Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester

You cite the Proxy Store & SL gift cards in the other post as an anonymous, preferable alternative, though I believe this only obfuscates the source of the funds, and does nothing to mask the beneficiary account:

Anonymous payment (cash/monero) → proxy store gift card → SL account

Vs

Anonymous payment (cash) → Proton account

So, the Proxy Store setup is no more anonymous than Proton’s cash payments, right? Both scenarios support an anonymous source of funds, and both demand a coupling to your account for the final transaction. Anonymity is broken if either account is associated with PII.

Barring the introduction of blind signatures, I’d believe all transactions will need to be coupled with a username or account UID. Users seeking anonymity will need to make sure this account is not associated with PII.

1 Like

I found this Twitter post to be a well-rounded critique of Proton Mail: https://x.com/DoingFedTime/status/2030108076531995016

A big problem that it highlights isn’t necessarily Proton’s technology or the company’s ethics itself. With Swiss laws now making it easier to send legal notices en masse, Proton is unable to keep up and is forced to comply with a larger and larger amount.

This coupled with Proton’s marketing being somewhat misleading for a layman. When you make big sweeping claims of security and privacy without fully educating the user about the risks of certain ease of use features (e.g. credit card payments, password recovery, etc…), you’re putting less tech savvy users at risk of misunderstanding Proton’s strengths and limitations.

I think this particular case is pretty egregious with the background and dirty tricks being employed by the government in this Cop City stuff, Proton failing to take a big enough stand on this is a pretty embarrassing failure on their part imo.

I still feel safe using Proton for my day to day. I’m using it as my personal email rather than a pseudonymous identity, so the concerns raised by the Cop City incident don’t apply to me. However, conceding to the FBI over the Cop City stuff in particular does leave a bad taste in my mouth around my own personal ethics, so I’ll probably move to a new provider when my subscription runs out.

5 Likes

TBH I don’t think it is feasible for companies to “fully educate” users on this aspect, because they will be basically slamming people with

  1. Technical documentation on their infrastructure
  2. Technical documentation of payment processors and banks / card issuers
  3. Plenty of case law (to cover different scenarios and justifications)
  4. Their Terms and Conditions
  5. Their Privacy notice
  6. Even more not so basic basic education such as definitions of privacy, security and anonymity, threat modelling and risk assessment.

And they cannot simply say your data is safe with us, as long as you are not trying to do something illegal as we might be forced to hand out certain information to LE. Because 99% of the public won’t understand and the companies are simply asking for trouble (and / or losses).

Yeah I agree there isn’t an easy way around without it just becoming another set of T&Cs that nobody will ever read. But potentially putting warnings/disclaimers on certain features like account recovery and payment services could be helpful.

I don’t see the problem as significant as you’re making it out to be. If a client has sufficient knowledge and poses a high threat level, they will know perfectly well what information to provide and what not to. On the other hand, if the client is an ordinary everyday user looking for privacy rather than anonymity, they will pay by card and, in principle, authorities will not be able to access the contents of their email and so on. Another story is if they set up a Gmail recovery email or something like that, in which case it depends more on the user’s own knowledge. I don’t think a warning needs to be added for everything.

1 Like

To say Proton “helped” is an injustice. If someone says Proton Mail “helped” FBI, it paints a mental imagery of Proton staff willingly going out of their way to try and uncover this person. That is not what happened. The wording in this headline is so unjust it seems borderline malicious.

1 Like

Does this mean if the user had a free account, FBI would have failed?

PS: Are you sure that they did not provide IP address?

It absolutely does.

Proton employees (humans) don’t need to know which account the payment is going to.

How do you explain that neither cash payments for Posteo nor many other privacy services work that way?

Millions of people use their real name as their Proton username, including investigative journalists. And as I have already mentioned, even if I have a random username (fresh.cow@pm.me), if it is linked to the one that has my real name, my privacy is not protected by using it.

It is not the same. I’ll explain why in a second.

Yes and no.

There is something you and @phnx fail to understand.

There is a difference between Proton, the company, which comprises the computational system that registers purchases, versus Proton’s employees, who are real people and can look into people’s profiles.

I don’t have a problem with my cash payments being registered by Proton’s computers when I credit my account. I have a problem with my cash payments being registered by Proton agents.

Let’s go back to the bank deposit analogy.

When I deposit $100 in my bank account via ATM, the bank’s computer system knows that a deposit was made into my account. But no bank employee knows. No bank employee’s attention has been drawn to my account. I am in an ocean of millions of bank customers, hiding in plain sight.

This is how cash payments work for many other privacy services.

On the flip side, when I physically go to the bank to deposit $100 into my account, I have to speak to a teller, and hence I am drawing a bank employee’s attention to my account. In fact, I have to present my ID to prove I am the owner of said account.

Can you see how my privacy is being compromised?

This is how Proton cash payments work, and I don’t want that.

No, it doesn’t.

