Yes it does have access to your data, at least any email coming from or going to another mail provider. Because those are not end to end encrypted. Only encrypted in transit. So they need to have the plaintext.
I really don't like this about proton, they're always going on about their encryption but most emails they've seen in plain text. And so has the provider of the other party.
Once they've put them in your mailbox they can't decrypt them again but I always consider a single exposure a loss of confidentiality. The only emails this doesn't apply to are those using PGP (yeah all three of them) and those on proton themselves.
In my view this Achilles heel makes most of their protections irrelevant. But they still market it as if it's the email equivalent of signal, which actually can't see what you say.
Proton isn't opsec, it's just the best available commercial clearweb host that still has to follow all the laws and comply with warrants, but won't be arbitrarily selling your metadata or engaging in the adtech garbage.
Kagi is to google as proton is to gmail.
You get web mail, custom domains, decent security, decent spam detection, solid features, and no PII being sold. Nice, clean, simple - I like paying them money. I feel good about doing business with them, and I don't run into that often these days.
Journalists should work for free. Which means that they are going to be paid by governments and corporations to spout propaganda because everyone has a mortgage to pay off...
I really don’t think 404 Media having a login gate is a red flag. They’re a business that needs to make money and the alternative to subscriptions is ads, which would be exponentially worse for user safety than what exists today.
That's 404 media's approach. That's why I only read their headlines.
In theory you could open up your protonmail account over tor and with bitcoin (or does that not work anymore?).
Its been a good while since I tried them out. Why I don't recommend them anymore is because when I didn't extend my subscription in time (expecting an account downgrade), my mail was locked and emails hold on to as random. Allowed to login only for payment.
That was one red flag from me, the second was when they shared IP address logs of a French protestor. E̶v̶e̶n̶ ̶t̶h̶o̶u̶g̶h̶ ̶a̶t̶ ̶t̶h̶e̶ ̶t̶i̶m̶e̶ ̶t̶h̶e̶y̶ ̶h̶a̶d̶ ̶a̶ ̶n̶o̶ ̶l̶o̶g̶s̶ ̶p̶o̶l̶i̶c̶y̶,̶ ̶i̶f̶ ̶I̶ ̶r̶e̶m̶e̶b̶e̶r̶ ̶c̶o̶r̶r̶e̶c̶t̶l̶y̶.̶ ̶O̶r̶ ̶i̶f̶ ̶I̶ ̶d̶o̶n̶'̶t̶.̶
I let my subscription expire and my account was never locked down or emailed held for ransom. I suspect there is another piece to the story you're either neglecting to mention or don't know.
>the second was when they shared IP address logs of a French protestor. Even though at the time they had a no logs policy, if I remeber correctly. Or if I don't.
You probably aren't remembering correctly given that specifically have a "login logs" option that can be toggled on/off.
last time i tried they asked for an email to link the account to. I don't think they provide anonymous accounts anymore, but you can probably create one with another anonymous email.
> Proton only has access to your IP and device ID, not your data.
I like Proton. I use Proton.
However, the problem with proton is that if you access your email via a web browser, there's nothing stopping protonmail (to my knowledge) from reading your email from within their webapp via JS. This type of attack could be targeted at the behest of authorities.
So, actually, Proton COULD read your email (IFF you use webmail).
>So, actually, Proton COULD read your email (IFF you use webmail).
The authorities can also read your self-hosted email if they had a warrant to search your house. Even if you enable FDE they can do a cold boot attack.
Is even that needed? Nothing e2ee about the emails you receive normally, they could just read them right away if they really wanted to. And that is to say nothing about the metadata.
Proton doesn't really protect anything email related unless the recipient is also using protonmail. The article also points out they sought payment data, not "IP and device ID" information.
Or any similar service from another vendor? Or hosts their own email. If someone using Protonmail emails me, their data is also not getting sold for example, it's just stored on my laptop
Proton won’t lock me out of my email because I accidentally sang a copyrighted song in a Youtube video. That’s why I use it, not because it’s the pirate bay for email.
This should surprise exactly nobody after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
>after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
You shouldn't even need that. A warrant isn't a strongly worded letter that they can just turn down. It's the law. Therefore you should assume that if the police can get a warrant, they can get your data. Even for people who don't follow the law (criminals), there's no guarantee they won't snitch on you.
