‘Like An Amoral Infant’ – How ProtonMail Contributes To False Media Claims About Belarus

May 30, 2021

ProtonMail, an encrypted end-to-end email provider in Switzerland which promises ‘Swiss Privacy Data Security and Neutrality’, has been busted for making false claims about bomb threat emails which were sent through its service to Minsk airport in Belarus as well as to airport authorities in other countries.

The despicable behavior of ProtonMail has led to false headlines like the one by UPI depicted below.

ProtonMail may or may not have made that quite explicit headline claim. It is however 100% false. Belarus received a legit bomb threat against a Ryanair flight via an email sent through the ProtonMail mail servers. After receiving the email it contacted the plane in question and recommended to the pilot to divert the plane to Minsk. The pilot voluntarily followed that advice.

ProtonMail has made no effort to correct the false impression and false headlines its statement has caused. It has instead obfuscated the issue as much as it could. That is neither neutral nor fair behavior but partisan lying in an information war waged by ‘western’ regime changers against the people of Belarus.

Due to the malign behavior of ProtonMail new sanctions against Belarus, which will directly or indirectly hurt every Belorussian citizen, were introduced by the United States, the EU and other countries.

Moon of Alabama has detailed the publicly available evidence of the case and has called on ProtonMail to correct the record. ProtonMail responded and communicated with me via Twitter. In its communication with me ProtonMail indirectly admitted that the above headline is wrong. The complete exchange is of public interest and therefore copied below.

How did this happen?

On May 23 at 9:25 utc some yet unknown person used a ProtonMail email account to send a bomb threat against Ryanair flight 4978 witch at that time was in the air flying from Greece to Vilnius, Lithuania.

The email was directly addressed in the “Send to:” field to the Lithuanian administration responsible for Lithuanian airports. The airport of Minsk, Belarus, with the email address info@airport.by, was copied in the “CC to:” ‘Carbon copy’ field of the very same email.

In communication with me ProtonMail tried to claim that this meant that Minsk was not directly addressed in that email. That is nonsense. Any email server will handled email addresses in the “Send To:”, “Carbon Copy (CC) to:” and “Blind Carbon Copy (BCC) to:” fields equally in that it will resolve the IP-address of the appropriate server responsible for receiving emails to that email-address. It will then open a session with it that server and deliver the mail. It makes no difference for the receiving side in which “To:” field of the sent email it was mentioned. It will get a full copy of the email.

Minsk received the first email at 9:25 utc. At 9:30 utc Ryanair flight 4978 entered Belorussian airspace. It was immediately contacted by the Belorussian Air Traffic Control (ATC) and made aware of the bomb threat against the plane. The complete English language radio exchange between the Ryanair pilot, call sign RYR 1TZ, and the ATC as well as a narrative of what had happened was published by the Belorussian air traffic authorities (scroll down for the English version and the radio transcript).

The pilot then asked where the bomb threat had been coming from (emph. added):

Pilot: The bomb….direct message, where did it come from? Where did you have information about it from?
ATC: RYR 1TZ standby please.
ATC: 09:33:42: RYR 1TZ
Pilot: Go ahead.
ATC: RYR 1TZ airport security stuff informed they received e-mail.
Pilot: Roger, Vilnius airport security stuff or from Greece?
ATC: RYR 1TZ this e-mail was shared to several airports.

At 9:33 utc (12:33 local time) the air traffic controller communicated that Minsk received the warning in an email that had been addressed to multiple entities.

This directly contradicts the above UPI headline which was based on a misleading statement ProtonMail had made towards news agencies.

The Ryanair pilot was warned of the bomb threat at 9:30 utc. He/she took until 9:47 utc to decide on the issue to then declare MAYDAY. Only several minutes later did the pilot changed the plane’s course towards Minsk.

A second ProtonMail email with the bomb threat was received at Minsk airport at 9:56 utc (12:56 local time). The sender of the second email, which was addressed to info@airport.by in the “To:” field, might have watched the plane’s course live on Flight Aware and likely prepared and sent the second email when the plane, as visible in the flightpath, seemed to not react to the first threat.

The pilots decided to go to Minsk because the risk of a potential bomb going off over Vilnius, as announced in the email, was high. The Belorussian authorities have handled the case by the book. They scrambled a fighter jet to watch over the plane as is usual with any plane that gets threatened or hijacked. The Ryanair pilot was left unaware of this.

