ProtonMail Now Keeps IP Logs

After being compelled by a Swiss court to monitor IP logs for a particular user, ProtonMail no longer claims that “we do not keep any IP logs.”

EDITED TO ADD (9/14): This seems to be more complicated. ProtonMail is not yet saying that they keep logs. Their privacy policy still states that they do not keep logs except in certain circumstances, and outlines those circumstances. And ProtonMail’s warrant canary has an interesting list of data orders they have received from various authorities, whether they complied, and why or why not.

Posted on September 10, 2021 at 6:10 AM • 38 Comments

Comments

Who? September 10, 2021 6:20 AM

As any other Swiss company, ProtonMail is a team player. How much time until they block access through the Tor network?

Who? September 10, 2021 6:27 AM

Oh, I would bet this policy affects ProtonVPN too.

All to stop a climate activist, the worst offender known to governments, I guess. Crazy.

Gregg September 10, 2021 7:40 AM

ProtonMail doesn’t need to block access via Tor. After all, the CIA already controls most of the Tor exit nodes . . . or was that the NSA?

Clive Robinson September 10, 2021 7:54 AM

@ ALL,

After being compelled by a Swiss court to monitor IP logs for a particular user,

Take note of the implicit time line,

1, No logs.
2, Secret court order
3, — unspecified time duration —
4, Logging becomes “public knowledge”

That unspecified time of “secret logging” would for many be a danger zone. In that they would assume no logging and carry on their activities that might cause them problems down the line.

So,

Assume you are ALWAYS, without exception logged, by everyone and act accordingly.

I know it is a sad state of affairs to realise that you are by default treated as a “suspect” or “enemy of the State” but that is the reality of this century so far and we are only 20% of the way through it.

As the old saying has it,

It will get worse before it gets better, if it ever does.

Wicked Lad September 10, 2021 7:54 AM

FWIW, ProtonMail’s warrant canary has an interesting list of data orders they have received from various authorities, whether they complied, and why or why not.

It includes a 2019 case in which IP logging was enabled for a particular user. As Jim Salter’s Arstechnica article says, “The phrase ‘by default’ did a lot of heavy lifting in ProtonMail’s old front page.”

Joel Halpern September 10, 2021 8:48 AM

Potentially relevant to the above, I have seen work on using secure enclaves to create DNS servers that can not log their activity. It is related to work on encrypted DNS and to work on adjusting the behavior so that traffic correlation is at least difficult (I hesitate to say anything is impossible in a security discussion).
There is also discussion of whether that could be generalized to other cases. I have trouble seeing how it could work for a mail relay that needs to store data anyway. But it is an interesting path.

Nate September 10, 2021 9:27 AM

This is blatantly untrue. Their privacy policy still states that they do not keep logs except in certain circumstances, and outlines those circumstances: https://protonmail.com/privacy-policy

Bruce, I really respect you and I know you’re an expert, but this is second time I’ve caught you being sensationalist or flat out lying/misleading and it’s really making me question what else I’ve “learned” from you that isn’t true.

tfb September 10, 2021 9:32 AM

Is there evidence that they (now?) log by default, rather than when legally compelled to for a specific user? It ought to be pretty easy to have part of the authentication process say ‘is user in list of users we must log for? if yes, then log, otherwise don’t’.

tfb September 10, 2021 9:44 AM

In fact it is perhaps worth just quoting the section of their privacy policy:

IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation. This obligation however does not extend to ProtonVPN (see VPN privacy policy here). Additional details can be found in our transparency report.

Now, either that is a lie, or this article and some of the comments on it are sensationalist nonsense. Sadly the latter seems more likely to be true to me.

[In no way associated with ProtonMail, do not even have an account.]

Etienne September 10, 2021 9:48 AM

The Internet is a fad.

My collection of carbon paper will be worth billions when Air Mail returns to power.

Andy September 10, 2021 10:55 AM

They maintain their VPN services don’t log, although who would believe that?

Ultimately, authorities everywhere hate the idea of citizens having genuine comms privacy, except of course for themselves. Solving it is more a political mindset problem, than a technical one. We need better politicians, preferably network tech savvy ones.

Corrine September 10, 2021 11:23 AM

@Hedo,

Most TOR exit nodes have been and are controlled by the NSA for a long time now.
That is what I have known for a while.

Whether true or not, an HTTPS connection would make it non-trivial for them to track users, and an Onion Service would take exit nodes out of the picture entirely. A service that wants to promote itself as privacy-conscious should be doing something to ensure they don’t and can’t capture private data. An Onion Service is one way (e.g., search “DuckDuckGo onion” on DuckDuckGo to get their onion address). An unaffiliated VPN, preferably in another country, could be another way (users could never really trust this, but it could protect the service from certain legal demands—remember, user data is toxic waste).

Winter September 10, 2021 11:56 AM

@Corrine
“Whether true or not, an HTTPS connection would make it non-trivial for them to track users, and an Onion Service would take exit nodes out of the picture entirely.”

ProtonMail can be accessed through an Onion Service:
ht tps://onion.live/site/protonmail

I also do not see how supplying the exit node does re-identify the user. You need to have both the entry&exit nodes and quite a lot of traffic to re-identify a user.

As for alternatives to Tor, I have yet to hear of one that is of practical use for anyone not of the level of Bruce or Clive, and Clive does not seem to use electronic communication for secure messages.

BillB September 10, 2021 12:19 PM

@Hedo @gregg Actually Protonmail supports tor, no exit nodes needed.

Which is great, because the biggest weakness of tor is having to trust exit nodes.

Seems like I’m in the minority here, but the summary seems to be. It’s illegal for Protonmail to comply with any records request for anyone but the swiss government.

Like any Swiss company, Protonmail must comply with requests from the Swiss government … or cease to exist.

So the USA can’t just order Protonmail to collect or reveal logs.

Who? September 10, 2021 2:22 PM

@ Gregg, Hedo, Corrine, Winter, and all.

The most efficient way would be for the NSA controlling the exit relays and for the CIA acting as backup on the monitoring process! (it may be even worse.)

Tor uses three relays (guard, middle and exit). Getting knowledge on the exit relay alone does not provide useful information to track the sender or, somewhat equivalent, identifying the guard (entry) relay, but it is a perfect place to monitor network traffic coming from the Tor network.

HTTPS alone does not provide a very good protection. Think not only on the well known TLS inspection technique, widely used these days by the private sector, but also on the huge amount of information leaked by the URLs themselves. It is not clear to me DoT or DoH are enough to hide our activity, as these techniques just hide requests to nameservers.

Who? September 10, 2021 2:29 PM

@ Clive Robinson

It will get worse before it gets better, if it ever does.

I am not as confident as you, it will never get better. Internet has been snafu for decades; I cannot be as optimistic as to think there is a chance for it to get better.

Internet is a human development, so it has all the human being weaknesses and sins. It was great until mid-90s (and I enjoyed it until then) but it is now more a problem than an answer.

John September 10, 2021 2:40 PM

@Nate, Mind defining how long “Temporary” is? They claim that by default that they don’t permanently maintain IP logs. But they do temporarily maintain IP logs for various purposes. But that word temporary is just a tad ambiguous for my taste.

Frankly September 10, 2021 3:51 PM

Political problems cannot be solved with technology. They can always make and enforce laws, even unreasonable ones, to defeat any technology. So we are only as secure as our politics, not our technology.

Linden September 10, 2021 4:48 PM

@Andy, from my understanding VPNs carry quite a high markup, the only way they could sell user data (according to their policies) would be breaking the law, if they sold (even on the darknet) it would be traced back to them (as database leaks are), is there another way to profit off of this data that I’m missing?

Clive Robinson September 10, 2021 6:29 PM

@ Frankly, ALL,

They can always make and enforce laws, even unreasonable ones, to defeat any technology. So we are only as secure as our politics, not our technology.

Not fully true, that door swings both ways.

The ultimate laws that can not be cheated are the “natural laws” of the Universe. Even though our understanding of them is limited we know there are things we can not do.

So any laws passed by humans are constrained by the natural laws. It’s why we find the notion of making Pi a rational number by law so idiotic that in this day and age it’s funny.

More recently we had a laugh at the Australian Government for passing other just as idiotic laws. And prior to that a belly laugh at Australian PM “Malcolm Turnbull” who made a right arsehat of himself by saying,

“The laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only law that applies in Australia is the law of Australia.”

He was wrong and provably so. The only way “The Laws of Australia” can prevail against “The laws of mathematics” is by corruption in the legislators, judiciary, and similar undemocratic behaviour. In fact the very behaviours we deplore in the domains of fascists, tyrants, despots, and Police States. Where “disposing of people” by “hit squads” and show trials by kangaroo courts is the way of ensuring continuance of power. However as the old saying has it,

“Live by the sword, die by the sword”

Is usually such “leaders” fate often by a subordinate who desires power, and, often stupidly the “status of office” as well… hence the old saws about “The power behind the throne” and “Sitting ducks”.

In such places it is clear that the laws of the nation no matter what they say are still bound by the laws of nature. After all legislation will not stop the inertia of an assassin’s bullet or knife.

However there is a counter balance to all tyrants, dictators and even democratic leaders, they all need resources to maintain their positions. Because there is a chain of “No resources, no followers, no power, no status”. If you can bring about “no resources” then things will collapse eventually. It is by the way the ultimate fate of mankind and no legislation will ever change that.

Because of the need for resources to maintain authority by guard labour etc there has to be some degree of freedom not just for the resource makers but the authoritarian following guard labour. In short there is a counter balance that provides an opportunity to evade the authority. It always favours the majority not the minority even when technology is used by the minority against the majority. In short ultimately it’s a numbers game.

Yes this appears to be contrary to the principles of “asymmetric warfare” but actually it’s not. At the final analysis asymmetric warfare only works where the majority defeat themselves through fear etc.

During WWI and WWII it was assumed that inflicting hardship, casualties and death on sufficient of the opposition’s population would bring the politicians to heel. Well it did not, because for various reasons the population did not defeat themselves.

The thing about “numbers games” is you can use them advantageously to hide in. One face in a crowd is unremarkable. So is one message in a million as long as it remains unremarkable.

It is the idea behind covert communications within overt communications. The minority authority is resource bound by definition no matter how much technology they have to hand, it too is always going to be constrained. Providing the communications is unremarkable the minority authority does not have direct cause to progress beyond a certain level of investigation, because it does not have the resources.

So the trick is to keep communications unremarkable, for which there are various techniques. One set of which are provably secure because of the issue of equiprobability. As an observer you can not say with certainty what an individual message means if it has redundancy within it.

You can hide a surprising amount in the redundancy of a spoken language or when it is written. The trick is to maintain equiprobability for an observer but not for the intended recipient.

Such systems were used during WWII and will work just as well today, providing people follow the rules correctly. You can even get “full message deniability” against “Second party betrayal” if you do things correctly.

The problem is most humans do not follow rules precisely, they look for short cuts or even ignore them. Just one mistake like that can make an unremarkable message remarkable, thus attract attention, the usage of more resources and the dangers of being targeted.

By and large the job of SigInt agencies is looking for “individual mistakes” and then working them looking for other more subtle mistakes or correlation with events (a form of traffic analysis).

That is they look for cracks to place the tip of a wedge and drive it. Sometimes they get lucky and it all falls apart, most often they do not as “random happens”.

At the end of the day all numbers games are a question of probability, if you can work within it, then your actions can not be distinguished by an observer from random events that crop up all over the place.

name.withheld.for.obvious.reasons September 10, 2021 8:10 PM

@Nate
Curious as to how you reached such a conclusion, what observable or in writing has Bruce engaged in behavior that you claim are surprised by?

Just wondering…

Clive Robinson September 10, 2021 8:48 PM

@ name.withheld…,

Just wondering…

You are not the only one…

I had assumed @Nate had misread something.

However, having been myself recently repeatedly attacked by baseless accusations and having my defensive replies @Moderated but the baseless accusations left up… It appears that “Open Season” time is approaching yet again and many blog posters will just leave without saying why, leaving the site much poorer for their going.

In my case I have decided to allow the accuser to hang themselves a bit, which they are doing with their usual arm waving and their “I’m-rightery” nonsense. It is shocking how much they conform to Parkinson’s Law Of Triviality (PLOT)…

I guess we will have to wait and see if @Nate can make his case or not, or will even try.

Dave September 10, 2021 10:10 PM

The headline is quite misleading, they were required by a Swiss court to monitor and report the IP address of a single user. That’s a long, long way from them logging IP addresses for all users.

Knowing Switzerland, it’s also quite possible that this triggers a law change which alters the way foreign governments can compel Swiss companies to play ball, for example by modifying the seriousness of the crime that needs to be committed. So overall this could be a win for privacy.

(-_-;) September 10, 2021 10:28 PM

Protonmail has always logged IPs on signup “to fight spam”.

Also, their “onion address” only links to its login page. The second you click “SIGN UP” it redirects you to the clearnet address (https://protonmail.com/signup). And if you try to visit any other page with the onion url (i.e., by manually typing “/signup” after it) it redirects you back to the login page.

Anyway, not sure why everyone’s freaking out about all of this IP logging stuff now; it was always in the fine print. What surprises me is that they just handed it over and then said “well the court said we had to we didn’t have a choice 🙁 and we didn’t know it was a climate activist 🙁 they just told us to log and we did :(“.

Sanguine September 11, 2021 2:47 AM

To anyone who is claiming Schneier’s title to be “sensationalist”, “lying”, etc, and/or is stating that they “will never trust Schneier again”…

The title of the blog is “Protonmail now keeps IP logs” – there is nothing about all in that statement, but the truth is that against everyone’s account on Protonmail there is now a “do_record_ip_activity” type property, which can be activated for any user, at any time, and for any reason and with justification only known to the admins with access to user details at the time they decide to switch it on (or off).

No one who’s a user of ProtonMail can ever say, with 100% certainty, that their user profile is not configured to allow IP tracking.

Secondly, regarding “never trust him again” – just be careful with blanket statements. Schneier is simply reporting recent security news here – nothing more, and it’s your job to decide whether it’s valid or worth worrying about, not his.
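Added example, not part of any comment and not ProtonMail's code: a small Python model of the per-user check tfb describes and the account-level switch Sanguine describes, showing that the login response is identical whether or not an account is being logged, and how an auditor could check that retained entries are all covered by an order. `Order`, `IpLogPolicy`, `handle_login` and the one-hour `ABUSE_TTL_SECONDS` are hypothetical names and values; the IP addresses are constructed documentation-range samples.

```python
from dataclasses import dataclass, field

ABUSE_TTL_SECONDS = 3600  # assumed value; the quoted policy only says "temporarily"


@dataclass
class Order:
    """A logging order naming one account for a time window (hypothetical)."""
    user: str
    start: int
    end: int

    def covers(self, user, ts):
        return user == self.user and self.start <= ts <= self.end


@dataclass
class IpLogPolicy:
    orders: list = field(default_factory=list)
    abuse_log: list = field(default_factory=list)     # (ts, ip), short-lived
    targeted_log: list = field(default_factory=list)  # (ts, user, ip), retained

    def record_login(self, user, ip, now):
        # Temporary anti-abuse record, kept for every login until purged.
        self.abuse_log.append((now, ip))
        # The per-user check: retain the IP only if an order covers this login.
        if any(o.covers(user, now) for o in self.orders):
            self.targeted_log.append((now, user, ip))

    def purge(self, now):
        # Drop anti-abuse records once they reach the retention limit.
        self.abuse_log = [(ts, ip) for ts, ip in self.abuse_log
                          if now - ts < ABUSE_TTL_SECONDS]

    def audit(self):
        """Return retained entries that no order covers; should be empty."""
        return [e for e in self.targeted_log
                if not any(o.covers(e[1], e[0]) for o in self.orders)]


def handle_login(policy, user, ip, now):
    policy.record_login(user, ip, now)
    # The response is built without reading any logging state, so the
    # client sees the same bytes whether or not it is being logged.
    return {"status": 200, "body": "welcome"}


def demo():
    policy = IpLogPolicy(orders=[Order("bob", start=100, end=200)])
    responses = [
        handle_login(policy, "alice", "192.0.2.10", now=150),
        handle_login(policy, "bob", "198.51.100.7", now=150),
        handle_login(policy, "bob", "198.51.100.7", now=250),  # order expired
    ]
    policy.purge(now=250 + ABUSE_TTL_SECONDS)
    return responses, policy


if __name__ == "__main__":
    responses, policy = demo()
    print("responses identical:", all(r == responses[0] for r in responses))
    print("retained:", policy.targeted_log)
    print("uncovered entries:", policy.audit())
```

The only place the difference between the two accounts is visible is server-side state, which is why published retention limits and an auditable order list matter more than anything a client can observe.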

Clive Robinson September 11, 2021 5:01 AM

@ Sanguine, ALL,

Schneier is simply reporting recent security news here – nothing more, and it’s your job to decide whether it’s valid or worth worrying about, not his.

Yup.

@ ALL,

Also similar with posts in threads as well.

There are certain persons that are “Kennel Dwellers” who insist on denigrating and abusing people baselessly. Some even try to stir things up by hiding known “Political dog whistles” in longer posts. Presumably to try and trigger the likes of Internet Robots / search engines etc to bring Trolls and the like around. In short their intent is to commit damage for vanity or other reasons, thus is the equivalent of Trolling or cyber-bullying.

My advice if you have doubts about a poster’s arm waving or aggrandizement claims is do the OsInt Intelligence analysis bit and verify any grandiose preening or other unsupported claims accusations etc.

If they can not be verified then see if they are just harmless anecdotes in response to another commenter’s anecdote, designed to provide a little “lite amusement”, or to indicate / illuminate a security or technical point, rather than arm waving to get attention thus what the arm waver thinks is “status they are due”.

Also if some one provides logical argument / reasoning to support a point they make, work your way through it. If a part of the logic or reasoning is unclear then “ask questions”, because if you don’t understand something, then others probably do not either. Also it allows the person presenting a logical / reasoning argument to adjust their presentation to be more inclusive, which is important for both the presenter and the audience.

Clive Robinson September 11, 2021 6:32 AM

@ echo, Nate,

That’s what I read when I had ploughed past the screaming headlines full of duck and roll types swallowing their tongues with knee jerk panic.

Two old truisms to think about,

Birds of a feather stick together.

And more importantly,

You are judged by the company you keep.

As several others have pointed out you are wrong in your claims.

But why let that get in the way of your faux-puritanical imaginings and crazy claims to be messengers from a higher morality or similar faux-Wokism nonsense.

Anonymous September 11, 2021 9:00 AM

Protonmail Behaves like a CIA/NSA “Honeypot” Protonmail has an Onion domain that allows users to visit their site using the TOR browser. Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary. When a user makes a new account with Protonmail on TOR they are re-directed from Protonmail’s “.onion” to “.com” address. This breaks your secure encrypted connection to their onion address, enabling your identification. There are absolutely no technical reasons for this feature. In fact, the only other websites that operate like this are suspected NSA/CIA Honeypots. This is a huge security issue that was either created because Protonmail is managed by Particle physicists who do not understand computer security OR they have been forced to operate their website in a similar way as CIA/NSA honeypots. Both possibilities are serious concerns.

Winter September 11, 2021 10:43 AM

@Anonymous
“Protonmail Behaves like a CIA/NSA “Honeypot” Protonmail has an Onion domain that allows users to visit their site using the TOR browser. ”

Which is exactly what the TLAs would want you to believe if Proton mail was secure. This also sounds a lot like the anti-HTTPS campaign by the NSA to dissuade from using it.

Sheilagh Wong September 12, 2021 11:13 AM

Back in the 90’s, I remember reading a novel, or possibly short story, where the protagonist goes back using paper mail to circumvent surveillance. I wish I could remember the title.

Clive Robinson September 12, 2021 1:01 PM

@ Sheilagh Wong,

the protagonist goes back using paper mail to circumvent surveillance

The author lacked knowledge or imagination 😉

Ever heard of “micro dots” or even “micro film”?

Well once they were all the rage, the former in espionage, the latter in business archives, libraries and similar long prior to the 1980’s when computers on desktops started taking over.

Well put simply they were very fine grained photo films and you could store a couple of A4 sides on a microdot between 1000-3000 sides of A3 / A2 quite detailed technical drawings on spools of micro film and around 100 A4 pages on Micro fiche around the size of a small post card.

The thing about photo film is the process of producing a negative allows for a degree of “secrecy”. Exposed but not developed or fixed film stock can be put in a container and carried in your pocket. Giving it further exposure to light destroys the images on the film. During the early cold war this was used as a layer of security against being intercepted.

The fun thing is that you can print out a complex 2D Bar code (like QR code) that has quite a high bit density and then microdot it. You can with care get around 8k of data on a side of A4. If you first encrypt the data then it is at least as secure as the encryption you use, and probably stronger.

The fun thing is “analog photography” is showing a resurgence these days and high quality film stock and the required developing etc equipment is relatively inexpensive these days.

R2D2 September 12, 2021 2:03 PM

@ Clive Robinson

Assume you are ALWAYS, without exception logged, by everyone and act accordingly.

So.

Have nothing to hide.

And that’s the best way to hide anything.

“Steganography” is the science of cryptography for people with nothing to hide.

Clive Robinson September 12, 2021 3:49 PM

@ R2D2,

And that’s the best way to hide anything.

Except the routing, which gives traffic analysis etc.

The problem with stego is most of the time it is not at all good and simple filtering will show it is present.

That is to hide it you have to dynamically match not just the signal to noise profile of the carrier file, but its frequency and other spectrums as well. If you are old enough to have been involved with “Digital Watermarking” in the 1990’s one of the problems they had was making the watermark sufficiently covert. Generally if they did it was not robust.

Oddly the easy file to hide stego in is a file that has been encrypted, very roughly its statistics are flat and its spectrum white noise. So you encrypt your covert signal and they both have the same characteristics (if you do things like the modes right).

If you look at some of the information leaking out about Apple’s “cop-tag” system it is likely that the algorithm will detect many naive forms of stego as a byproduct of the way it works.
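Added example, not part of the comment above: a simplified form of the pairs-of-values chi-square test from the steganalysis literature, in Python, showing why random-looking payload bits written into the least significant bits of an uneven carrier stand out statistically, while the same bits in an already flat (encrypted-looking) carrier change nothing measurable. The carriers and payload are constructed from a seeded random generator; `pair_score`, `lsb_replace` and `run` are names chosen for this sketch.

```python
import random
from collections import Counter


def pair_score(samples):
    """Mean chi-square contribution per value pair (2k, 2k+1).

    LSB replacement with random-looking bits equalises the two counts in
    each pair, pulling the score to about 0.5. A carrier whose neighbouring
    values occur with unequal frequency scores far higher.
    """
    hist = Counter(samples)
    total, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected < 5:  # too few samples in this pair to say anything
            continue
        total += (even - expected) ** 2 / expected
        pairs += 1
    return total / pairs if pairs else 0.0


def lsb_replace(samples, bits):
    """Naive LSB replacement, the kind of embedding this test detects."""
    return [(s & 0xFE) | b for s, b in zip(samples, bits)]


def make_uneven_carrier(rng, n):
    # Constructed carrier: each of the 256 values gets its own frequency,
    # standing in for media whose histogram is not flat.
    weights = [rng.random() ** 2 for _ in range(256)]
    return rng.choices(range(256), weights=weights, k=n)


def make_flat_carrier(rng, n):
    # Constructed carrier with uniform bytes, standing in for ciphertext.
    return [rng.getrandbits(8) for _ in range(n)]


def run(seed=1, n=100_000):
    rng = random.Random(seed)
    # Random bits stand in for an encrypted payload (assumption: good
    # cipher output is indistinguishable from random).
    payload = [rng.getrandbits(1) for _ in range(n)]
    uneven = make_uneven_carrier(rng, n)
    flat = make_flat_carrier(rng, n)
    return {
        "uneven_clean": pair_score(uneven),
        "uneven_stego": pair_score(lsb_replace(uneven, payload)),
        "flat_clean": pair_score(flat),
        "flat_stego": pair_score(lsb_replace(flat, payload)),
    }


if __name__ == "__main__":
    for name, score in run().items():
        print(f"{name:13s} {score:8.2f}")
```

A score that collapses toward 0.5 on media that should have an uneven histogram is the detection signal; on the flat carrier the score sits near 0.5 before and after, so this test has nothing to measure.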

Winter September 16, 2021 12:50 AM

@Jason
“Check out this article on the CIA and Protonmail”

The answer comes down to “We neither confirm nor deny”. So, no information.
