ProtonMail is an independent email platform based in Switzerland, designed with privacy and security as its key selling points. Exactly how far that privacy and security go can be confusing, though. For example, some users may have the misconception that ProtonMail can’t be traced at all and provides absolute privacy.
As ProtonMail is based in Switzerland, it is subject to Swiss laws, which are well known to be very pro-privacy. ProtonMail cannot legally comply with a court order from a foreign government unless the Swiss government approves it. While this does happen occasionally, ProtonMail also pushes back on many cases that it objects to. Details of the cases in which it did and did not provide information can be found in its transparency report.
ProtonMail doesn’t require any personal details to sign up, so your account is essentially anonymous. This anonymity only goes so far, though. If you want true privacy, you should practice proper OPSEC, or Operational Security. Make sure that your email address doesn’t include any identifying information, and don’t reuse the handle of another email address with ProtonMail, as this could be used to link the two accounts.
Messages between ProtonMail accounts are encrypted from end to end and all emails are encrypted when stored on ProtonMail’s servers. This means that ProtonMail can’t access or analyse your emails at all, or hand over that data.
ProtonMail offers a hidden Tor site, also known as an onion site, that can be accessed over the Tor network for connection and IP address anonymity. You should be aware that a lot of governments actively try to track activity on the Tor network, meaning it may in some cases draw more attention to you than just accessing the site normally.
What can be traced
As part of their service, ProtonMail does temporarily log some metadata such as IP addresses. This could potentially be used to identify you, or at least where you live.
Subject lines of emails, as well as the recipient and sender addresses, are not encrypted during transmission. This is because no email standard, not even the PGP encryption standard, supports encrypting this data. Thus, if you include sensitive or identifying information in the subject line, it could be visible to third parties. Any email you send to third parties is tied to your account and can be traced back to it, as your sender address will always be visible.
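To make the split between visible and protected data concrete, here is an added example (not part of the original article) that parses a PGP-encrypted message the way an intermediary would see it and reports which fields are readable. It uses only Python's standard `email` module; the message, addresses and ciphertext placeholder are constructed for illustration.

```python
from email import message_from_string

# Constructed sample of a PGP/MIME (RFC 3156) message as seen in transit.
# Addresses, subject and "ciphertext" are placeholders, not real data.
RAW = """\
From: sender@example.com
To: recipient@example.org
Subject: Meeting at the usual place
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <constructed-1@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(placeholder for the encrypted body)
-----END PGP MESSAGE-----
--b1--
"""

# Headers that mail relays and the receiving provider can read or record.
METADATA = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def exposure_report(raw):
    """Return (cleartext headers, content types of PGP-encrypted parts)."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in METADATA if msg[h] is not None}
    protected = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container only; the leaf parts carry the payloads
        if "-----BEGIN PGP MESSAGE-----" in part.get_payload():
            protected.append(part.get_content_type())
    return exposed, protected

if __name__ == "__main__":
    exposed, protected = exposure_report(RAW)
    for name, value in exposed.items():
        print(f"cleartext  {name}: {value}")
    for ctype in protected:
        print(f"encrypted  body part ({ctype})")
```

Only the body part is covered by the encryption; the sender, recipient, subject, date and message ID all travel in the clear.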
The content of emails sent to third-party email platforms will be visible to those third parties unless you use the encryption feature. This could allow the third party to perform analysis of the content of the email.
Overall, ProtonMail offers more security and privacy than most email providers, as much as is technically possible, without limiting compatibility. Due to the nature of email, the emails you send can be traced back to your account. Due to how web systems work, ProtonMail would be able to monitor the IP address from which you access its service. This could potentially be used as part of a process to identify you, but due to strict Swiss privacy laws, the bar of entry for this to happen is high.
If you’re interested in a security- and privacy-focussed email provider, you can’t really go wrong with ProtonMail. If you’re really worried about having your actions traced, however, you should probably either avoid digital systems entirely or try to resolve the issues with the people trying to trace you.