How ProtonMail Lost The Public Trust It Needs To Do Business

May 29, 2021

ProtonMail is a Swiss provider of an end-to-end encrypted email application. The service is free to use for consumers but sold to businesses and other organizations.

ProtonMail claims to have “Swiss Privacy Data Security and Neutrality“.

bigger
But how far can one trust ProtonMail’s claims of a secure service when it is openly breaking, as we show below, its pledge of neutrality?

During the aftermath of the emergency landing in Minsk of a Ryanair flight between Greece and Lithuania ProtonMail provided fractional information about emails which delivered a bomb threat against the plane to several airports. The partial and seemingly willfully incomplete response by ProtonMail has led to false claims by various media against the government of Belarus.

The ‘west’ is currently waging an information war against Belarus. It wants to change the government of Belarus by whatever means. By only providing fractional information about the case ProtonMail has taken a side in this war. The ‘west’ is now imposing sanctions against Belarus which will inevitable have negative consequences for ALL people in that country. If ProtonMail does not clean up its slate on this issue it must take responsibility for these.

This, from today’s New York Times, includes several false claims:

The plane, a Ryanair Boeing 737 headed from Greece to Lithuania, was traveling through Belarusian airspace on Sunday when it was diverted and forced to land in Minsk, the capital, with an escort from a fighter jet. Roman Protasevich, a Belarusian opposition journalist who had been living in exile abroad, was detained along with his girlfriend after the plane landed.

Belarus’s president, Aleksandr G. Lukashenko, a brutal and eccentric strongman, has claimed that he rerouted the plane because of an emailed bomb threat, not to seize Mr. Protasevich. But a Swiss email provider has said that the email cited by the Belarusian authorities was sent after the plane had already been diverted.

As we have show previously the Ryanair plane was not “diverted and forced to land in Minsk”. When the plane entered Belorussian airspace at about 12:30 local time (9:30 utc) it was informed by the Air Traffic Control (ATC) of Belarus that an email had been received by several airports that threatened to explode the plane over its destination in Vilnius. The ATC recommended to the pilot to land in Minsk. The pilot decided to do so by himself. The radio traffic between the pilot and the ATC has been published (scroll down) by the aviation authorities of Belarus. It is undisputed.

The NYT claims, relying of partial information by ProtonMail, that “the email cited by the Belorussian authorities was sent after the plane had already been diverted.” The claim is false. There were two emails with bomb threats. One was received before the Ryanair plane entered the airspace of Belarus, the other was received after the pilot had already made his decision to land in Minsk. ProtonMail has so far only confirmed that the second email was send to Minsk. It has rejected to make comments about the first bomb threat email sent through its service to Minsk.

Here is how we know about the two emails.

The narrative of the incident (scroll down for the English version) by the Belorussian authorities starts with this:

On May 23, 2021, a written message with the following content in English was sent to the e-mail of the National Airport Minsk from the e-mail address protonmail.com:

A translation of the Russian language version of that paragraph is a bit more specific:

On May 23, 2021, a written message with the following content was sent to the e-mail of the National Airport Minsk info@airport.by from the e-mail address protonmail.com in English:

The radio talk between ATC and the pilot of flight RYR 1TZ has additional information about the email:

ATC: RYR 1TZ
Pilot: The bomb….direct message, where did it come from? Where did you have information about it from?
ATC: RYR 1TZ standby please.
ATC: 09:33:42: RYR 1TZ
Pilot: Go ahead.
ATC: RYR 1TZ airport security stuff informed they received e-mail.
Pilot: Roger, Vilnius airport security stuff or from Greece?
ATC: RYR 1TZ this e-mail was shared to several airports.

At 9:33 utc the Belorussian ATC knew that the email had been received by several airports in the region. This must have been the first email in question and the recipient field must have show several airport related email addresses.

Read also:
The Price for Closing Ranks

We know that one of the other recipients of the email received by Minsk airport was an airport organization in Vilnius, Lithuania.

The Dossier Center, a rather shady anti-Russian outfit in London financed by the exiled billionaire and company raider Mikhail Khodorkovsky, has published this misleading narrative about the Ryanair incident (machine translation, emph. added):

Swiss Hamas – Inconsistencies in the “terrorist” version of the Belarusian authorities

On May 26, during a speech in parliament, Alexander Lukashenko commented on the emergency landing in Minsk of a Ryanair airline, on board which was the former editor-in-chief of the Nexta Telegram channel Roman Protasevich. Lukashenka said that the message about the mining of the side was received by “Athens, Minsk and Vilnius at the same time”. After the Belarusian air traffic controllers passed the information about the bomb allegedly received from the special services to the Ryanair pilots, it was decided to land the plane in Minsk. To escort the board, a MiG-29 fighter of the Belarusian Air Force was raised.

