If you don't want to receive the punishment for thought crimes, which is being threatened outright more loudly every day, it's increasingly difficult to actually have a dissenting voice online. Don't believe me? Set up a linux VM, Mullvad VPN with a killswitch, then run Tor browser. You MAY be able to get a TutaMail account, which requires a backup e-mail that disappears after a short period of time (allegedly), and then a Proton account with the TutaMail account as your required backup there, but all of the privacy-first "anonymous" services require some form of verification. Then, if the social media network isn't blocking you from signing up via a Tor exit nodes outright, you are immediately shadow banned.
I remain very annoyed with the massive number of engineers that are making it possible for people who can't figure out how to check their e-mail to utilize advanced technology to spy on us, steal our tax money, pervert the technologies we build, and indiscriminately murder innocent people.
We are a community of greedy ladder pullers and that's so disappointing.
I generally just use tor browser and proton (verified through a disposable email address only accessed via the tor browser) - seems secure enough for me?
Yes it does have access to your data, at least any email coming from or going to another mail provider. Because those are not end to end encrypted. Only encrypted in transit (and even that is optional). So they need to handle the plaintext at the point of transmission.
I really don't like this about proton, they're always going on about their encryption but most emails they've seen in plain text on their SMTP servers. Because that's just how SMTP works. And so has the provider of the other party.
Once they've put them in your mailbox they can't decrypt them again but I always consider a single exposure a loss of confidentiality. The only emails this doesn't apply to are those from people using PGP (yeah all three of them) and those on proton themselves.
In my view this Achilles heel makes most of their protections irrelevant. But they still market it as if it's the email equivalent of signal, which actually can't see what you say at any point of transit. And non technical people have no idea about the difference.
Ps I'm not blaming proton for not having a technical solution for this because interoperability makes it an unsolvable problem. But I do blame them for their marketing around it.
Look at the numbers for number of people who die from interactions with police (both armed and unarmed) and then compare that to the extra violent deaths that happen because of defund the police polices and then let us know what you find. Only then can you make the claim you are implying. Otherwise you are doing the conspiracy theory thing where you present random data and then imply the idea you are pushing.
Proton isn't opsec, it's just the best available commercial clearweb host that still has to follow all the laws and comply with warrants, but won't be arbitrarily selling your metadata or engaging in the adtech garbage.
Kagi is to google as proton is to gmail.
You get web mail, custom domains, decent security, decent spam detection, solid features, and no PII being sold. Nice, clean, simple - I like paying them money. I feel good about doing business with them, and I don't run into that often these days.
Journalists should work for free. Which means that they are going to be paid by governments and corporations to spout propaganda because everyone has a mortgage to pay off...
I really don’t think 404 Media having a login gate is a red flag. They’re a business that needs to make money and the alternative to subscriptions is ads, which would be exponentially worse for user safety than what exists today.
That's 404 media's approach. That's why I only read their headlines.
In theory you could open up your protonmail account over tor and with bitcoin (or does that not work anymore?).
Its been a good while since I tried them out. Why I don't recommend them anymore is because when I didn't extend my subscription in time (expecting an account downgrade), my mail was locked and emails hold on to as random. Allowed to login only for payment.
That was one red flag from me, the second was when they shared IP address logs of a French protestor. E̶v̶e̶n̶ ̶t̶h̶o̶u̶g̶h̶ ̶a̶t̶ ̶t̶h̶e̶ ̶t̶i̶m̶e̶ ̶t̶h̶e̶y̶ ̶h̶a̶d̶ ̶a̶ ̶n̶o̶ ̶l̶o̶g̶s̶ ̶p̶o̶l̶i̶c̶y̶,̶ ̶i̶f̶ ̶I̶ ̶r̶e̶m̶e̶b̶e̶r̶ ̶c̶o̶r̶r̶e̶c̶t̶l̶y̶.̶ ̶O̶r̶ ̶i̶f̶ ̶I̶ ̶d̶o̶n̶'̶t̶.̶
>the second was when they shared IP address logs of a French protestor. Even though at the time they had a no logs policy, if I remeber correctly. Or if I don't.
You probably aren't remembering correctly given that specifically have a "login logs" option that can be toggled on/off.
I let my subscription expire and my account was never locked down or emailed held for ransom. I suspect there is another piece to the story you're either neglecting to mention or don't know.
last time i tried they asked for an email to link the account to. I don't think they provide anonymous accounts anymore, but you can probably create one with another anonymous email.
