ProtonMail is a service lauded for its commitment to privacy. It's a particular favorite amongst journalists, as whistleblowers and the like can use it securely without fear of revealing their identity. However, ProtonMail was recently compelled by Swiss authorities to release a user's IP address that it had logged, though it had a good reason.

A few months ago, Ryanair flight FR4978 was traveling from Athens in Greece to Vilnius in Lithuania. However, the flight was diverted to Minsk airport in Belarus after a bomb threat was sent to Minsk National Airport and State Enterprise Lithuanian Airports. These emails were sent from a ProtonMail address according to the ICAO fact-finding investigation, and what's particularly interesting is that the IP address which was used to create the account was also released to authorities by ProtonMail.

ProtonMail released the IP address of the account used to send the emails

Following the plane's landing in Minsk, both journalist Roman Protasevich and his girlfriend Sofia Sapega were arrested. Investigators in Lithuania launched a pre-trial investigation into the matter, which is why ProtonMail was compelled through a "mutual legal assistance mechanism" to release the IP address to authorities. The United States has also recently accused the Belarusian government of "air piracy" following the incident, charging four Belarusian government officials.

ProtonMail said in a statement in May 2021 that it had been compelled by an official request by the Swiss government to divulge the information that it had, though made clear that the email itself was released by investigative journalists. "We are supporting European authorities in their investigations, as we are legally obligated to do so on the basis of an official request from the Swiss government."

However, many may be surprised that ProtonMail was able to release the IP address of the account creator in the first place. The company's commitment to privacy (as shown by the contents of the emails and mailbox being fully encrypted) would have led many to believe that it would have been unable to recover the IP address. I reached out to ProtonMail asking how this was possible, and I was told that the company does not comment on specific cases. However, I was given the following response in broad reference to the company's privacy policy.

"Data related to the opening of an account" details the steps taken to prevent abuse and protect users. Specifically: "IP addresses, email addresses, and phone numbers provided are saved temporarily in order to send you a verification code and for anti-spam purposes"

It seems that when the Lithuanian government realized that the bomb threat was a hoax, ProtonMail was contacted. The Ryanair flight forced to land in Belarus flew on May 23rd, 2021, meaning that the company kept a log of the IP address for just over a week at that point. It's not clear how long ProtonMail holds on to the IP addresses, email addresses, and phone numbers after their last use.

What is clear, though, is that the company's promise of email contents being encrypted was not broken. All investigators were able to collect from ProtonMail was the account creation date and time, along with the IP address used to create it. It's also worth noting that the IP address of the email sender does not appear to have been logged; only the IP address used to create the account was.