The Dossier Center, together with The Daily Beast and Der Spiegel, managed to obtain and analyze a copy of an email sent by a “Hamas representative” to the Minsk airport. It follows from it that the Belarusian air traffic controllers informed the Ryanair pilots about the mining of the plane 27 minutes earlier than they themselves received the message about the bomb.

On May 23, at 12:25 pm Belarusian time, the administration of “Lithuanian Airports” received a letter with a threat of a bomb explosion on board the flight FR4978, sent from the address [email protected].

The highlighted sentence says that a threat email arrived in Lithuania at 12:25 pm (9:25 utc). This must have been the same email which the Belorussian ATC mentioned at 9:33 utc:

ATC: RYR 1TZ this e-mail was shared to several airports.

Then however the Dossier Center claim in the second paragraph above, that “the Belarusian air traffic controllers informed the Ryanair pilots about the mining of the plane 27 minutes earlier than they themselves received the message about the bomb”, makes no sense.

But the Dossier Center does show an email with a bomb threat that was received at 12:56 (9:56 utc) after the pilot had already made the decision to land in Minsk.

bigger
The explanation that resolves the seemingly contradicting evidence is simple. There were two emails sent to the airports.

In fact on May 28 the Investigative Committee of Belarus, the country’s prosecution service, published a note about the case (machine translation, emph. added):

It has already been established, to which we draw special attention, that there were several messages about the “mining” of the aircraft received through the Swiss anonymous mail service ProtonMail – at 12:25 and at 12:56. At the moment, the records of conversations with the pilots of the aircraft are being studied and analyzed in detail, and numerous other investigative actions are being carried out.

The Dossier Center however claims, without providing any evidence, that Minsk did not receive the first email (machine translation, emph. added):

At 12:30 the plane entered the airspace of Belarus. As follows from the transcript of the dispatchers’ negotiations with the Ryanair pilots, at the same moment the Belarusian side informed the crew about the alleged explosion threat. At 12:33 pm, the controller informed the pilot that a letter with a message about the bomb had been sent to several airports at once. However, as the Dossier Center found out, at that time only Lithuanian Airports received a letter from the “terrorists”. The Greek Civil Aviation Authority said it had not received a bomb threat letter at the Athens airport.

At 12:47 the plane changed course and flew towards Minsk. The official statement of the Aviation Directorate of the Ministry of Transport of Belarus did not disclose details about the time of receipt of the email, but Dossier found out that a copy of the letter from user Ahmed Yurlanov came to the email of the National Airport of Minsk ([email protected]) at 12:57 pm Belarusian time – that is, almost half an hour after the transmission of the message about the possible mining of the side.

How the anti-Russian Dossier Center in London would even know when and what emails arrived or didn’t arrive at Minsk airport is inexplicable.

Read also:
Tensions Grèce-Turquie : Morano appelle Macron à être "plus ferme" avec Erdogan

The Daily Beast has cooperated with the Dossier Center in reporting the issue. Its piece, authored by Michael Weiss, a former research director of the neo-conservative Henry Jackson Society in London, does not resolve the issue:

The email was sent to Minsk’s National Airport’s general information account at 12:57 p.m. on May 23, 27 minutes after the plane first entered Belarusian airspace and 24 minutes after air traffic control in Minsk first informed the Ryanair pilot that an emailed bomb threat was “shared with several airports.”

But the Greek Civil Aviation Authority, which is responsible for the plane that took off from Athens, has publicly stated that it received no such warning at any point during FR4978’s journey. Lithuania did receive the email, but not Vilnius Airport, the intended destination; rather, the recipient was State Enterprise Lithuanian Airports, the state-run company that handles three different Lithuanian airports (Vilnius, Kaunas, and Palanga).

That someone in Greece did not receive the bomb threat email and who in Lithuania received the email or not does not tell us anything about the reception of the first email in Minsk. The whole writeup is a diversion from that critical point.

Here is where ProtonMail comes in.

ProtonMail was asked about the second email published by the Daily Beast and the Dossier Center. It responded with a statement to Reuters which then misleading headlined:

Bomb threat cited by Belarus was sent after plane was diverted – Swiss email provider

A bomb threat cited by Belarusian authorities as the reason for forcing a Ryanair jetliner carrying a dissident journalist to land in Minsk was sent after the plane was diverted, privacy-focused email provider Proton Technologies AG said on Thursday.

Proton declined to comment on specifics of the message but confirmed it was sent after the plane was diverted.

“We haven’t seen credible evidence that the Belarusian claims are true,” the Swiss company said in a statement. “We will support European authorities in their investigations upon receiving a legal request.”

ProtonMail seems to have confirmed to Reuters that the second email, received in Minsk at 12:56 (9:56 utc), had been sent through its service.