> Proton only has access to your IP and device ID, not your data.
I like Proton. I use Proton.
However, the problem with proton is that if you access your email via a web browser, there's nothing stopping protonmail (to my knowledge) from reading your email from within their webapp via JS. This type of attack could be targeted at the behest of authorities.
So, actually, Proton COULD read your email (IFF you use webmail).
>So, actually, Proton COULD read your email (IFF you use webmail).
The authorities can also read your self-hosted email if they had a warrant to search your house. Even if you enable FDE they can do a cold boot attack.
Is even that needed? Nothing e2ee about the emails you receive normally, they could just read them right away if they really wanted to. And that is to say nothing about the metadata.
Proton doesn't really protect anything email related unless the recipient is also using protonmail. The article also points out they sought payment data, not "IP and device ID" information.
Or any similar service from another vendor? Or hosts their own email. If someone using Protonmail emails me, their data is also not getting sold for example, it's just stored on my laptop
Where are the stories about all the other mail providers who routinely cough up everything about your email account, including full content, metadata, and full payment details, on a daily basis?
Proton is one of the few services who accepts anonymous payment, and cannot themselves provide encrypted content in cleartext. They cannot save you from yourself, though.
This should surprise exactly nobody after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
>after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
You shouldn't even need that. A warrant isn't a strongly worded letter that they can just turn down. It's the law. Therefore you should assume that if the police can get a warrant, they can get your data. Even for people who don't follow the law (criminals), there's no guarantee they won't snitch on you.
Source? We need the exact claim here, because there's a fine line between "we're in switzerland, so warrants aren't a thing!" (outright false) and "we're in switzerland, which have better privacy laws than other countries!" (debatable).
> Switzerland is a fundamentally different environment. Two of the things Switzerland is most famous for are also highly conducive to data protection: privacy and neutrality.
> When a law enforcement agency in the US requests user data from a Swiss company, it is illegal for that company to provide the data. At Proton, we reject all data requests from foreign agencies.
> Proton and other Swiss companies will only hand over user data when ordered to do so by a Swiss authority. And even then, Proton’s general policy is to challenge data requests whenever possible and only comply after all legal remedies have been exhausted.
So maybe your parent poster is confused? They do claim that being Swiss protects them from requests from foreign entities, but not Swiss entities. Which is what happened here, the Swiss authorities asked Proton for the data, then they handed it to the FBI.
Has Proton challenged the data and “only complied after all legal remedies have been exhausted”, though? That’s another question.
> The records provide insight into the sort of data that Proton Mail, which prides itself both on its end-to-end encryption and that it is only governed by Swiss privacy law, can and does provide to third parties.
Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
Although I guess the server location didn't matter in this case since all they wanted was the billing information and the credit card info to identify the person.
> Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
They said they want to relocate to Germany which I would say in a polite way, is much worse in this regard.
In what sense? Germany has among the strongest judicial oversight for invasion of privacy in Europe. Due process is followed when securing search warrants that provide access to subscriber data (Germany does not have administrative subpoenas like in the US and other countries).
Former attempts at surveillance have been struck down in the Bundesverfassungsgericht, and the right to privacy has even been affirmed for foreigners (as opposed to other countries like the US that reserve that foreign nationals have zero due process rights for invasion of privacy).
Their end-to-end encryption is pointless because the vast majority of any recipients will just leak the plaintext emails via their own account providers anyway. It only works under very specific circumstances (all parties are using it). I think their marketing overstates what their secure private email actually means.
Proton won’t lock me out of my email because I accidentally sang a copyrighted song in a Youtube video. That’s why I use it, not because it’s the pirate bay for email.
Thank you for sharing. I was trialing Proton Mail but I will move away from it because of this. This is some teenage level crime and legitimate protesting that it threw away its reputation for.
>Sign up with no phone number:
Get a private email account without handing over more personal data than necessary, making it harder for advertisers, data brokers, and other services to track you online.
I guess it doesn't mention law enforcement so ¯\_(ツ)_/¯
I'm not sure what you were expecting here. If you have data and the police shows up with a warrant, you can't just tell them "nah we don't feel like it".
They could have used a VPN to connect to Proton and paid for their account with bitcoin or cash and then law enforcement would have had a very tough time. Instead, they paid with a method connected to their identity. Of course Proton handed it over when law enforcement came knocking.