On May 28 the Investigative Committee of Belarus, the country’s prosecution service, published a note about the case (machine translation, emph. added):

Read also:
Nationalist candidate Ersin Tatar wins Turkish Cypriot leadership vote

It has already been established, to which we draw special attention, that there were several messages about the “mining” of the aircraft received through the Swiss anonymous mail service ProtonMail – at 12:25 and at 12:56. At the moment, the records of conversations with the pilots of the aircraft are being studied and analyzed in detail, and numerous other investigative actions are being carried out.

On May 26 the Dossier Center, a rather shady anti-Russian outfit in London financed by the exiled billionaire and company raider Mikhail Khodorkovsky, published a misleading narrative about the Ryanair incident. It produced a screenshot of the second email that had arrived at Minsk airport and falsely claimed that Belarus receive a bomb threat email only at 9:56 utc. The Daily Beast, which collaborated with the Dossier Center, headlined:

‘Bomb Threat’ That Justified Belarus Hijacking Came 24 Minutes After
An exclusively obtained record shows that the Ryanair ‘Hamas bomb’ email—which the Belarus president said prompted the jet landing—was sent after the crew was told of a ‘threat.’

The claim was false. Minsk airport, with the email address info@airport.by, had been CCed, ‘Carbon Copied’, in the 9:25 utc email sent “To:” Lithuanian authorities. Minsk airport was directly addressed in the second email of which the Dossier Center and the Daily Beast, by unknown means, acquired the screenshot they published.

News agencies then contacted ProtonMail and asked about the validity of the 9:56 utc email the Dossier Center had published. ProtonMail stated that the 9:56 utc email had been sent to Minsk airport. It did not mention that the 9:25 utc bomb threat email was also sent to Minsk airport. This obfuscation of the issue, and ProtonMail’s unwillingness to correct the record, directly led to the false headlines and to sanctions against Belarus.

You can check the validity of the above narrative from my recent communication with ProtonMail, published for your amusement below. Earlier communication with ProtonMail was published in my previous post on the issue.

At some point the @ProtonMail account on Twitter requested to move the communication from the public realm to Direct Messaging (DM) mode. I followed up on that request. I was never asked to nor did I promise to keep the direct messaging exchange with @ProtonMail private. I believe that publishing its content is of public interest.

Here is a screenshot of the most relevant part.

And here is the whole rest of it, typos included:

Moon of Alabama @MoonofA – 14:51 utc · May 29, 2021
New on MoA:
How @ProtonMail Lost The Public Trust It Needs To Do Business

ProtonMail @ProtonMail – 15:07 utc · May 29, 2021
Replying to @MoonofA
Just to reiterate, it is not that we don’t want to comment on the first email. Rather, our current privacy policy does not let us comment as the first email is not yet in the public domain. We do expect government authorities to disclose it eventually however.

Moon of Alabama @MoonofA – 15:12 utc · May 29, 2021
Replying to @ProtonMail
Knowledge of the first email is in the public domain – see my blogpost.
You can comment on the metadata of that first email just as you did comment on the metadata of the second email.
Media attribute a false claim to your company. It should by your interest to clean that up.

Moon of Alabama @MoonofA – 15:16 utc · May 29, 2021
Replying to @MoonofA and @ProtonMail
Any delay in clearing up this issue will create more damage and hurt people.
That on your conscience. But then don’t claim to be neutral and secure.

ProtonMail @ProtonMail- 15:16 utc · May 29, 2021
Replying to @MoonofA
Then you would also be aware that the Lithuanian government did not contact Belarus, which raises the question of how did Belarus know about the first email.

Moon of Alabama @MoonofA – 15:17 utc · May 29, 2021
Replying to @ProtonMail
Because Belarus also received the first email. It states so in several documents.
It is on you to confirm that.

ProtonMail @ProtonMail – 15:21 utc · May 29, 2021
Replying to @MoonofA
Actually, if you double check the public reporting on the issue, sources are clear in stating that “only Lithuanian Airports received a letter”.

Moon of Alabama @MoonofA – 15:24 utc · May 29, 2021
Replying to @ProtonMail
Dossier Center makes that claim but provides zero evidence for it. How would it know unless you checked your systems and told them?

Moon of Alabama @MoonofA – 15:26 utc · May 29, 2021
Replying to @MoonofA and @ProtonMail
BTW – I just wrote a 2600 word blogpost on the issue.
You may want to read that.
Some 50,000 other people will do so.