Where are the stories about all the other mail providers who routinely cough up everything about your email account, including full content, metadata, and full payment details, on a daily basis?
Proton is one of the few services who accepts anonymous payment, and cannot themselves provide encrypted content in cleartext. They cannot save you from yourself, though.
> The records provide insight into the sort of data that Proton Mail, which prides itself both on its end-to-end encryption and that it is only governed by Swiss privacy law, can and does provide to third parties.
Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
Although I guess the server location didn't matter in this case since all they wanted was the billing information and the credit card info to identify the person.
> Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
They said they want to relocate to Germany which I would say in a polite way, is much worse in this regard.
In what sense? Germany has among the strongest judicial oversight for invasion of privacy in Europe. Due process is followed when securing search warrants that provide access to subscriber data (Germany does not have administrative subpoenas like in the US and other countries).
Former attempts at surveillance have been struck down in the Bundesverfassungsgericht, and the right to privacy has even been affirmed for foreigners (as opposed to other countries like the US that reserve that foreign nationals have zero due process rights for invasion of privacy).
Their end-to-end encryption is pointless because the vast majority of any recipients will just leak the plaintext emails via their own account providers anyway. It only works under very specific circumstances (all parties are using it). I think their marketing overstates what their secure private email actually means.
Thank you for sharing. I was trialing Proton Mail but I will move away from it because of this. This is some teenage level crime and legitimate protesting that it threw away its reputation for.
>Sign up with no phone number:
Get a private email account without handing over more personal data than necessary, making it harder for advertisers, data brokers, and other services to track you online.
I guess it doesn't mention law enforcement so ¯\_(ツ)_/¯
I'm not sure what you were expecting here. If you have data and the police shows up with a warrant, you can't just tell them "nah we don't feel like it".
They could have used a VPN to connect to Proton and paid for their account with bitcoin or cash and then law enforcement would have had a very tough time. Instead, they paid with a method connected to their identity. Of course Proton handed it over when law enforcement came knocking.
If you don't want info being given to law enforcement by third parties, your best bet is to make it so that nobody else has access to it in the first place. You might get away with third parties that are in a jurisdiction unfriendly to wherever you live. Definitely don't hand over your info to a company in fricken' Switzerland and then be surprised when they comply with law enforcement requests for it.
The article explains that the account was identified based on a credit card payment for a paid account, which does not invalidate the statement in question IMO. Perhaps we differ on the definition of "private" or something else, but unless all parties are using proton, email is inherently insecure and somebody can/will have a record of your communication regardless.
> unless all parties are using proton, email is inherently insecure and somebody can/will have a record of your communication regardless.
That the person you're exchanging messages with, has your messages, is hardly a surprise. Not everyone-but-Proton sells your data though so it's not quite that black-and-white
What Proton sell you is reduction of anxiety. But that's a lie.
The whole idea of encrypted email is pointless. There's absolutely no guarantee it's encrypted in transit or encrypted at rest on any machines it transits through unless you encapsulate the messages with PGP and then you still leave a trail of envelopes everywhere. Any government who wants your data will come round and beat it out of you or the provider as best as they can. And if you have the pay the provider, as evidenced here, they can point to you and then beat you for it. Beating being metaphorical or otherwise.
Use any old shitty email provider and make sure you can move off it quickly if you need to. Standard IMAP, not weird ass proprietary stuff like proton. Think carefully what you do and say. Use a side channel for anything that actually requires security.
As a long time Proton customer...I am fairly certain Proton has always been completely upfront that they will comply with lawful requests for information from the Swiss authorities, if response is obligated by Swiss law. Therefore this isn't especially surprising.
Exactly, you can use bitcoin, even cash. You can even add credits with PayPal or a credit card, in which case Proton (I assume) won't remember your payment data. But if you attach credit card info permanently to your account then it can be retrieved.
In trying to check this claim (I thought Proton did sensible things), I found that the submitted news article is not new at all:
> [Proton's] homepage touts that “With Proton, your data belongs to you, not tech companies, governments, or hackers.” However, [...] Proton previously handed over an IP address at the request of French authorities made via Europol to Swiss police. Yen wrote a Twitter post at the time, stating, “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.” ---https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru...
Big surprise: swiss company complies with swiss law!
