August 27, 2024

Decrypting Proton Privacy Policy

Introduction

If you have read some of my posts on this website you might have seen that I like Proton. However, every now and then there is a new controversy about Proton handing out data to the feds. My take on that is that people should be more careful about their opsec and try to understand which data Proton needs unencrypted, and why.

However, to be fair, Proton has also not been very open about this: they have a Privacy Policy for each of their services, each one a wall of text. That's why in this article I wanted to present the metadata they collect in a simpler way.

PS: For this article we will concentrate on a "basic" Proton account, meaning one not using any insecure extra features like Easy Switch, referral, chat support or Scribe, in order to keep it simple.

Proton Account

  • Email address: anon@pm.me or anon@gmail.com
  • Verification email: verifemail@gmail.com
  • Verification phone number: +1 3370000
  • IP: depends (read below)

They state in their privacy policy that both the email and the phone number used for verification or account recovery are stored hashed. Hashing is a one-way function: given the same input, it always produces the same result. This means that it can be brute forced by the feds, since email addresses and phone numbers are easy to enumerate. Proton has also already been found giving those out as the result of a court order. To make this clear I left them in clear text in the example above.
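To show why a deterministic hash of a phone number does not hide it, here is an added example (my own code, not Proton's, using a constructed number): it recovers a SHA-256-hashed number by enumeration, then shows that a keyed hash (HMAC under a secret the stored table does not contain) defeats the same enumeration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

def sha256_hex(value: str) -> str:
    """Unkeyed, deterministic hash: anyone who can guess the input can confirm it."""
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_hex(key: bytes, value: str) -> str:
    """HMAC-SHA256 under a secret key: guessing the input is useless without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def recover_phone(target_hex: str, prefix: str, digits: int,
                  hasher: Callable[[str], str]) -> Optional[str]:
    """Enumerate every number made of `prefix` plus `digits` decimal digits and
    return the one whose hash equals target_hex, or None when nothing matches."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hasher(candidate) == target_hex:
            return candidate
    return None

# Constructed number, not a real subscriber. Only the last 5 digits are enumerated
# (100,000 candidates) to keep the run short; a whole 7-digit local number space is
# 10,000,000 candidates, still a matter of seconds on a laptop.
PHONE = "+13370042042"
PREFIX, DIGITS = "+133700", 5

def unkeyed_hash_is_recoverable() -> bool:
    """A plain hash of a recovery number, as stored at rest, is recovered by enumeration."""
    stored = sha256_hex(PHONE)
    return recover_phone(stored, PREFIX, DIGITS, sha256_hex) == PHONE

def keyed_hash_resists_enumeration() -> bool:
    """With a server-side secret key, the same enumeration (run without the key) fails.
    Caveat: this protects a leaked or exported table, not data the operator itself
    hands over together with the key under a court order."""
    key = secrets.token_bytes(32)
    stored = keyed_hex(key, PHONE)
    return recover_phone(stored, PREFIX, DIGITS, sha256_hex) is None

if __name__ == "__main__":
    print("unkeyed hash recovered:", unkeyed_hash_is_recoverable())
    print("keyed hash resists enumeration:", keyed_hash_resists_enumeration())
```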

By default, IP logs are not kept. However, they might be kept in these cases:

  • To combat abuse and fraud (this is extremely vague)
  • If you are engaged in activities that breach their terms and conditions (extremely vague too; is this malicious at this point?)
  • If you enable authentication logging for your account
  • If you voluntarily participate in Proton's advanced security program
  • If they receive a court order, they will turn on IP logging on your account

Proton Mail

About an email

  • Sender and recipient email addresses: jane.doe@pm.me to anon@pm.me
  • IP of sending server: 8.8.8.8
  • Attachment names: pdf for John Doe.pdf
  • Message subject: Hi John Doe, I hope no one found your real name yet :):):)
  • Message sent and received times: 2024-04-20 07:13:37 and 2024-01-69 07:15:35

This is a lot of information that can be used, but it is also pretty much the minimum of information they need unencrypted in order to process an email with their PGP implementation.

PS: Email content, if sent unencrypted to a Proton Mail address, is processed unencrypted by Proton Mail (to encrypt it, but also to check for spam). They claim never to store it on disk, but this is a limitation of email that has to be known. It also seems that Proton sends some email metadata to Spamhaus for spam detection, which means that some information about your emails is sent to Spamhaus (a company that can be hated for a lot of reasons).
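As an added illustration of the two points above (my own code, not from the post or from Proton): a constructed PGP/MIME message in the RFC 3156 layout, parsed with Python's standard email module to separate the fields any receiving server reads in clear (sender, recipient, sending server IP from the Received header, subject, timestamps) from the one part it cannot read, the encrypted body. Hostnames are made up; 8.8.8.8 is the example IP used above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed PGP/MIME message (RFC 3156 layout). The "ciphertext" is a placeholder,
# not a real PGP packet; only the structure matters here. Hostnames are made up.
RAW = """\
Received: from mail.example.org (mail.example.org [8.8.8.8])
\tby mx.example.net with ESMTPS; Sat, 20 Apr 2024 07:15:35 +0000
From: Jane Doe <jane.doe@pm.me>
To: anon@pm.me
Subject: Hi John Doe, I hope no one found your real name yet :):):)
Date: Sat, 20 Apr 2024 07:13:37 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
<placeholder ciphertext: the message body lives in here>
-----END PGP MESSAGE-----
--b1--
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def server_visible_metadata(raw: str) -> dict:
    """Fields a mail server reads before any PGP key is involved."""
    msg = message_from_string(raw, policy=policy.default)
    received = str(msg["Received"])          # added by the receiving MTA, never encrypted
    ip = RECEIVED_IP.search(received)
    return {
        "sender": parseaddr(str(msg["From"]))[1],
        "recipient": parseaddr(str(msg["To"]))[1],
        "sending_server_ip": ip.group(1) if ip else None,
        "subject": str(msg["Subject"]),     # PGP/MIME leaves the Subject header in clear
        "sent": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "received": parsedate_to_datetime(received.rsplit(";", 1)[1].strip()).isoformat(),
    }

def encrypted_payload(raw: str) -> str:
    """The only part the server cannot read: the PGP-encrypted MIME body."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "application/octet-stream":
            return part.get_payload()
    return ""
```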

About an email account

  • Number of messages sent: 135
  • Amount of storage space used: 2.56 GB
  • Total number of messages: 1265
  • Last login time: 2024-04-20 01:33:07

Proton Drive

About a file

  • Size of the encrypted file: 2.6 GB
  • File/folder creation and modification times: 2024-04-20 01:33:07
  • Permissions: Edit
  • Username of uploader: jane.doe@pm.me

About a shared file

All of the above (size of the encrypted file: 2.6 GB, permissions: Edit, username of uploader: jane.doe@pm.me, file/folder creation and modification times), plus:

  • Last access time: 2024-04-20 01:33:07
  • Number of times accessed: 13
  • Creator: jane.doe@pm.me

Proton Calendar

About an event

  • Event start and end time: 2024-04-20 01:33:07 to 2024-04-20 02:33:07
  • Time zone: Europe/Zurich
  • Repetition rule: Repeat Weekly
  • Event creation: 2024-04-10 13:33:07
  • Last event update: 2024-04-11 14:09:00
  • Event status: active

Proton VPN

There is not much information on what is collected. If we trust their privacy policy, they keep no log of any action. However, payment and account data are still collected (see below).

Proton Pass

About an entry

Everything seems to be encrypted except alias email addresses. This means that, through a hack or a court order, a bad actor could get all the email aliases for every website you registered on (and link them easily, because the default alias generation puts the website URL at the start).

Proton Wallet

All of your TXIDs, wallets, exchange rates for transactions and even the notes you wrote are saved unencrypted. You are also limited in the number of wallets you can create: two wallets and 4 addresses. It is also stated in their privacy policy that they may use the data they have (everything) to track fraud at their discretion (do they check the TXIDs with chain analysis firms? This is not clear, but not denied either). There is no privacy in any way there.

PS: There are external services to buy, sell and exchange crypto in Proton Wallet. If you want privacy I would advise against using those; check orangefren, trocador or kycnot.me for KYC-free options.

Payment

Proton Mail has always had a problem with payment methods. You cannot pay in Monero, or any other privacy coin for that matter. Even their Bitcoin payment option (which is not private in any way unless made using mixers, CoinJoins, etc.) is managed by a third party.

If you pay with a credit card, your payment information is sent to a third party, but not your account information (does this work with a transaction ID only? It is not clear how your transaction and your account are linked). The last 4 digits of your credit card are saved.

IOS and Android apps

  • Analytics and statistics using external services (e.g. fabric.io).
  • Crash reporting via Play Store app statistics, App Store app statistics, or self-hosted (Sentry). It is not stated in the Privacy Policy, but you should be able to deactivate both analytics and crash reporting on the app's settings page.

Other considerations

  • Backups from all of Proton services are kept for up to 30 days.
  • I wouldn't expect the fact that they only accept Swiss court orders to protect anyone; these don't seem too hard to get (see the Proton transparency page).
  • Proton employs a local installation of self-developed analytics tools. Analytics are anonymized whenever possible and stored locally. It is very unclear what they collect, when and how.
  • They use external CDN(s) (like https://cloudinary.com for their landing page). Those might collect your information too.
  • SimpleLogin and Proton Pass are not hosted on Proton-owned servers and infrastructure, but on rented/owned servers in external data centers.

Conclusion

Most of the data collected by Proton is data that needs to be collected in order for their services to work. However, there is also a lot of data that, for a privacy service, should not be collected (like billing, recovery/verification email and phone number, and IPs).

Wallet, their latest product, seems to offer no benefit and even to be a really bad way to use Bitcoin, as it will link your crypto payments, transactions and balance to your other accounts (email, Pass, Drive, etc.).


Leet
i[a]sy.st