A police inquiry into a bomb threat that was emailed to dozens of schools in and around the Bengaluru region of India has inadvertently illustrated how robust the privacy protections offered by ProtonVPN are.
How has a bomb hoax helped Proton VPN?
The bomb threat in question was issued on December 1st this year. It was sent to almost 70 different schools in and around the Bengaluru area.
Fortunately, the threat was a hoax, and nobody was hurt, but, needless to say, the local police are keen to get the bottom of who sent it.
Their keen detective work enabled them to trace the email to a Cyprus-based private domain email service provider called Beeble.com. If you haven’t come across Beeble.com before, it is an end-to-end encrypted email service.
Because the email service is encrypted, there was only limited information Beeble were able to share with the Bengaluru City Police. However, they did confirm that it was sent from a user who was deploying a VPN.
Further investigation revealed that the VPN in question was the Switzerland-based ProtonVPN.
As the story of this incident in The Hindu national newspaper rightly made clear, Proton VPN is “known for its end-to-end encryption and focus on privacy.”
How Proton VPN’s protocols protected its user
Proton VPN was then approached by the Bengaluru City Police to help them with information about their user. As one senior official explained to The Hindu, this is where their inquiry ground to a halt.
“Proton VPN has asked us to put up the request through the Mutual Legal Assistance Treaty (MLTA),” he explained. “This will take a long circuitous route — we need to send a questionnaire to the CID, who will send it to CBI, who will, in turn, send it to the Interpol and to local Swiss authorities, who will send the query to Proton VPN.”
This might sound petty, but it is the due process that has to be followed when the Indian Police want information from a Swiss-based company. Proton VPN is well within their rights to request such an approach.
However, even if such a lengthy process is followed, the chances are that Proton VPN will not have anything to tell the Bengaluru City Police. And they know.
As the same official explained, “Proton VPN is notorious for its stress on privacy. They have a no-logs policy, which essentially means they will likely claim the user cannot be tracked as the logs are not recorded at all.”
He is right, and frankly, it is refreshing to see such a clear-headed understanding of how premium VPNs work from a law enforcement official when so many of them seem to think if they demand data loudly enough, it will somehow magically appear.
As a result of Proton VPN’s role, the Bengaluru City Police are resigned to not being able to solve this case.
The expectation is that the investigation will hit a dead end exactly as a similar one did in 2022.
“In the 2022 case, the email was initially traced to Syria, but as more layers of VPN were uncovered, the trail finally went cold in Pakistan,” an officer involved in that case told The Hindu. “We couldn’t trace the final user who sent the mail from across the border. We gave our inputs to security agencies and are not aware of further developments.”
Proton VPN just doing its job
That is not to suggest that emailing in bomb threats is something that should be advocated in any way. It is a truly obnoxious crime, and whoever was responsible should be thoroughly ashamed of themselves and if possible brought to justice.
But the right to privacy online is absolutely paramount and this case is just another piece of evidence that shows how important VPNs are at protecting the online privacy of their users.