Berners-Lee Joins ProtonMail Following Privacy Debacle

Tim Berners-Lee has joined the advisory board of ProtonMail, just days after the encrypted email service was criticized for unmasking the identity of a user for French police.

The worldwide web inventor was a scientist at the European Organization for Nuclear Research (CERN) at the same time as ProtonMail CEO Andy Yen, and helped to sketch the initial plans for what is now the world’s largest encrypted email service, with over 50 million users.

“I’m delighted to join Proton’s advisory board and support Proton on their journey. I am a firm supporter of privacy, and Proton’s values to give people control of their data are closely aligned to my vision of the web at its full potential,” he said in a statement.

However, the Geneva-headquartered firm’s privacy-first credentials took a blow this week after it emerged that it had complied with a request from the Swiss authorities to hand over the identity of a French climate change activist using the service.

Although ProtonMail says it will not comply with requests from “foreign” law enforcement, the case highlighted for some just how authorities outside of Switzerland could work around this policy.

The firm was also forced to row back on confusing messaging that made it seem like user accounts were anonymous by default and that IP logging only occurs in “extreme criminal cases.” While open to interpretation, the individual concerned does not appear to fall under the latter category but rather operates the Parisian chapter of the pressure group Youth for Climate.

The following used to appear on the firm’s website: “No personal information is required to create your secure email account. By default, we do not keep any IP logs that can be linked to your anonymous email account. Your privacy comes first.”

However, today, the site talks about its service as “email that respects privacy and puts people (not advertisers) first.”

Users who want to stay anonymous on ProtonMail would be best placed using its onion site or potentially using the ProtonVPN service. Swiss law prevents the firm from monitoring the IP addresses of its VPN users.

“We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way,” said Yen in a blog post explaining the case.

“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.”

What’s Hot on Infosecurity Magazine?