Facepalm: Proton Mail is facing renewed accusations of handing user data over to law enforcement agencies. The Swiss company provides a secure email service with end-to-end encryption, ostensibly to protect its customers’ identities from prying eyes. However, recent events suggest otherwise.

Proton Mail recently came under scrutiny for providing Spanish authorities with enough data to identify and arrest a member of the Catalan independence organization Democratic Tsunami. The company claimed it was compelled to cooperate with law enforcement due to Swiss laws. It asserted that the Spanish police’s success in apprehending the individual was partly due to the person’s lack of a proper Operational Security (OpSec) policy.

Proton Mail’s primary service is an end-to-end encrypted email platform established in 2013. The platform aims to ensure that email content remains unreadable to both third parties and the company itself. While Proton Mail asserts it cannot access message contents, some user-related data passing through its servers could potentially be used to identify individuals.

In a separate incident in 2021, Proton Mail was required to provide Swiss authorities with the IP address and device details of a French climate activist. This information was subsequently used by French authorities to apprehend the activist. Proton Mail clarified that while email content is encrypted, the company is obligated to comply with lawful access requests for any data passing through its servers in criminal prosecution cases.

In the recent case involving the Spanish police, Proton was seemingly compelled to provide the Apple recovery email address used by a client known as “Xuxo Rondinaire.” The customer was suspected of collaborating with Catalonia’s police force, the Mossos d’Esquadra, while covertly aiding the independence movement in the region.

Authorities requested additional data from Apple, enabling them to identify the individual behind the pseudonym. Proton CEO Andy Yen confirmed that the personal data used to apprehend the alleged “terrorist” was provided by Apple, not Proton. Yen emphasized that Proton cannot decrypt data, but Swiss courts can mandate the sharing of recovery email addresses in “terror cases.”

In a written statement, Proton AG clarified that its email service stores “minimal user information” and does not guarantee complete anonymity. Customers seeking enhanced security should implement proper OpSec measures, such as refraining from using their genuine Apple account as an optional recovery method. While a recovery address is not mandatory for using Proton Mail, the company could be compelled to disclose such information under a Swiss court order.