Earlier this year a user on Mastodon started a list of non-US tech services that were out of US jurisdiction. They specifically called out Proton as having offices in the US and as the only country to be mentioned specifically (other than Switzerland). They insisted several times on several threads that Proton does fall within US jurisdiction because it maintains corporate offices here. I’ve looked at the TOS and yes, it’s true that the US is there.
Does anyone know anything about this? If it is true that the company falls within US jurisdiction it does seem like something to be aware of and to mention when recommending the service. And, if true, should the services be recommended?
Searching on DuckDuckGo I get this summary:
“Proton Technologies AG is based in Switzerland and markets itself as a non-U.S. company, but it must comply with U.S. laws if it has operations or users in the U.S. This means that while it operates under Swiss privacy laws, certain aspects of its services may still be subject to U.S. jurisdiction.”
Yes. The service does not mandate any real info from their users and users can use their products highly privately or even anonymously.
Is your concern of the US requesting data on you if you are at risk? Let’s say that happens. You should still be fine if your privacy settings are such that you don’t even allow Proton to log your sign in’s from your IP addresses (which can be obfuscated with a VPN anyway). And obviously make sure you don’t use your credit card to pay for it.
You should be equally concerned with Proton being subject to certain US laws as much as Signal is. Signal is fully in the US and yet its the best encrypted messenger out there that should be encouraged to all to use.
No data can be given to lawful requests if none exist. Encryption and security for all persons is still legal in the US.
If someone has more nuance, context, or concrete info, they may explain it better. But this is what I think.
Thanks so much for the helpful details. I was just looking to better understand the possible implications. I see it recommended so often as a privacy solution for multiple services but have never seen this discussed.
Of course, you’re right to point out that Signal is fully a US entity.
Maintaining US offices does not mean the company itself is under US jurisdiction (as in, the entire company compared to these seperate offices). Technically, almost every single service is under US jurisdiction so long as it is accessible to at least one American resident. American offices mean that there is a corporate presence, usually for compliance reasons. Proton is not “based” in the United States and can make decisions independent of their laws, but may suffer the consequence of being banned or fined like every single company out there.
What you should be concerned about is: where is Proton de-facto headquartered? What is the location of the data centers storing your data? Proton is clearly subject to Swiss laws and therefore should be considered as such. The only real way that a company is not under US jurisdiction is if they block every single IP address coming from there.