And the same happened now, quoting the part of the submission that you can read without signing up:
> privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
Anyway, regarding your claim, it's a whole rabbit hole of statements they made but broadly speaking it sounds like you're right: Vance supported legislation which Proton campaigned for and, subsequently (as of 2025-01), Proton loves the US Republican Party, believing they would stand up for 'the little guy'. To be fair, they bring some evidence that sound like it can be verified and back this opinion up somewhat, but even if it's a correct opinion on this sub-topic, it's still supporting authoritarianism. Anyway, this is where I'm going to stop trying to politically analyze their situation and just not recommend Proton anymore...
People will never understand, Proton is a privacy based email server, it is not the dark web where you can do as you please without consequences.
Proton only has access to your IP and device ID, not your data. With IP and device ID, you can easily track an user like finding the ISP, etc.
Do you wanna do naughty things?? Don't use such services do to so.
And ironically,this 404 Media is the only place I found covering this information and they require you to login to read the whole thing.
Hmmmmmmmmmmmmmmmmmmmmm red flag big time!!!!
Yes it does have access to your data, at least any email coming from or going to another mail provider. Because those are not end to end encrypted. Only encrypted in transit. So they need to have the plaintext.
I really don't like this about proton, they're always going on about their encryption but most emails they've seen in plain text. And so has the provider of the other party.
Once they've put them in your mailbox they can't decrypt them again but I always consider a single exposure a loss of confidentiality. The only emails this doesn't apply to are those using PGP (yeah all three of them) and those on proton themselves.
In my view this Achilles heel makes most of their protections irrelevant. But they still market it as if it's the email equivalent of signal, which actually can't see what you say.
> Do you wanna do naughty things?? Don't use such services do to so.
Is that really what happened here?
https://en.wikipedia.org/wiki/Stop_Cop_City
Proton isn't opsec, it's just the best available commercial clearweb host that still has to follow all the laws and comply with warrants, but won't be arbitrarily selling your metadata or engaging in the adtech garbage.
Kagi is to google as proton is to gmail.
You get web mail, custom domains, decent security, decent spam detection, solid features, and no PII being sold. Nice, clean, simple - I like paying them money. I feel good about doing business with them, and I don't run into that often these days.
Sounds like Fastmail, except Fastmail is less sketchy and has better deliverability.
What's sketchy about proton?
404 Media has an excellent track record and is very reputable, if you're saying the "red flag" applies to them.
Journalists should work for free. Which means that they are going to be paid by governments and corporations to spout propaganda because everyone has a mortgage to pay off...
this
I really don’t think 404 Media having a login gate is a red flag. They’re a business that needs to make money and the alternative to subscriptions is ads, which would be exponentially worse for user safety than what exists today.
That's 404 media's approach. That's why I only read their headlines.
In theory you could open up your protonmail account over tor and with bitcoin (or does that not work anymore?).
Its been a good while since I tried them out. Why I don't recommend them anymore is because when I didn't extend my subscription in time (expecting an account downgrade), my mail was locked and emails hold on to as random. Allowed to login only for payment.
That was one red flag from me, the second was when they shared IP address logs of a French protestor. E̶v̶e̶n̶ ̶t̶h̶o̶u̶g̶h̶ ̶a̶t̶ ̶t̶h̶e̶ ̶t̶i̶m̶e̶ ̶t̶h̶e̶y̶ ̶h̶a̶d̶ ̶a̶ ̶n̶o̶ ̶l̶o̶g̶s̶ ̶p̶o̶l̶i̶c̶y̶,̶ ̶i̶f̶ ̶I̶ ̶r̶e̶m̶e̶b̶e̶r̶ ̶c̶o̶r̶r̶e̶c̶t̶l̶y̶.̶ ̶O̶r̶ ̶i̶f̶ ̶I̶ ̶d̶o̶n̶'̶t̶.̶
I let my subscription expire and my account was never locked down or emailed held for ransom. I suspect there is another piece to the story you're either neglecting to mention or don't know.
>the second was when they shared IP address logs of a French protestor. Even though at the time they had a no logs policy, if I remeber correctly. Or if I don't.
You probably aren't remembering correctly given that specifically have a "login logs" option that can be toggled on/off.
Thanks for the update of the current state.
