"…the company behind Proton Mail, told 404 Media in an email: “We want to first clarify that Proton did not provide any information to the FBI, the information was obtained from the Swiss justice department via MLAT. Proton only provides the limited information that we have when issued with a legally binding order from Swiss authorities, which can only happen after all Swiss legal checks are passed. This is an important distinction because Proton operates exclusively under Swiss law.” "
Edit: switching over code block for bolded quoted text.
I have seen commentary online that this means Proton only gave payment info and no other information. I haven’t seen an indication the scope of information provided to Swiss authorities was limited to payment data.
I think it is notable that even if you pre-fund your account with alternative payment methods, you cannot delete credit card data while on a paid plan. I personally feel that if the account is sufficiently pre-funded with available credits through alternative methods (Cash, BTC, Gift Card) I would think you could delete your payment method.
“Proton Mail Helped FBI” != “Proton did not provide any information to the FBI”
So right from the start this is a bad article, because the headline states something that is immediately rejected by PM in the article.
They got presented with a legally binding order from Swiss authorities, they followed the law. And honestly that’s all there is to say about it IMHO.
Edit: almost the same thing happened 2021 with a French activist.
Proton Mail will give up data they have on you when presented with a valid court order.
Only use it over Tor and pay in cash if your threat model requires it.
I don’t know why 404media chose the framing they did here. Articles pitched this way only end up making people less likely to choose privacy-based big tech alternatives. Proton didn’t help the FBI, they were forced to provide data to the Swiss government who then helped the FBI.
I don’t think it’s good that Proton revealed this info, but I fail to see what choice any company has in the matter? They could refuse to follow the law I guess?
The same applies for Tuta, mailbox, etc., and I would defend them equally.
Proton is a legal entity that has to follow the law. Proton provides a way to pay for an account anonymously via cash. The user decided to use a traceable credit card. It’s their own fault for terrible opsec.
Expecting to be fully anonymous and then proceeding to pay a service with Visa/Mastercard that could be tracked back to them is a massive fuck-up from that activist. That’s like opsec 101.
I might be missing something, but if someone simply had a Proton subscription paid with their credit card, would authorities have access to the contents of their emails or aliases (from SimpleLogin or Proton)? I’m not sure what metadata Proton collects.
On the other hand, a Catalan activist or politician, as mentioned above, had an Apple recovery account. What does this imply? If the recovery account were with Tuta, would that change anything?
The issue as I see it is that it’s not exactly clear whether either of these examples could lead to doxing in the future. For example, Mullvad permanently deletes payment data sometimes after only 20 days. Whereas, as I mentioned above, Proton does not even allow the user to manually clear the data. There is certainly a clear benefit in Proton storing your payment info, but to restrict the user from manually deleting the data is a very odd choice given the nature of their privacy claims.
The issue with the recovery email situation, in my opinion, is the unclear nature differentiating recovery email address vs. verification emails. See this take on the dark patterns which I think exist both before and after account creation related to the recovery email address.
There is so much poor discussion of this on Reddit. The title is also to blame for how it portrays Proton.
Human error when setting up your OPSEC is to blame. Not the company following the law or the law itself.
This just goes to show, when choosing privacy first services, always use the most private option to pay for it. It’s also best to harden your account by changing your settings such that no IP logs or anything are recorded. And of course using a strong password with 2FA is always the way to go.
So, people expect Proton to close down their whole business because they complied with a Swiss court order? That “activist” also used their own credit card for payment. Who would have thought Proton would give whatever info they have to courts if there is a valid order? Which is also very limited, like your IPs, recovery methods, subject of the mail, and so on. Blaming Proton for complying with local law while also having zero clue about privacy, well..
Most of these people don’t understand tech, policy, privacy, and how it works with the law. These are barely armchair experts on the matter yapping about things that don’t follow logic. I don’t mean to be crudely evaluating others but those in the know who are in the privacy community would come to the same conclusions about discourse on the topic elsewhere.
I really thought they were better equipped to properly evaluate the facts and express them more factually and not succumb to dumb clickbait titles when they are being paid for it.
I would not have gone so far as to have unsubscribed (yet) but yes, this is very disappointing.
It’s not just on Reddit, it’s everywhere. On Hacker News, on Mastodon. I would’ve expected the crowd at Hacker News and Mastodon to be more capable of rational thinking than Reddit trolls, but nope, they bandwagon with pitchforks and yap about how Proton isn’t privacy respecting. I’m not really a fan of Proton, but come on people… Credit is due where it’s due, and pitchforks should be the same too. This is just a classic opsec fail, nothing more.
What do you do if they already have your payment information from a previous transaction? I think Proton should find a way or give us the option to delete any other identifiable information that they may have so that we can start fresh.
I’m going to have to revisit my relationship with email after this. It’s exactly what I said before on PG - that it’s best to minimize or even avoid emails.
First, let’s correct the headline: Proton did not provide information to the FBI. What happened is that the FBI submitted a Mutual Legal Assistance Treaty (MLAT) request, which was processed by the Swiss Federal Department of Justice and Police. Proton operates exclusively under Swiss law, and we only respond to legally binding orders from Swiss authorities, after all Swiss legal checks have been passed. This is an important distinction.
Second, let’s talk about what this case actually involved. This wasn’t a routine investigation. Swiss authorities determined that the legal threshold was met because a law enforcement officer was shot, and explosive devices were found during a protest in 2024. Switzerland has one of the strongest legal frameworks for privacy in the world, and its standard for granting international legal assistance is exceptionally high. This case met that standard.
Third, let’s talk about what was actually disclosed. No emails were handed over. No message content. No metadata about who the user communicated with. The only information Proton could provide was a payment identifier because the user chose to pay with a credit card. This is information the user themselves provided to us through their choice of payment method. Proton also accepts cryptocurrency and cash payments, which would not have been linkable to an identity.
If anything, this case demonstrates exactly what we’ve always said: Proton holds very little user data by design. Even under the most serious legal circumstances, the only data that could be produced was a payment record. Our encryption means we simply cannot access email content even if ordered to.
We understand that stories like this can be alarming, and we take our users’ trust seriously. We will continue to fight for privacy and challenge any legal order we believe does not meet the strict requirements of Swiss law. But we also want to be transparent: no service can operate outside the law entirely, and Swiss law requires compliance with valid legal orders in serious criminal cases. What we can promise is that the legal bar in Switzerland is among the highest in the world, and our architecture ensures we have as little data as possible to hand over.
For users who want maximum anonymity: use Proton with a VPN or Tor, pay with cash or cryptocurrency, and don’t add a recovery email.