"Thank you for reaching out and sharing your concern. We understand why this story is alarming, and we want to give you a clear picture of what actually happened.
First, Proton did not provide any information to the FBI. The data was obtained by the Swiss Federal Department of Justice through a Mutual Legal Assistance Treaty (MLAT) process. Proton operates exclusively under Swiss law and only responds to legally binding orders from Swiss authorities, after all Swiss legal checks have been passed. This is clearly stated in our TOS and Privacy Policy.
In this specific case, Swiss authorities determined that the legal bar was met because a law enforcement officer had been shot, and explosive devices were involved during an incident in 2024. Switzerland has one of the strictest privacy frameworks in the world, and legal assistance is only granted in cases involving serious criminal matters.
Importantly, the only information that could be disclosed was a payment identifier because the user chose to pay by credit card although Proton accepts gift cards, cryptocurrency and cash. No emails, no message content, and no communications metadata were handed over. This actually demonstrates how little data Proton holds by design, our end-to-end encryption means we cannot access email content even if ordered to.
We hope this provides some reassurance. Please don't hesitate to reach out if you have any further questions.
Best Regards, The Proton Mail Team"
The real scandal here isn't Proton Mail's compliance. It is that the FBI is seemingly monitoring the financial transactions of millions of citizens' bank accounts.
This can happen with Mullvad too. If the FBI spots a Mullvad purchase on anyone's bank account, they can go up to Mullvad with the Order ID, date, and credit card digits, and request Mullvad to redirect VPN traffic of that specific Order ID to the FBI's own monitoring servers.
a little snippet of the article can help reduce the number of people who have a knee-jerk reaction to whatever the headline says
For readers who do not want to pay to read the article, the headline leaves incomplete context and creates a misleading impression of the story. That damages Proton’s reputation, and the missing context is only available if someone pays for the article, reaches out to Proton, or searches forums for substantive information.
The Proton user had bad opsec by using a credit card to pay for the account.
Had Proton just turned data over to an out of jurisdiction LEA, then it's more of a complaint. But they followed their policy and law here.
Proton offers a Tor address for accounts requiring anonymity rather than just privacy. The crux of this is on the account user.
Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
Although I guess the server location didn't matter in this case since all they wanted was the billing information and the credit card info to identify the person.
They said they want to relocate to Germany which, I would say in a polite way, is much worse in this regard.
Former attempts at surveillance have been struck down in the Bundesverfassungsgericht, and the right to privacy has even been affirmed for foreigners (as opposed to other countries like the US that reserve that foreign nationals have zero due process rights for invasion of privacy).
Their end-to-end encryption is pointless because the vast majority of any recipients will just leak the plaintext emails via their own account providers anyway. It only works under very specific circumstances (all parties are using it). I think their marketing overstates what their secure private email actually means.
You shouldn't even need that. A warrant isn't a strongly worded letter that they can just turn down. It's the law. Therefore you should assume that if the police can get a warrant, they can get your data. Even for people who don't follow the law (criminals), there's no guarantee they won't snitch on you.
You want to be anonymous? Don't use your credit card! Don't connect from your home internet connection. (I don't know whether this person did because I can't read the story due to the login requirement). Either way, total non-story. Anyone whose potential adversary is a powerful government should already know this stuff.
Either way, Proton didn't help the FBI. The article title is deceptive and implies a degree of insidiousness or dishonesty that has not been demonstrated by Proton in this case.
> Proton Mail complied with a legal demand they had no choice but to comply with
Are you trying to say that any compliance is by definition help? Like if the FBI subpoenas my public key and I comply, that’s helping them?
Privacy and anonymity are a gradient. If I needed real opsec from government threats I wouldn't tie a credit card to a service.
Whether they store such info for cryptocurrency payments as well (no chargeback risk) would be telling.
If you don't want to receive the punishment for thought crimes, which is being threatened outright more loudly every day, it's increasingly difficult to actually have a dissenting voice online. Don't believe me? Set up a Linux VM, Mullvad VPN with a killswitch, then run Tor browser. You MAY be able to get a TutaMail account, which requires a backup e-mail that disappears after a short period of time (allegedly), and then a Proton account with the TutaMail account as your required backup there, but all of the privacy-first "anonymous" services require some form of verification. Then, if the social media network isn't blocking you from signing up via Tor exit nodes outright, you are immediately shadow banned.