If you don't want info being given to law enforcement by third parties, your best bet is to make it so that nobody else has access to it in the first place. You might get away with third parties that are in a jurisdiction unfriendly to wherever you live. Definitely don't hand over your info to a company in fricken' Switzerland and then be surprised when they comply with law enforcement requests for it.
The article explains that the account was identified based on a credit card payment for a paid account, which does not invalidate the statement in question IMO. Perhaps we differ on the definition of "private" or something else, but unless all parties are using proton, email is inherently insecure and somebody can/will have a record of your communication regardless.
> unless all parties are using proton, email is inherently insecure and somebody can/will have a record of your communication regardless.
That the person you're exchanging messages with, has your messages, is hardly a surprise. Not everyone-but-Proton sells your data though so it's not quite that black-and-white
What Proton sell you is reduction of anxiety. But that's a lie.
The whole idea of encrypted email is pointless. There's absolutely no guarantee it's encrypted in transit or encrypted at rest on any machines it transits through unless you encapsulate the messages with PGP and then you still leave a trail of envelopes everywhere. Any government who wants your data will come round and beat it out of you or the provider as best as they can. And if you have the pay the provider, as evidenced here, they can point to you and then beat you for it. Beating being metaphorical or otherwise.
Use any old shitty email provider and make sure you can move off it quickly if you need to. Standard IMAP, not weird ass proprietary stuff like proton. Think carefully what you do and say. Use a side channel for anything that actually requires security.
As a long time Proton customer...I am fairly certain Proton has always been completely upfront that they will comply with lawful requests for information from the Swiss authorities, if response is obligated by Swiss law. Therefore this isn't especially surprising.
This is just impossible. If they're going to be sending your email to gmail then they need to see what's in it. So they will have the data at some point. You have to trust their brown eyes that they don't look at it while it's going through their inbound and outbound servers. But they're selling it as a technical protection, not a trust-based one.
Personally, if you want private Comms, just don't use email. The protocol is just not suitable.
Exactly, you can use bitcoin, even cash. You can even add credits with PayPal or a credit card, in which case Proton (I assume) won't remember your payment data. But if you attach credit card info permanently to your account then it can be retrieved.
In trying to check this claim (I thought Proton did sensible things), I found that the submitted news article is not new at all:
> [Proton's] homepage touts that “With Proton, your data belongs to you, not tech companies, governments, or hackers.” However, [...] Proton previously handed over an IP address at the request of French authorities made via Europol to Swiss police. Yen wrote a Twitter post at the time, stating, “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.” ---https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru...
Big surprise: swiss company complies with swiss law!
And the same happened now, quoting the part of the submission that you can read without signing up:
> privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
Anyway, regarding your claim, it's a whole rabbit hole of statements they made but broadly speaking it sounds like you're right: Vance supported legislation which Proton campaigned for and, subsequently (as of 2025-01), Proton loves the US Republican Party, believing they would stand up for 'the little guy'. To be fair, they bring some evidence that sound like it can be verified and back this opinion up somewhat, but even if it's a correct opinion on this sub-topic, it's still supporting authoritarianism. Anyway, this is where I'm going to stop trying to politically analyze their situation and just not recommend Proton anymore...
More informed by that comment, really? Did you read this[0]? As someone disinterested in the topic, the controversy seems very overblown and a knee jerk response. His position seems to have been pretty consistent over time.
I don't know what Proton did regarding Trump, but if you follow this principle to the end you might as well ditch technology and live in the forest. I'm not being hyperbole, everyone does business with or endorses someone on either side who does stupid shit.
If you don't want to receive the punishment for thought crimes, which is being threatened outright more loudly every day, it's increasingly difficult to actually have a dissenting voice online. Don't believe me? Set up a linux VM, Mullvad VPN with a killswitch, then run Tor browser. You MAY be able to get a TutaMail account, which requires a backup e-mail that disappears after a short period of time (allegedly), and then a Proton account with the TutaMail account as your required backup there, but all of the privacy-first "anonymous" services require some form of verification. Then, if the social media network isn't blocking you from signing up via a Tor exit nodes outright, you are immediately shadow banned.
I remain very annoyed with the massive number of engineers that are making it possible for people who can't figure out how to check their e-mail to utilize advanced technology to spy on us, steal our tax money, pervert the technologies we build, and indiscriminately murder innocent people.
We are a community of greedy ladder pullers and that's so disappointing.
I use it often...
Where you one that voted for laws that protected our privacy?