ProtonMail however seems to not have been asked about the first email received in Minsk and Lithuania on May 23 at 12:25 (9:25 utc). Still Reuters attributes the false claim,  that the bomb threat cited by Belarus was sent after the plane was diverted, directly to ProtonMail. Belarus cited the first email sent. ProtonMail only confirmed that the second email was sent. It should be in the interest of ProtonMail to clear up that issue.

Yesterday evening I asked ProtonMail to explicitly confirm that the first email was also sent to and received in Minsk. As it confirmed that the second email was sent it should have no problem with confirming the first one too. This unless it has left its claimed neutrality and is an active participant in the information war against Belarus.

Here is the full exchange:

Chahuapa @Chahuapa – 22:22 utc · May 26, 2021

Email can be easily spoofed (appear to come from some adres when it’s not). I suggest anyone to stop using protonmail. It has been compromised.

ProtonMail @ProtonMail – 18:10 utc · May 27, 2021
Replying to @Chahuapa

The email leaked to the press was not obtained from us. Due to our encryption, we can’t access/verify the message contents. However, we can see the sent time and can confirm it was after the plane was redirected.

Moon of Alabama @MoonofA – 19:12 utc · May 28, 2021
Replying to @ProtonMail and @Chahuapa

The Belarus prosecutor states that it received two ProtonMails – at 12:25 and at 12:56 (UTC+3). sk.gov.by/ru/news-usk-gm…
Dossier Center claims that Lithuanian airports received threat email at 12:25.
Can you please confirm that the first email at 12:25 was also sent to Minsk.

ProtonMail @ProtonMail – 19:54 utc · May 28, 2021
Replying to @MoonofA and @Chahuapa

Unfortunately we can’t comment on this as the first email is not public information yet. Only the Swiss authorities can make additional disclosures at this time.

Moon of Alabama @MoonofA – 20:07 utc · May 28, 2021
Replying to @ProtonMail and @Chahuapa

Read also:
Les nouveaux fermiers généraux

I contacted you because I learned of the first email from:
a. Dossier Center
b. General Prosecutor of Belarus
Their claims of reception of the 9:25 utc email in Vilnius and Minsk are already public information.
You are only asked to confirm that both were sent at that time.

There was no further response from ProtonMail.

While ProtonMail seems to confirm the existence of the first email it is not willing to confirm that the first email was also received in Minsk.

This is not helpful. ProtonMail’s confirmation to Reuters that the second email was received in Minsk has led to widely misleading headlines and numerous reports which, attributed to ProtonMail, falsely claim that Belarus recommended the plane to land in Minsk without having received a bomb threat to that plane.

ProtonMail could easily clean up the false reports by confirming in a public statement that there were two emails and that the first email at at 12:25 (9:25 utc) was also sent to and received in Minsk.

That ProtonMail rejects to do so demonstrates that it is a party in the information war against Belarus. Swiss Neutrality this is not.

But ProtonMail claims neutrality. It also claims that its encrypted email service is secure.

In light of the above ProtonMail’s neutrality seems to be quite questionable. That lets me doubt that its service and products are as secure as it claims.

There have been other Swiss providers of encryption technology and services who had made false claims about their neutrality. Their claims about the security of the encryption services they provided turned out to be false.

Last year this led to headlines like these:

It is easy for ProtonMail to reclaim Neutrality by publicly providing information that an email from the account shown in the above screenshot or any other ProtonMail account was sent to the info@airport.by address in Minsk on May 23 at 9:25 utc. As ProtonMail confirmed that the second email was sent and received it must have the metadata that allows it to issue a similar confirmation about the first mail.

An additional public explanation of the fact that there were two emails in question and that its previous statement to Reuters was only with regard to the second email would be very helpful.

We should also keep in mind that this is not a question of good versus bad but true or false. One may dislike the leadership of Belarus. But one also has to acknowledge, as even The Atlantic does, that the government of Belarus acted in full accordance with the relevant laws:

Ryanair’s CEO called the incident “state-sponsored hijacking.” It was not. Technically, you have to be on a plane to hijack it. But the Ryanair incident was nevertheless diabolical—and what makes it particularly diabolical is that Belarus may have managed to pull it off without violating its agreements under international law.

One should also consider that the only casualty in this incident is an openly neo-nazi regime change activist who is financed by ‘western’ governments.

If ProtonMail wants to take that side it is free to do so. But it can not claim neutrality, and a secure service, while doing so.

Should ProtonMail change its mind and issue a clarifying statement on the issue I will update this post accordingly.

Previous Moon of Alabama post on the Ryanair incident in Belarus:

Published at www.moonofalabama.org

Also read

Proton, a company which is often issuing denials