I remain very annoyed with the massive number of engineers that are making it possible for people who can't figure out how to check their e-mail to utilize advanced technology to spy on us, steal our tax money, pervert the technologies we build, and indiscriminately murder innocent people.
We are a community of greedy ladder pullers and that's so disappointing.
I use it often...
To the extent it works that's a loophole. I can't speak to proton specifically but the majority of services don't want to permit disposable email because the entire point is to cut down on spam and abuse.
I can appreciate having the option of providing a phone number or email or whatever but I think the state of the ecosystem is telling. The option for anonymous email with PoW per outgoing email isn't provided despite largely addressing the commonly cited rationale for requiring some sort of verification. And we're still stuck bashing PGP, shilling for competing E2E message solutions while it's plain as day that the vast majority of commerce isn't going to move off of email any time soon. Meanwhile TLS can figure out how to distribute public keys via DNS as part of implementing ECH in all major browsers over a period of less than a decade.
If willing, I would appreciate some examples, actual or hypothetical. I have left a few comments regarding my concerns over AI and have been surprised by the hostile reactions. Much of my research kindof revolves around a central concern matching your statement. But my perspective is in a vacuum, out of touch with what others are dealing with. Feel free to ignore this if not comfortable.
But my personal experience is something snapped in a lot of people during COVID when people asked reasonable questions like — “is an experimental gene therapy really QALY positive in populations not at risk, such as healthy children?”
According to government actuarial tables, the answer was no: the UK government concluded that there was no point at which for those under 40 the immunizations prevented more serious outcomes than they caused. But people were (and often still are) absolutely rabid if you point out we (in administering a QALY negative treatment to a vulnerable population) decided to poison children and young adults en masse. I’ve had people look up my mother on Facebook for calmly citing UK government actuarial reports, which did the calculation on COVID vs vaccine harms.
That’s setting aside that on HN you’d get shadowbanned for even posting the clip of BLM leaders describing themselves as “trained Marxists” and BLM itself as Marxist in ideology. Apparently, no matter how politely you state facts, if HN froths irrationally in response it is an “inherent flamewar”.
But I’m not sure I qualify for what you’re asking, as I generally post under my true identity, not anonymously.
Hyperbolic? Sure. But we live in a society that reinforces the idea that the performance enhancement is worth it. But there is a cost, and what you've described is it.
like no shit people are going to be more willing to do the bidding of evil when their decision making apparatus is unnaturally saturated. and no shit people are going to have ADHD symptoms in a screen based society. it's completely obvious. but me saying that is going to get down voted to oblivion. people don't enjoy having a comfortable narrative questioned; dissent (no matter how minor) is equivalent to full scale assault on perceptions of existence. that being said, I don't blame anyone for this, considering that the entirety of existence is currently geared towards forcing the populace into fight or flight mode, thus rendering null the capacity to exact societal change and disrupt the status quo.
people really do think their best interests are at the heart of billion dollar companies like those producing pharmaceutical goods !
Were you one that voted for laws that protected our privacy?
Were you one that upvoted comments in forums that said software engineers needed a standard of ethics?
Were you one that downvoted every post saying we should have unions in software so we can protect ourselves as a group?
Or were you greedy like the rest of us, saying, I don't want any of those things because I can make more money without them?
This is where the hunt for more money has taken us, and it only gets worse from here.
In other professions such unions inevitably end up building a chummy relationship with the government and going along with whatever it says, software engineering wouldn't be any different. If anything it'd be worse because the government could pressure the union into removing the license of engineers who make privacy-preserving software.
Historically, there won't be trials for this when it gets worse, so there won't be anyone charged or convicted. They will eventually just be murdered by a secret police force.
A high profile interesting example of this is the assassination attempt on Brett Kavanaugh. If you look at the details none of the actions would have been an attempt if not for the intent.
It is an interesting thought experiment as to how many actions you have to take for a crime that you don’t commit to be charged as an attempt or more broadly as conspiracy and at what point people are allowed to change their mind. We see this in terrorism cases pretty frequently.
Proton is one of the few services who accepts anonymous payment, and cannot themselves provide encrypted content in cleartext. They cannot save you from yourself, though.
it absolutely should be news when the company who heavily promoted themselves to normies as safe, encrypted, and private is sharing customers' data which is ending up in the hands of authoritarian foreign governments who are hunting for protesters.