Where you one that upvoted comments in forums that said software engineers needed a standard ethics?
Where you one that downvoted every post saying we should have unions in software so we can protect ourselves as a group.
Or were you greedy like the rest of us saying, I don't want any of those things because I can make more money without it.
This is were the hunt for more money has taken us, and it only gets worse from here.
Proton only has access to your IP and device ID, not your data. With IP and device ID, you can easily track an user like finding the ISP, etc.
Do you wanna do naughty things?? Don't use such services do to so.
And ironically,this 404 Media is the only place I found covering this information and they require you to login to read the whole thing.
Hmmmmmmmmmmmmmmmmmmmmm red flag big time!!!!
I really don't like this about proton, they're always going on about their encryption but most emails they've seen in plain text on their SMTP servers. Because that's just how SMTP works. And so has the provider of the other party.
Once they've put them in your mailbox they can't decrypt them again but I always consider a single exposure a loss of confidentiality. The only emails this doesn't apply to are those from people using PGP (yeah all three of them) and those on proton themselves.
In my view this Achilles heel makes most of their protections irrelevant. But they still market it as if it's the email equivalent of signal, which actually can't see what you say at any point of transit. And non technical people have no idea about the difference.
Ps I'm not blaming proton for not having a technical solution for this because interoperability makes it an unsolvable problem. But I do blame them for their marketing around it.
Is that really what happened here?
https://en.wikipedia.org/wiki/Stop_Cop_City
Kagi is to google as proton is to gmail.
You get web mail, custom domains, decent security, decent spam detection, solid features, and no PII being sold. Nice, clean, simple - I like paying them money. I feel good about doing business with them, and I don't run into that often these days.
In theory you could open up your protonmail account over tor and with bitcoin (or does that not work anymore?).
Its been a good while since I tried them out. Why I don't recommend them anymore is because when I didn't extend my subscription in time (expecting an account downgrade), my mail was locked and emails hold on to as random. Allowed to login only for payment.
That was one red flag from me, the second was when they shared IP address logs of a French protestor. E̶v̶e̶n̶ ̶t̶h̶o̶u̶g̶h̶ ̶a̶t̶ ̶t̶h̶e̶ ̶t̶i̶m̶e̶ ̶t̶h̶e̶y̶ ̶h̶a̶d̶ ̶a̶ ̶n̶o̶ ̶l̶o̶g̶s̶ ̶p̶o̶l̶i̶c̶y̶,̶ ̶i̶f̶ ̶I̶ ̶r̶e̶m̶e̶b̶e̶r̶ ̶c̶o̶r̶r̶e̶c̶t̶l̶y̶.̶ ̶O̶r̶ ̶i̶f̶ ̶I̶ ̶d̶o̶n̶'̶t̶.̶
You probably aren't remembering correctly given that specifically have a "login logs" option that can be toggled on/off.
I think at the time there was confusion around their policies
"ProtonMail logged IP address of French activist after order by Swiss authorities"
https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...
I like Proton. I use Proton.
However, the problem with proton is that if you access your email via a web browser, there's nothing stopping protonmail (to my knowledge) from reading your email from within their webapp via JS. This type of attack could be targeted at the behest of authorities.
So, actually, Proton COULD read your email (IFF you use webmail).
The authorities can also read your self-hosted email if they had a warrant to search your house. Even if you enable FDE they can do a cold boot attack.
I'd count that up as a hypothetical win of the self-hosted main in your own location.
If you are Dr. Evil, OTOH, other calculi apply.
tl;dr they pull the decryption keys from your computer while it's still running, which of course it is because your mail server has to be up 24/7.
Or any similar service from another vendor? Or hosts their own email. If someone using Protonmail emails me, their data is also not getting sold for example, it's just stored on my laptop
Proton does have interoperability with PGP/GPG but very few people use that because of its UX.
Proton is one of the few services who accepts anonymous payment, and cannot themselves provide encrypted content in cleartext. They cannot save you from yourself, though.
You shouldn't even need that. A warrant isn't a strongly worded letter that they can just turn down. It's the law. Therefore you should assume that if the police can get a warrant, they can get your data. Even for people who don't follow the law (criminals), there's no guarantee they won't snitch on you.
https://proton.me/blog/data-privacy-abortion
Quote (emphasis theirs, in bold):
> Switzerland is a fundamentally different environment. Two of the things Switzerland is most famous for are also highly conducive to data protection: privacy and neutrality.