ProtonMail @ProtonMail – 15:27 utc · May 29, 2021
Replying to @MoonofA
We have never had contact with Dossier Center. Any information, would have been obtained from Lithuanian authorities with access to the email.

ProtonMail @ProtonMail – 15:30 utc · May 29, 2021
Replying to @ProtonMail and @MoonofA
As we have already reiterated, none of the emails which have been cited in any of the reporting, are sourced from us, because we cannot read/access emails due to our encryption, which can be verified in our publicly audited source code.

Read also:
Appel de Gilets Jaunes à créer des Maisons du Peuple partout

ProtonMail @ProtonMail – 15:44 utc · May 29, 2021
Replying to @ProtonMail and @MoonofA
Lastly, we can’t comment on non-public information found in external reporting. Your question should be directed to the source of this information, the dossier center, and not to Proton.

Keith Granger @regnarGhtieK – 18:11 utc · May 29, 2021
Replying to @ProtonMail and @MoonofA
Wow, Proton, there is no good reason for you to not tell the world the timing of the first email & whether it went to Belarus or not
You’ve already said enough to cause harm & made yourselves look partisan
Do you have no shame – as of right now you look like an amoral infant.

ProtonMail @ProtonMail – 18:16 utc · May 29, 2021
Replying to @regnarGhtieK and @MoonofA
Commenting on non-public information related to an on-going Swiss govt investigation is generally not permissible. @MoonofA can DM us for clarification.

At 18:18 utc yesterday I followed up on @ProtonMail’s suggestion to move into Direct Messaging (DM) mode. Tweets exchanged in that mode are not directly linkable. I copy/pasted the exchange below. For clarity I have marked tweets from my @MoonofA account with a preceding “M:”. Tweets by the @ProtonMail account are preceded by “P:”.  I also provide screenshots of the complete communication (1, 2, 3, 4). The screenshots were made today, May 30. The time marks displayed in the exchange are UTC+2.

ProtonMail @ProtonMail

Incoming envelope Secure email that respects your privacy, brought to you by CERN and MIT scientists. Creators of @ProtonVPN & @ProtonCalendar | Maintainers of @openpgpjs

321 Following 218.6K Followers

Joined October 2013

So now you claim that there is a Swiss government investigation.
Wondering why there would by one?
Yesterday, 8:18 PM

There is an investigation ongoing, and as disclosed in our statement yesterday we have received legally binding requests from the swiss government. It seems you are determined to push the belarusian narrative. if you were to receive confirmation that there was no first email sent to minsk, would you actually change your story?
Yesterday, 8:22 PM

I do not push anyone’s narrative but analyze facts and point out were I see mismatches in the various claims.
If you would publicly(!) state that there was no email sent from any ProtonMail account to info@airport.by on May 23 at or about 9:25 utc I would publicly accuse the government of Belarus of publishing misleading information. I would also publicly demand an explanation from it.
Yesterday, 8:33 PM

we are not permitted to comment on specifics, but we can say that the reporting by dossier.center is more correct than the belarussian version, which by the way, does not explicitly say that the first email was sent to minsk. all they did was repeat the claim that there was a first email, without clarifying where it was sent.
in other words, the conclusion you have drawn in your blog post is incorrect and we hope you will correct it.
Yesterday, 8:41 PM

That is, again, a very mealymouthed (“more correct”) and unproven claim by you.
You are insinuating that Minsk got the email from elsewhere, not from ProtonMail.
Maybe by snooping on Lithuanian accounts or by being copied on emails sent from a Lithuania administrative account to its airports.
Knowing the current hostile relations between Lithuania and Belarus and the Belarus statement on the issue we can exlude the second alternative.
We are told by Dossier Center that the 9:25 utc email was sent to one Lithuanian administrative account, not directly to its airports. The ATC in Belarus tells the pilot at 9:33 utc that the email “was shared to several airports”.
Belarus prosecutor also claims that the email arrived in Minsk from ProtonMail at the very same minute that Dossier Center says it arrived in Lithuania.
The facts and timeline I know of are inconsistent with a snooping operation and with a sharing of the email by Lithuania.
My conclusion are unchanged.
Yesterday, 9:10 PM

Only one email went to belarus, and it was the one that dossier center published, which is in public domain.
Yesterday, 9:12 PM