This is a highly deceptive title. As if Proton proactively helped the FBI, which is not even close to the truth. Proton is not even in direct contact with the FBI. It's the Swiss government that forwarded the info to the FBI.
A much better title would be:
Proton Mail Payment Info Helped FBI Unmask Anonymous 'Stop Cop City' Protester
Or
FBI Unmasked Anonymous 'Stop Cop City' Protester via Proton Mail Payment Info
The point is informing the normies that your payment info is linked to your identity and a potential risk to your anonymity.
That clickbaity title makes me want to unsubscribe from their RSS feed.
> then it turns out they may be sharing data with the swiss government who then gives it to the us government.
Literally every legal business complies to law enforcement. They have to.
What is horrifying are big corporations giving access to all user data without recourse. That my data in Europe is sent to the USA and accessed without limits by their government is a crime and a very dangerous situation.
- Fighting crime in an open criminal case with judge oversight is a very good thing and part of keeping the rule of law.
- Collecting data from all users without probable cause is a crime and will have nefarious consequences for all of us.
Know the difference.
Is there a specific story you’re referring to? Mind sharing a link? I have no intention of disputing it, I just haven’t heard of that particular case.
But just the other week there were stories all over HN about Google banning accounts for accidental Gemini ToS violations
Not really, that's a minute procedural distinction without a difference.
> can only happen after all Swiss legal checks are passed.
Oh, don't worry, US also has some "checks", just as useful!
> we understood that a law enforcement officer was shot and explosive devices were involved
And now you're just compounding your fail by siding with the notorious liars against your own customers.
Re. at the moment not sure, that depends on their jurisdiction, but that's another thing - why don't they explain what's possible and what and why they did/didn't do?
"Authorities were investigating [them] for their connection to arson, vandalism and doxing"
And there it is.
Civil disobedience means accepting punishment. Literally "letter from Birmingham jail" was sent from a jail in Birmingham for a reason.
Proton only has access to your IP and device ID, not your data. With IP and device ID, you can easily track a user, like finding the ISP, etc.
Do you wanna do naughty things?? Don't use such services to do so.
And ironically, this 404 Media is the only place I found covering this information and they require you to log in to read the whole thing.
Hmmmmmmmmmmmmmmmmmmmmm red flag big time!!!!
Kagi is to google as proton is to gmail.
You get web mail, custom domains, decent security, decent spam detection, solid features, and no PII being sold. Nice, clean, simple - I like paying them money. I feel good about doing business with them, and I don't run into that often these days.
I really don't like this about proton, they're always going on about their encryption but most emails they've seen in plain text on their SMTP servers. Because that's just how SMTP works. And so has the provider of the other party.
Once they've put them in your mailbox they can't decrypt them again but I always consider a single exposure a loss of confidentiality. The only emails this doesn't apply to are those from people using PGP (yeah all three of them) and those on proton themselves.
In my view this Achilles heel makes most of their protections irrelevant. But they still market it as if it's the email equivalent of signal, which actually can't see what you say at any point of transit. And non technical people have no idea about the difference.
Ps I'm not blaming proton for not having a technical solution for this because interoperability makes it an unsolvable problem. But I do blame them for their marketing around it.
Is that really what happened here?
If the person or politics / group, they don't support, then they have no problem just straight up making stuff up.
Like the hit piece on Elon's Grok where it was "doxing" porn stars' names, but in reality all it did was just search the web online and get the info from the first website it could find.
But they made it seem like it was some hidden info that only Grok and Elon would know...
Yes, correspondence between you and Build-A-Bear, and between you and your local terrorist cell, are unencrypted individually. But Build-A-Bear presumably doesn't know about your correspondence with the cell, and the latter presumably has some interest in not sharing organizational data access with the former.
I suppose you do have to trust that Proton isn't served a directive to snoop on your correspondence in transit with other providers. But that's still a much better position than leaving all of your historical data unencrypted at rest.
Or any similar service from another vendor? Or hosts their own email. If someone using Protonmail emails me, their data is also not getting sold for example, it's just stored on my laptop
I like Proton. I use Proton.
