come across ProtonMail; it’s the first group I’ve ever seen that seems to perfectly suit me! Thank god you guys came about... I’m looking forward and hoping for the opportunity to be able to open an account with ProtonMail and have it as my new email address! Thanks, Natasha
I am waiting eagerly to receive my invite. Checking my current mailbox every day. I really hope it won’t take too long.
Thank you guys you have given me the invite to use protonmail within 5 days of my request. I like you guys
Quick question, will there be a way to have Push on Android with Protonmail (through K-9 or perhaps an own protonmail app)?
We are currently developing an Android app, which should be released in the near future.
Take note: if you protect a mail with a password, ProtonMail sends the mail, but the Exchange server of my office blocks it without any message.
I tried to send from my Proton account to my professional account.
Can you say whether you notified the individuals whose data the government tried to access?
Can you also say what government institutions tried to get user data, what kind of data they wanted and what was their reaction when you denied their requests?
If the foreign government succeeds in getting a Swiss court order, notification of the individual targeted is mandatory. For privacy reasons, we cannot publicly disclose which governments requested data and what data they requested. We think that privacy is a universal right and even governments are entitled to privacy when they make a request.
Can you say what government institution tried to get user data, what kind of data they wanted (metadata, actual email messages etc.), what was their reaction when you denied their requests and whether you notified the users whose data they tried to access?
https://protonmail.com/blog/transparency-report/
On the link “https://protonmail.com/”, I have found using Ghostery, a Chrome extension which you might know, that it had tracked a tracker called Piwik Analytics. I don’t think it’s safe.
Piwik is OK, it is an open source analytics tool which we self host (so no data sent to third parties) and is used to gather browser/language information so we know which browsers/languages we need to support.
3 Months without an update to the Canary? Historically, how often was the canary being updated?
Whenever we receive a new request that would require us to update the numbers shown here. No update means no new requests.
If you are worried, know that Piwik actually respects the “do not track” setting of your browser. Unlike many other systems.
Is it possible for you to also release the country of origin these requests come from in your report? Thanks.
Hey,
Many thanks for being such champions of privacy, much appreciated!
I have two related questions:
a) Up to reading this very page, I thought ProtonMail followed Swiss court orders only and strictly in regards to handing over user data; however, I read that “Proton decided to comply with the request” even before a court order was issued. Has Proton’s approval policy changed? If so, what rules are used?
b) Was the original assumption of Switzerland being out of reach of the EU and US wrong, considering MLAT and similar agreements used in the two (so far) approved user data requests?
Cheers!
The request we complied with was approved by the Swiss judiciary.
Apart from encrypted emails themselves, what kind of “user data” was handed over? The login password? Access to any other data that or technical mean that could facilitate obtaining or cracking the private key?
In the one case from Q1 2016, we only handed over the non-ProtonMail email account the user linked to their ProtonMail account.
Does ProtonMail keep a log of the mobile number used for account verification (SMS verification code)?
We store this information to avoid spammers using the same number to obtain multiple accounts.
I am a Citizen in the United States of America. That being said, the concepts and issues of Privacy versus Government, are always endlessly interesting, to say the least.
I just started using ProtonMail yesterday. As I read more about ProtonMail, the more thrilled I become with my decision.
Thank you!
please do not destroy any data or information for the following accounts:
benrotast@protonmail.com
proxyhackr@protonmail.com
I am the owner of these accounts and they have been compromised by people in industry and the US government in a highly illegal, black operation that is performing a bizarre form of psychological torture.
I am currently enduring this torture and believe that the information will indicate foul play and the methods used to hack the accounts.
508-292-6046
818-747-9361
When you say
«To be counted here as a request for information, the request must come through official channels foreign or domestic (either a court order, directly from a government entity, or from legal/security departments of corporations). We do not count unofficial requests such as requests made by private individuals.»
do you not separate requests from authorities and requests from corporations?
Thank you.
We do not, because we will also respond to corporate requests such as reports of phishing. We will disable accounts involved in criminal activity and sometimes retain data until an official law enforcement request can be made.
“In the second quarter of 2016, we received a request from Swiss authorities on behalf of German authorities requesting information in a case where a minor was at risk. After consultation with counsel, we learned a binding Swiss court order is inevitable in this case. Therefore, we handed over available data in this case without waiting for a court ruling in order to not hinder the investigation. It is ProtonMail’s policy to always assist authorities in cases involving pedophilia or terrorism.”
This worries me SO MUCH. You gave away information without any actual court order because the case relates to pedophilia/terrorism, governments know damn well that if you want something done you just mention the magic words pedophilia or terrorism and tadaa!
Basically I am reading “It is ProtonMail’s policy to always assist authorities in cases where the government is willing to lie to us.”
Now I am sure you thought this through, but can you please take away my worries? Thank you!
This particular request was vetted by our legal team. We only agreed to cooperate after it became clear that the authorities had a clear legal case and would be able to get court approval.
When you say “We will disable accounts involved in criminal activity and sometimes retain data until an official law enforcement request can be made,” what does that “involvement” in fact mean? Does it mean a mere suspicion of such “criminal activity” or something more? In other words, no charge and/or conviction needed; just an ongoing investigation is enough for you to determine that an account has been involved in criminal activity and therefore it will be disabled?
Usually when we are presented with clear evidence (like a copy of a phishing email for example).
So. Your company handed over user data without a court order because it was inevitable? But if that’s the case, why not wait for that inevitability. This makes me very uneasy because it’s a slippery slope. Why not follow the law and your policy and wait for court orders?
I also need to know what sort of data is being handed over. In your site it says IP information is not recorded and mail is encrypted. So what do you hand over for these requests?
You can see the data we can hand over in our privacy policy. We did not wait in that case because a minor was at serious risk and speed was important.
Hello,
Can you explain what you mean by what data you retain when asked?
By default IP logs are disabled; do you enable them in such a case? Do you only copy all emails in case the user deletes them? If yes, do you have a time limit on storage?
Thank you
For retention requests, we will retain the current state of the account (at the time the retention request is asked) for a period of 6 months. We do NOT enable logging.
“In March 2017, we received a request from the Geneva prosecutor’s office regarding a data request from overseas that came with a valid International Letters Rogatory. The request came from the German government, investigating an account with links to ISIS. However, we were unable to provide the data requested by the German government as we did not have access to the data requested”
How did you not have access ?
ProtonMail uses end-to-end encryption.
For the cases where ProtonMail has handed out data access (under whatever rationales and any stipulated terms) *before* a legally binding order from the Swiss courts was procured and delivered, how many of those handed-out data accesses were *subsequently* validated and covered by the procurement and delivery of such a legally binding order?
This may be answered by “number disclosed before order” and “number of those later covered with order”.
So far all of them.
Please! Tell me, what do I need to do? Every time I type the text of a letter, the letters jump around as I type, swapping places, and the text of the letter I send comes out... jumbled... Help! With respect, Boris.
This might sound odd, but did you guys ever think of making a Proton browser? Sort of like Tor, but without all the other things you have to do with Tor.
thanks
I believe there is a need for privacy, but I was informed by local police that a user has sent a threatening letter about harming students at a foreign school (not Swiss) through ProtonMail. For you to offer a system that protects such users is rather absurd. Hopefully you carefully think about this offering and take measures to allow justice for those who can and will use technology to commit crimes. If the justice system needs to jump through many hoops and communicate with foreign Swiss courts to obtain information, valuable time may be lost, people injured, and crimes might go unpunished. Hopefully there is some balance between lawful use and danger to society. I also don’t agree with “Big Brother” snooping, so don’t get me wrong. We need privacy, but we also need some form of justice and protection against a few nuts that could misuse your service.
But that’s the thing. End-to-end encryption is absolute. You can’t have it ‘a bit’, but not have it when someone makes a decision that ‘nah, no privacy in this case’. ProtonMail, based on what I’ve read, provides what they can (I’d even call it helpful!) but without compromising end-to-end encryption. Encryption is only thing that can’t be compromised. All this bull on news, calling Australian law over math’s laws and ‘we cannot aide terrorist’ and so on.
If companies eventually are forced to implement backdoors or lift privacy veil in any way, terrorists will code their own tools, and governments won’t have control over them. All of us, random, users will suffer, once backdoor control gets lost or broken. The only thing that has to remain is uncompromised end to end encryption and this, by definition, cannot allow for any peeking.
Why don’t you go invent “selective encryption” without it getting abused and report back here?
I solely believe the fact that ProtonMail protects all emails. Even after the authorities have legal requests for any suspicious criminal acts against other individual(s) or a country, ProtonMail would hold back on the investigation. My case: I am a civilian of the US. Someone from ProtonMail has used my name and created an email account in my name to send me threats and obscene pics, and downloaded pics of me from my Facebook to threaten me. This individual(s)/culprit(s) is making my life miserable. I have contacted my local authorities to investigate; now, after reading your transparency canary, I think my harassment and threats will continue from ProtonMail clients since no action on your end is being taken to help.
Please look into case# 38491321 and #38490063, that I have reported under abuse and security. My only hope is that you have heart to find that I am reaching out to you to help catch this culprit. Please don’t let it be too late, for me, my family, or friends. Thank you in advance.
This worries me a bit. The idea of a transparency report is to be, well – transparent. These Request Statistics have not been updated in over 10 months and with the growing use of Proton Mail I’m sure these numbers have risen in the past 10 months. Proton VPN seems to have their transparency report updated more recently, and considering Proton Technologies AG’s focus on security and privacy, outdated or missing information from these reports is odd or even suspect.
This is a snippet from the transparency report:
Update: February 21, 2017 – Due to the increasing volume of requests, Proton Technologies AG will no longer continually publish updated statistics. Instead, aggregated statistics will be released periodically.
The below figures are the totals up to January, 2017 and are no longer being updated.
Email address (Mintvi@protonmail.com) has been used for harassment purposes.
Can you close that address, please.
We cannot disable an address without any proof. This would be a security issue for other users. Please send us a request to security@protonmail.ch with all the proof you have.
I pay for an encrypted account every month, multiple of them, and my password has been changed. I need to access my emails ASAP, please contact me. Lauren Schommer
Lauren, I am sorry to hear that! Who changed your password? Please contact our support through this form https://protonmail.com/support-form and one of our customer support experts will help you.
How is it possible that protonmail got ‘zero-access’ to protonmail accounts, but a few requests trying to access user data were granted? What did they actually get?
The information we can actually provide, is detailed in our privacy policy here: https://protonmail.com/privacy-policy
Accounts are locked out due to payment. Need assistance.
Please open a support ticket here: https://protonmail.com/support-form
How long does it take for you to wipe an account after it’s been deleted by the user?
The account is deleted from our production servers instantly. However, deleted data may be retained in our backups for up to 14 days. Please read more in our privacy policy: https://protonmail.com/privacy-policy
“IP Logging: ProtonMail does not log the IP addresses used to access our Service unless this feature is specifically enabled by the user (it is disabled by default).” If a user enables that option, will you at ProtonMail have access to these logs in case you are compelled to hand over data to authorities?
If the feature is disabled, any logs that are present are deleted.
You have excellent service, but reading all these court requests I wonder what type of data you provide on those requests? Do you give them the ability to log in to the account and provide them with the password, and can a judge log in with my credentials even if 2FA is turned on? Do you provide them with the 2FA codes also?
We cannot provide access to our users’ accounts as we do not have access to decryption keys or 2FA codes. See in the following link what is encrypted and what is not encrypted in ProtonMail: https://protonmail.com/support/knowledge-base/what-is-encrypted/
“I think everybody out there is fairly confident that OpenSSL does not have a backdoor”
Fairly confident isn’t 100% though… it’s interesting that your comment was actually posted a month after Heartbleed was disclosed!
Anyhoo, that’s mostly why you don’t just put your eggs in one basket – and use multiple layers of encryption utilising multiple ciphers.
Suppose I am being threatened from a ProtonMail account and I live in USA.
What are the legal steps I should take to assist in learning the owner of the account? (All the threats I have gotten are in clear text so no issues with data encryption)
Very sorry to hear this. Please send all proof of abuse to abuse@protonmail.ch and our abuse team will analyze this case and disable it in case it does not respect the law in Switzerland and our TOS.
If I sign up for an account with Protonmail can this be interchanged with those that are NOT Protonmail users? If so, how does the encryption maintain its integrity of any and all data either sent or received?
All messages forwarded to ProtonMail are encrypted the moment they reach our servers and protected with zero access encryption https://protonmail.com/blog/zero-access-encryption/ We provide the possibility to send end-to-end encrypted emails to Non-ProtonMail recipients. https://protonmail.com/support/knowledge-base/encrypt-for-outside-users/ and we also provide full PGP support https://protonmail.com/support/knowledge-base/how-to-use-pgp/
I want to thank you I really need this service and so does everyone else !
Hello,
I am currently involved in custody and divorce in Canada. I am really hoping that you can help me as I have gone to the RCMP in the very small town and reported what I am about to tell you. Due to the small town I live in, unfortunately they just don’t seem to have the education needed to pass this along to the Tech Crimes Unit, which my friend who lives in the US told me the FBI will usually subpoena the information through the Swiss courts.
Is there a way for me to achieve such a warrant or to just get your help? I have now received two very volatile and threatening emails to my safety. Someone has made an email address using your services to threaten me. The RCMP officers, myself, and lawyer strongly believe it is the writings of my ex-husband who is very abusive and has been convicted of some very violent and heinous crimes. I need proof of the originating IP address of the person sending these threatening emails to me. My two little children are involved and I go to trial in March 2019. It would be very helpful to prove that these emails came from him. Can you help me? I’ve read on your support page that you will help those who fall under the category of “special and significant as requests and it states that…..anonymous threats.”
Can someone please help me…I already have the emails. I just need to know the originating IP address and any other information you can provide me. If you contacted me I could provide you the emails. The RCMP here, just aren’t trained to deal with technology-related issues, unfortunately.
Please let me know.
Thank you!
For the request for data to be legal (and for it to be admissible in court), it must come through law enforcement, so the RCMP should contact legal@protonmail.ch with their request for assistance and our legal team will help connect them to the Swiss police to process the request.
Often private and sensitive information (e.g. trade secrets) is obtained by threatening or bribing an insider (i.e. staff) who has access to the stored information.
This risk can be countered by using 2FA or passwords involving two or more staff before access to sensitive servers is granted.
Does Protonmail employ such internal security protocols to protect customer details?
Be aware …
No matter how much physical and electronic protection – along with secure areas and security guards – the weak point is always the human factor.
Foreign government intelligence services are skilled at accessing potential targets for recruitment.
It would be prudent, therefore, to review your information security to ensure recruitment risks are minimized.
Only our most senior employees have access to customer details and only do so when strictly necessary, such as upon reception of a legal order or for anti-abuse cases. We are well aware that the human factor represents a risk and both our recruitment team and security team ensure that best practices are enforced in that regard.
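The "passwords involving two or more staff" idea raised in the question above is usually implemented with a threshold secret-sharing scheme rather than by handing each person half a password. The following is an added example, not ProtonMail's code and not a description of how ProtonMail stores anything: it splits a constructed sample credential with Shamir's secret sharing over the field GF(2^127 - 1), so that any k of n staff shares reconstruct it while fewer than k shares carry no information about it. The share format, field size and 14-byte secret limit are choices made for this example.

```python
"""Two-person rule for a sensitive credential via Shamir secret sharing.

Added example (not ProtonMail's code). A credential is split into n shares
handed to n staff; any k of them reconstruct it, while k-1 shares reveal
nothing. Arithmetic is over GF(p) with p = 2^127 - 1, so the
length-prefixed secret must fit in 15 bytes (14 bytes of payload).
"""
import secrets

PRIME = (1 << 127) - 1        # Mersenne prime used as the field order
MAX_SECRET_LEN = 14           # 1 length byte + 14 payload bytes < 2^120 < PRIME


def _eval_poly(coeffs, x):
    """Evaluate polynomial (lowest degree first) at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError("secret too long for this field")
    # length prefix lets recover_secret strip field padding unambiguously
    s = int.from_bytes(bytes([len(secret)]) + secret, "big")
    # constant term is the secret; the k-1 higher coefficients are random
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, k: int) -> bytes:
    """Reconstruct the secret from at least k shares (Lagrange at x = 0).

    Raises ValueError when fewer than k shares are presented: the two-person
    rule is enforced by the math, not only by policy.
    """
    if len(shares) < k:
        raise ValueError(f"{len(shares)} share(s) presented, {k} required")
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Lagrange basis value L_i(0) = num / den; divide via Fermat inverse
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    buf = total.to_bytes(16, "big").lstrip(b"\x00")
    if not buf:
        return b""
    return buf[1:1 + buf[0]]


def demo() -> bool:
    """Three staff hold shares of a constructed credential; any two unlock it."""
    credential = b"db-root-pw-19"              # constructed sample value
    alice, bob, carol = split_secret(credential, k=2, n=3)
    # Alice and Carol together can reconstruct; Alice alone cannot.
    return recover_secret([alice, carol], k=2) == credential


if __name__ == "__main__":
    print("two-person unlock works:", demo())
```

In practice the reconstructed value would be used inside a hardware security module or a short-lived session rather than printed, and each share would be stored under its holder's own 2FA-protected credential, so both a second person and a second factor are required before the sensitive server is reachable.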
What kind of data do you hand over? I know if you have access to the server farm you are able to see all the routed traffic but are you able to make that kind of connection to an account? I don’t oppose handing information over but I want to know what kind of infrastructure and tools you run on the actual servers.
How can I be sure you were not hacked or coerced/blackmailed, causing your infrastructure to be implanted with malware? The root of my line of questioning is the burden of information you carry vs. how much the user controls.
Generally, as long as the order is delivered in the due process of law, we are requested to deliver anything that can be useful for identification.
You can never be absolutely sure of anything but we try to be as open and transparent as possible without it facilitating abuse. We are also working on a security audit that should add further legitimacy to our claims of independence.
Do you retain the originating IP address of an account that has been deleted? So if I were being harassed by someone with a ProtonMail account and they then deleted that account would I be able to discover IP information to possibly trace back to them?
No, if a user has activated authentication logs, deleting the account or deactivating the logs will delete the registered IPs.
So it sounds like I would have no way to figure out their ISP even with LE assistance?
It depends whether the account has other data that could lead to identification.
What about Australia – why has Australia been left off the list? Is that because ProtonMail MUST give access to comply with Australian laws?
Australia was not left off the list. We received no MLA request from Australian authorities, at least none that was confirmed and forwarded by Swiss authorities.
Thank you for providing your transparency report. If privacy laws allow, it would be great to share a success story in regards to how ProtonMail’s technology protects victims of crime and/or domestic abuse.
Somebody is blackmailing me using email id news2100@protonmail.com, please help.
Hi! We are sorry to hear this. If you have proof that this address is being used for something illegal or is involved in any illegal activities, please send them to abuse@protonmail.com and our abuse team will investigate and take proper measures if needed.
I use ProtonVPN. If I access my ProtonMail e-mail with the VPN turned on, then you guys record the IP address I used to login, correct?
Either way, your VPN probably knows my actual IP address since I use it to connect to the VPN. In that case, you have the ability to reveal my true IP to authorities even if I login using your VPN, correct?
ProtonVPN does not log any of our users’ activity, IP addresses, or DNS requests. Please note that we have a strict no logs policy and we cannot be forced to log data against our will, as such an order would be illegal under Swiss law: https://protonvpn.com/privacy-policy.