I think at the time there was confusion around their policies
"ProtonMail logged IP address of French activist after order by Swiss authorities"
https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...
You can still pay with cash!
last time i tried they asked for an email to link the account to. I don't think they provide anonymous accounts anymore, but you can probably create one with another anonymous email.
> Proton only has access to your IP and device ID, not your data.
I like Proton. I use Proton.
However, the problem with proton is that if you access your email via a web browser, there's nothing stopping protonmail (to my knowledge) from reading your email from within their webapp via JS. This type of attack could be targeted at the behest of authorities.
So, actually, Proton COULD read your email (IFF you use webmail).
>So, actually, Proton COULD read your email (IFF you use webmail).
The authorities can also read your self-hosted email if they had a warrant to search your house. Even if you enable FDE they can do a cold boot attack.
Just out of curiosity, what is a cold boot attack?
What if you use encryption?
FDE stands for "Full Disk Encryption" in this context.
The only solution is blockchain
Is even that needed? Nothing e2ee about the emails you receive normally, they could just read them right away if they really wanted to. And that is to say nothing about the metadata.
Here you are: https://archive.ph/Zvw3O
What device identifier are you referring to, something like the MAC addresses of your network cards? How are they retrieving that via a browser?
Proton doesn't really protect anything email related unless the recipient is also using protonmail. The article also points out they sought payment data, not "IP and device ID" information.
> unless the recipient is also using protonmail
Or any similar service from another vendor? Or hosts their own email. If someone using Protonmail emails me, their data is also not getting sold for example, it's just stored on my laptop
Proton won’t lock me out of my email because I accidentally sang a copyrighted song in a Youtube video. That’s why I use it, not because it’s the pirate bay for email.
Does Proton store the payment information tied to an account for the duration of a potential chargeback period or indefinitely?
Whether they store such info for cryptocurrency payments as well (no chargeback risk) would be telling.
This should surprise exactly nobody after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
>after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
You shouldn't even need that. A warrant isn't a strongly worded letter that they can just turn down. It's the law. Therefore you should assume that if the police can get a warrant, they can get your data. Even for people who don't follow the law (criminals), there's no guarantee they won't snitch on you.
they used to claim that being Swiss based protected them from warrants like this
Source?
Where are the stories about all the other mail providers who routinely cough up everything about your email account, including full content, metadata, and full payment details, on a daily basis?
Proton is one of the few services who accepts anonymous payment, and cannot themselves provide encrypted content in cleartext. They cannot save you from yourself, though.
They accept anonymous payment? I could've sworn they require an account...
Man 404 Media is really crushing it lately. Thanks to the team!
> The records provide insight into the sort of data that Proton Mail, which prides itself both on its end-to-end encryption and that it is only governed by Swiss privacy law, can and does provide to third parties.
Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
Although I guess the server location didn't matter in this case since all they wanted was the billing information and the credit card info to identify the person.
> Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
They said they want to relocate to Germany which I would say in a polite way, is much worse in this regard.
In what sense? Germany has among the strongest judicial oversight for invasion of privacy in Europe. Due process is followed when securing search warrants that provide access to subscriber data (Germany does not have administrative subpoenas like in the US and other countries).
Former attempts at surveillance have been struck down in the Bundesverfassungsgericht, and the right to privacy has even been affirmed for foreigners (as opposed to other countries like the US that reserve that foreign nationals have zero due process rights for invasion of privacy).
> prides itself both on its end-to-end encryption
Their end-to-end encryption is pointless because the vast majority of any recipients will just leak the plaintext emails via their own account providers anyway. It only works under very specific circumstances (all parties are using it). I think their marketing overstates what their secure private email actually means.
Thank you for sharing. I was trialing Proton Mail but I will move away from it because of this. This is some teenage level crime and legitimate protesting that it threw away its reputation for.
Wild that it says this on their site:
>Sign up with no phone number: Get a private email account without handing over more personal data than necessary, making it harder for advertisers, data brokers, and other services to track you online.
I guess it doesn't mention law enforcement so ¯\_(ツ)_/¯
I'm not sure what you were expecting here. If you have data and the police shows up with a warrant, you can't just tell them "nah we don't feel like it".
They could have used a VPN to connect to Proton and paid for their account with bitcoin or cash and then law enforcement would have had a very tough time. Instead, they paid with a method connected to their identity. Of course Proton handed it over when law enforcement came knocking.