However, the problem with proton is that if you access your email via a web browser, there's nothing stopping protonmail (to my knowledge) from reading your email from within their webapp via JS. This type of attack could be targeted at the behest of authorities.
So, actually, Proton COULD read your email (IFF you use webmail).
The authorities can also read your self-hosted email if they had a warrant to search your house. Even if you enable FDE they can do a cold boot attack.
They can just send things without e2ee from any of their clients (not just web).
> This type of attack could be targeted at the behest of authorities.
No? How can authorities tell them how to do their business?
In theory you could open up your protonmail account over tor and with bitcoin (or does that not work anymore?).
It's been a good while since I tried them out. Why I don't recommend them anymore is because when I didn't extend my subscription in time (expecting an account downgrade), my mail was locked and emails held on to as ransom. Allowed to log in only for payment.
That was one red flag from me, the second was when they shared IP address logs of a French protestor. E̶v̶e̶n̶ ̶t̶h̶o̶u̶g̶h̶ ̶a̶t̶ ̶t̶h̶e̶ ̶t̶i̶m̶e̶ ̶t̶h̶e̶y̶ ̶h̶a̶d̶ ̶a̶ ̶n̶o̶ ̶l̶o̶g̶s̶ ̶p̶o̶l̶i̶c̶y̶,̶ ̶i̶f̶ ̶I̶ ̶r̶e̶m̶e̶b̶e̶r̶ ̶c̶o̶r̶r̶e̶c̶t̶l̶y̶.̶ ̶O̶r̶ ̶i̶f̶ ̶I̶ ̶d̶o̶n̶'̶t̶.̶
You probably aren't remembering correctly given that they specifically have a "login logs" option that can be toggled on/off.
If you are so hard-pressed to do something, then maybe set up your own SMTP server.
>Sign up with no phone number: Get a private email account without handing over more personal data than necessary, making it harder for advertisers, data brokers, and other services to track you online.
I guess it doesn't mention law enforcement so ¯\_(ツ)_/¯
That the person you're exchanging messages with, has your messages, is hardly a surprise. Not everyone-but-Proton sells your data though so it's not quite that black-and-white
If you don't want info being given to law enforcement by third parties, your best bet is to make it so that nobody else has access to it in the first place. You might get away with third parties that are in a jurisdiction unfriendly to wherever you live. Definitely don't hand over your info to a company in fricken' Switzerland and then be surprised when they comply with law enforcement requests for it.
You might need to pay more than that.
The whole idea of encrypted email is pointless. There's absolutely no guarantee it's encrypted in transit or encrypted at rest on any machines it transits through unless you encapsulate the messages with PGP, and then you still leave a trail of envelopes everywhere. Any government who wants your data will come round and beat it out of you or the provider as best as they can. And if you have to pay the provider, as evidenced here, they can point to you and then beat you for it. Beating being metaphorical or otherwise.
Use any old shitty email provider and make sure you can move off it quickly if you need to. Standard IMAP, not weird ass proprietary stuff like proton. Think carefully what you do and say. Use a side channel for anything that actually requires security.
And from what little I can tell from the article, it was account payment data, not content from the account.
Proton was never designed or advertised to resist this kind of threat.
I cancelled my Proton account when all of that hit Mastodon. Their VPN was good, but I don't support Nazis and their toadies.
The single most useful link I found was this Reddit thread:
https://www.reddit.com/r/ProtonMail/comments/1i2nz9v/on_poli...
> [Proton's] homepage touts that “With Proton, your data belongs to you, not tech companies, governments, or hackers.” However, [...] Proton previously handed over an IP address at the request of French authorities made via Europol to Swiss police. Yen wrote a Twitter post at the time, stating, “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.” ---https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru...
Big surprise: Swiss company complies with Swiss law!
And the same happened now, quoting the part of the submission that you can read without signing up:
> privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
Anyway, regarding your claim, it's a whole rabbit hole of statements they made but broadly speaking it sounds like you're right: Vance supported legislation which Proton campaigned for and, subsequently (as of 2025-01), Proton loves the US Republican Party, believing they would stand up for 'the little guy'. To be fair, they bring some evidence that sound like it can be verified and back this opinion up somewhat, but even if it's a correct opinion on this sub-topic, it's still supporting authoritarianism. Anyway, this is where I'm going to stop trying to politically analyze their situation and just not recommend Proton anymore...