> When a law enforcement agency in the US requests user data from a Swiss company, it is illegal for that company to provide the data. At Proton, we reject all data requests from foreign agencies.
> Proton and other Swiss companies will only hand over user data when ordered to do so by a Swiss authority. And even then, Proton’s general policy is to challenge data requests whenever possible and only comply after all legal remedies have been exhausted.
So maybe your parent poster is confused? They do claim that being Swiss protects them from requests from foreign entities, but not Swiss entities. Which is what happened here, the Swiss authorities asked Proton for the data, then they handed it to the FBI.
Has Proton challenged the data and “only complied after all legal remedies have been exhausted”, though? That’s another question.
Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
Although I guess the server location didn't matter in this case since all they wanted was the billing information and the credit card info to identify the person.
They said they want to relocate to Germany which I would say in a polite way, is much worse in this regard.
Former attempts at surveillance have been struck down in the Bundesverfassungsgericht, and the right to privacy has even been affirmed for foreigners (as opposed to other countries like the US that reserve that foreign nationals have zero due process rights for invasion of privacy).
Their end-to-end encryption is pointless because the vast majority of any recipients will just leak the plaintext emails via their own account providers anyway. It only works under very specific circumstances (all parties are using it). I think their marketing overstates what their secure private email actually means.
Is there a specific story you’re referring to? Mind sharing a link? I have no intention of disputing it, I just haven’t heard of that particular case.
Whether they store such info for cryptocurrency payments as well (no chargeback risk) would be telling.
"Authorities were investigating [them] for their connection to arson, vandalism and doxing"
And there it is.
Civil disobedience means accepting punishment. Literally "letter from Birmingham jail" was sent from a jail in Birmingham for a reason.
>Sign up with no phone number: Get a private email account without handing over more personal data than necessary, making it harder for advertisers, data brokers, and other services to track you online.
I guess it doesn't mention law enforcement so ¯\_(ツ)_/¯
If you don't want info being given to law enforcement by third parties, your best bet is to make it so that nobody else has access to it in the first place. You might get away with third parties that are in a jurisdiction unfriendly to wherever you live. Definitely don't hand over your info to a company in fricken' Switzerland and then be surprised when they comply with law enforcement requests for it.
That the person you're exchanging messages with, has your messages, is hardly a surprise. Not everyone-but-Proton sells your data though so it's not quite that black-and-white
The whole idea of encrypted email is pointless. There's absolutely no guarantee it's encrypted in transit or encrypted at rest on any machines it transits through unless you encapsulate the messages with PGP and then you still leave a trail of envelopes everywhere. Any government who wants your data will come round and beat it out of you or the provider as best as they can. And if you have the pay the provider, as evidenced here, they can point to you and then beat you for it. Beating being metaphorical or otherwise.
Use any old shitty email provider and make sure you can move off it quickly if you need to. Standard IMAP, not weird ass proprietary stuff like proton. Think carefully what you do and say. Use a side channel for anything that actually requires security.
Personally, if you want private Comms, just don't use email. The protocol is just not suitable.
And from what little I can tell from the article, it was account payment data, not content from the account.
Proton was never designed or advertised to resist this kind of threat.
I cancelled my Proton account when all of that hit Mastodon. Their VPN was good, but I dont support nazies and their toadies.
The single most useful link I found was this Reddit thread:
https://www.reddit.com/r/ProtonMail/comments/1i2nz9v/on_poli...
> [Proton's] homepage touts that “With Proton, your data belongs to you, not tech companies, governments, or hackers.” However, [...] Proton previously handed over an IP address at the request of French authorities made via Europol to Swiss police. Yen wrote a Twitter post at the time, stating, “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.” ---https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru...
Big surprise: swiss company complies with swiss law!
And the same happened now, quoting the part of the submission that you can read without signing up:
> privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
Anyway, regarding your claim, it's a whole rabbit hole of statements they made but broadly speaking it sounds like you're right: Vance supported legislation which Proton campaigned for and, subsequently (as of 2025-01), Proton loves the US Republican Party, believing they would stand up for 'the little guy'. To be fair, they bring some evidence that sound like it can be verified and back this opinion up somewhat, but even if it's a correct opinion on this sub-topic, it's still supporting authoritarianism. Anyway, this is where I'm going to stop trying to politically analyze their situation and just not recommend Proton anymore...
[0]: https://medium.com/@ovenplayer/does-proton-really-support-tr...
what an oddly specific example