Interesting claim, made privately in a DM, but I fail to accept that as it is not a ‘public domain’ fact.
As I said: “If you would publicly(!) state that there was no email sent from any ProtonMail account to info@airport.by on May 23 at or about 9:25 utc …” I will change my conclusions (and blog post).
(PS: It is nearing bedtime here and social responsibilities demand me to sign off for today.)
Yesterday, 9:21 PM

ask dossier center if the email to lithuania had belarus in cc. they should be able to give you a confirmation.
Yesterday, 9:25 PM

Anyone who is in CC of an email is a direct recipient of that email. That is independent of who is named as the first recipient in the “To” field.
It is your email server that will have directly sent a copy of an email to everyone in the “To” recipient, CC or BCC field of that email.
If Minsk airport was CCed in an email to Lithuania it was your email server that contacted and transmitted that email to the server that accepts email for info@airport.by .
To then claim that ProtonMail did not sent the email to Minsk airport when Minsk airport was CCed in that email is a lie.
(I have set up and configured my first sendmail daemon at or about 1987. Please don’t try to bullshit me with such nonsense.)
Yesterday, 9:40 PM

Read also:
The Greek people are tax hostages to the Troika and the bankers

we are checking with legal right now, and will update in an hour
Yesterday, 9:45 PM

but as we mentioned already, Only one email went to belarus, and it was the one that dossier center published, which is in public domain.
Yesterday, 9:46 PM

Clarification regarding ProtonMail, Belarus, and Ryanair flight 4978
we are going to update our statement here (http://protonmail.com/blog/belarus-ryanair) later tonight. will you be updating your blog to report the truth?
Yesterday, 10:12 PM

The ‘updated’ statement that ProtonMail published is again a mealymouthed obfuscation which in no way clarifies the issue. It says:

The only email sent to Belarus was published by dossier.center to demonstrate that the “bomb threat” was sent after Ryanair flight 4978 was redirected.

That statement is however in contradiction to the public ProtonMail tweet at 15:07 utc · May 29, 2021:

… it is not that we don’t want to comment on the first email. Rather, our current privacy policy does not let us comment as the first email is not yet in the public domain …

It is also contradicted by the Belorussian prosecutor who clearly states:

… there were several messages […] received through the Swiss anonymous mail service ProtonMail – at 12:25 and at 12:56 …

It seems to be clear from the above communication and the publicly known facts that Minsk airport was CCed in the first email on May 23 9:25 utc which was primarily addressed to the Lithuanian airport authority. While Minsk was CCed in the 9:25 utc email it was primarily addressed in the second email received at 9:56 utc.

ProtonMail tries to differentiate between recipients of an email which are primarily addressed in the “To:” field and those which are copied in the “CC:” ‘carbon copy’ field. That is legally gibberish and technically nonsense. The sending email server, here ProtonMail’s, will have handled all those addresses equally.

ProtonMail has the metadata which shows that info@airport.by in Minsk was carbon copied on the 9:25 utc email. It has stated to news agencies that (only) the second email was directly addressed to Minsk airport. This led to the false or misleading headlines and reporting as well as to sanctions against the people of Belarus. ProtonMail seems unwilling to publicly clarify the issue. It is not ‘neutral’ but is taking part in an information war waged by the ‘west’ against the people of Belarus.

Now ask yourself if you can trust ProtonMail with the handling of any of you ‘encrypted’ emails.

PS: We do not know who sent the bomb threat emails and to what purpose. Some will speculate that some Belorussian authority did so. Others will speculate that the ‘regime change’ opposition did it so to hurt Belarus. There is no public evidence to support either claim.

We do know that Belarus, after it received the 9:25 utc bomb threat email, handled the case by the book and within the realms of international law. After being informed of the threat the Ryanair pilot decided to divert the plane to Minsk where it was searched for a bomb. When none was found the crew and all passengers, except for two for whom there were outstanding arrest warrants and three who had had Minsk as their final flight destination, reentered the plane and flew to Vilnius.

I do not support the government of Belarus. But I also see no reason to criticize its behavior in this case. There is reason though to criticize the misreporting of the incident in ‘western’ media and to condemn ProtonMail’s obfuscation which. at a minimum, contributes to that.

Previous Moon of Alabama post on the Ryanair incident in Belarus:

Published at www.moonofalabama.org

Also read

Proton, a company which is often issuing denials

How ProtonMail Lost The Public Trust It Needs To Do Business