In April 2023, Proton AG — the Swiss company behind Proton Mail, a popular encrypted email service — came under fire for complying with a request from Spanish police for information about one of its users. The user in question was a Catalan pro-independence activist, and the incident sparked outrage among privacy enthusiasts.
The Fantasy vs. Reality
Many people love encryption and the ideals it represents. However, encryption is not a panacea, and the more we encrypt, the more metadata matters. When it comes to privacy, metadata collection can be an exercise in minimization, but centralized services have natural limits on how much they can minimize their metadata collection.
Proton has done an excellent job limiting access to user metadata, which deserves praise. The company should get a pat on the back for building a system where all they can provide is an optional recovery email. In this case, however, Proton provided the user’s recovery email address, which led police to their Apple account.
The Fantasy of ‘Cancel Subscription’ Buttons
When news broke about Proton complying with the request from Spanish police, online anons brandished ‘Cancel Subscription’ buttons and ominous headlines that began with ‘Is Proton…’ and ended with question marks. This expectation has reared its head multiple times in the past, including another ProtonMail case just a couple of years ago.
The Delusional Expectation
However, this fantasy is delusional and self-destructive. If Proton took the route of resisting legal requests from authorities, they would face crippling legal pressure that could set the sun on the entire company rather quickly. This would leave us with just a couple of established encrypted email providers, which is not a useful outcome for Proton, its users, or privacy at large.
Defending Proton Mail
FreedomTech editor SethForPrivacy defended Proton Mail in a post on X (formerly Twitter), writing that the case had "proven" Proton’s architecture minimizes the amount of data they have on any user. Proton is well aware of this, and the reality is that they complied with almost 6,000 legal requests in 2023 alone.
Once the shock of the news wore off, more people accepted that outrage wasn’t really warranted, nor was it helpful. The case has proven that even Proton Mail, one of the most secure email services available, can be vulnerable to metadata collection.
The Limitations of Decentralization
In cases where safety and security are critical, purposeful decentralization could offer an extra layer of protection that is vital for at-risk people. However, implementing decentralized networks for data-routing needs is complicated. Networks like Nym are generalizable for data-routing needs but might not be a good solution for instant messenger or conferencing services due to speed limitations.
For email, which is a de facto record-keeping utility for many people, the storage side of things is more complicated. App-specific networks offer ephemeral message storage in a decentralized way, but this won’t suit email. Spam filters and the email mafia might make top-to-bottom decentralized email service impractical, although it won’t stop people from trying.
The Future of Decentralized Communication
In the end, legal requests will keep on coming, and companies will continue to comply. However, in cases where safety and security are critical, purposeful decentralization could offer an extra layer of protection that is vital for at-risk people. Proton — and other companies like it — can help by implementing decentralized solutions.
Conclusion
The incident has sparked a debate about the limitations of encryption and the importance of metadata collection in centralized services. While decentralized networks are not yet perfect, they offer an exciting opportunity to protect user data and ensure that communication tools remain secure even in the face of legal requests from authorities.
By working together, we can create a future where communication tools prioritize security and privacy above all else. As Alexander Lintonis, the director of the encrypted messaging app Session and its nonprofit foundation OPTF, wrote: "We can help, all you have to do is call (or, I suppose, send an email)."