If you don't want info being given to law enforcement by third parties, your best bet is to make it so that nobody else has access to it in the first place. You might get away with third parties that are in a jurisdiction unfriendly to wherever you live. Definitely don't hand over your info to a company in fricken' Switzerland and then be surprised when they comply with law enforcement requests for it.
The article explains that the account was identified based on a credit card payment for a paid account, which does not invalidate the statement in question IMO. Perhaps we differ on the definition of "private" or something else, but unless all parties are using proton, email is inherently insecure and somebody can/will have a record of your communication regardless.
> unless all parties are using proton, email is inherently insecure and somebody can/will have a record of your communication regardless.
That the person you're exchanging messages with, has your messages, is hardly a surprise. Not everyone-but-Proton sells your data though so it's not quite that black-and-white
You're not wrong, but I think it just means you can never be 100% safe, as even the recipient of your message may be secretly working against you.
When a SWAT team drops in nobody's gonna take a bullet for your emails.
This is disappointing. I would pay up to $10/month for an email provider who would go to jail for me.
https://en.wikipedia.org/wiki/Bulletproof_hosting
Actually neat. No mail deliverable issues?
Well I guess Proton cannot be trusted. You know what they say, centralization corrupts absolutely
What Proton sell you is reduction of anxiety. But that's a lie.
The whole idea of encrypted email is pointless. There's absolutely no guarantee it's encrypted in transit or encrypted at rest on any machines it transits through unless you encapsulate the messages with PGP and then you still leave a trail of envelopes everywhere. Any government who wants your data will come round and beat it out of you or the provider as best as they can. And if you have the pay the provider, as evidenced here, they can point to you and then beat you for it. Beating being metaphorical or otherwise.
Use any old shitty email provider and make sure you can move off it quickly if you need to. Standard IMAP, not weird ass proprietary stuff like proton. Think carefully what you do and say. Use a side channel for anything that actually requires security.
As a long time Proton customer...I am fairly certain Proton has always been completely upfront that they will comply with lawful requests for information from the Swiss authorities, if response is obligated by Swiss law. Therefore this isn't especially surprising.
The key is and always has been to make sure that someone like Proton simply doesn't have the information so they can't give it away.
Exactly, you can use bitcoin, even cash. You can even add credits with PayPal or a credit card, in which case Proton (I assume) won't remember your payment data. But if you attach credit card info permanently to your account then it can be retrieved.
It's wild to me that people are downvoting this. Nobody is going to jail for you...
I don't think any commercial entity can be trusted to break the law on behalf of customers who only pay a small fee each
In this case, it was Swiss courts who forced them to comply, not foreign courts.
And from what little I can tell from the article, it was account payment data, not content from the account.
Proton was never designed or advertised to resist this kind of threat.
Given they were praising Trump, Vance, and gang - I called it then.
I cancelled my Proton account when all of that hit Mastodon. Their VPN was good, but I dont support nazies and their toadies.
I wasn't even aware of anything around Proton and specific US political parties. Thank you for your post, as it led me to some searching.
The single most useful link I found was this Reddit thread:
https://www.reddit.com/r/ProtonMail/comments/1i2nz9v/on_poli...
In trying to check this claim (I thought Proton did sensible things), I found that the submitted news article is not new at all:
> [Proton's] homepage touts that “With Proton, your data belongs to you, not tech companies, governments, or hackers.” However, [...] Proton previously handed over an IP address at the request of French authorities made via Europol to Swiss police. Yen wrote a Twitter post at the time, stating, “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.” ---https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru...
Big surprise: swiss company complies with swiss law!
And the same happened now, quoting the part of the submission that you can read without signing up:
> privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
Anyway, regarding your claim, it's a whole rabbit hole of statements they made but broadly speaking it sounds like you're right: Vance supported legislation which Proton campaigned for and, subsequently (as of 2025-01), Proton loves the US Republican Party, believing they would stand up for 'the little guy'. To be fair, they bring some evidence that sound like it can be verified and back this opinion up somewhat, but even if it's a correct opinion on this sub-topic, it's still supporting authoritarianism. Anyway, this is where I'm going to stop trying to politically analyze their situation and just not recommend Proton anymore...