When I make a cash payment to purchase a Tuta gift card, I can credit it to any Tuta account.

I can send the cash payment with the intention to credit my account, but after the payment is sent, change my mind and credit my sister’s account instead.

Proton cash payments could work the same way, especially if they allowed their gift cards to be bought with cash, but even if they didn’t, it’s possible. It’s 100% possible, as it already exists with various privacy services like Posteo.

One thing you forget about the bank deposit analogy is that ATM cash deposits can be anonymous. I can deposit cash into anyone’s account, including my own, without the bank knowing who deposited the money.

The same should be possible with Proton.

Yes, it can be worked around from most countries. But it would be better if we didn’t have to write Proton’s name as the recipient.

3 Likes

As I am relatively new to this topic, there seems to be one aspect I do not understand.

Follow-up question:

If I want to purchase a gift card for SimpleLogin or Proton Pass, for example, I can do so via Proxy Store, where I can pay with cash. My identity is not disclosed at any point.

If I now want to subscribe to Proton Mail with cash, I can send cash in an envelope to the required address with a note stating the account name.

It is relatively irrelevant whether a machine reads the cash payment, which is not possible, or whether an employee does so. The only information that the employee and Proton have is that someone has “topped up” this account with cash. This is not a risk, even in high-risk use.

What is the problem which I don’t understand?

1 Like

You are assuming secrecy of correspondence (i.e. the state not reading your letters) is upheld. Third-party intercepting the letters is probably the biggest risk. It can be a proof if you did bad OPSEC (i.e. fingerprint and/or banknotes you took from an ATM*)

*it is possible that some ATMs register the notes with your bank card number or something.

Okay, so would it be possible to do this just by using fingerprints or traceable banknotes? These are two aspects that can be prevented, albeit at great expense and easy to overlook.

If these two aspects do not apply, would it be impossible to do anything with the information contained in an intercepted and opened letter?

It’s a bit embarrassing I’ve never really considered this before (probably because I don’t use ATMs lol) but yeah it seems so obvious.

The company Wincor Nixdorf, today: Diebold Nixdorf (DN), has already presented a cash box for ATMs in 2010, which records serial numbers of the bills in it. The cassette also logs when and where the bills are accessed, and sends the data to a server. DN writes on request: “Any implementation, storage and reuse of the banknote serial numbers is at the discretion of the respective financial institution and must comply with local legal provisions.” [Translated quote]

I think maybe this should be its own thread but yeah it is even public data here:

https://en.eurobilltracker.com/

1 Like

There’s also fingerprints (as mentioned above) and DNA traces, identification via your handwriting or even the type of pen&paper or envelope you bought (could be something special that’s only sold in a couple places etc.).

And paranoia :wink: as the authorities won’t pull the full forensic analysis on just everyone.

2 Likes

I think this is quite different from automatic data collection, but funny nonetheless.

1 Like

Did you read my comments when I used the bank deposit analogy?

Something tells me that you have never experienced a customer service agent commenting or asking you about things that have nothing to do with the reason you contacted them. Or worse, you’ve never experienced a customer service agent making a change to your account without your consent because they noticed something “odd”. Or maybe you have, and it doesn’t bother you. This has happened to me multiple times with online services, including Proton, and with physical businesses too. The most recent was a month ago, and it was with an online service. I was not happy.

This is why one of my personal golden rules of privacy is to always contact customer service anonymously. That means that unless it is absolutely necessary to identify myself, I never contact customer support with the email address that is linked to my account with them. I don’t want them to know my account info if they don’t need to answer my question.

BINGO! :bullseye:

D) PROTON’S ANONYMOUS PAYMENT OPTIONS VIA RESELLERS ARE EXTREMELY LIMITED.

Tuta. Addy. SMS Pool. SimpleLogin. They all allow their gift cards to be purchased anonymously via resellers like the Proxy Store, which accepts cash and Monero.

Not Proton.

The Proxy Store is a popular digital store in the privacy community that is supported by many privacy companies.

a) Proton doesn’t sell their gift cards in the Proxy Store.

Proton sells subscription vouchers that can only be used to buy a subscription and nothing else. You cannot credit your account with them like you would with Tuta, Addy, SMSPool, or even SimpleLogin. This is a huge limitation.

b) Proton’s Proxy Store vouchers are exclusive to new users.

An existing Proton subscriber cannot use them to renew their subscription. If they want to use them, they have to cancel their current subscription, which means losing any discount if you’re on a lifetime discount.

Even if you are a new user and you purchase a subscription anonymously via the Proxy Store, you cannot renew it via the Proxy Store. You will always have to cancel your current subscription or wait for it to expire in order to purchase another one the same way. That is not practical at all.

Any existing Proton subscriber should be able to renew their current subscription anonymously and automatically. And any new subscriber should be able to do the same.

c) Proton vouchers in the Proxy Store are not widely available

Some services that Proton supported (Proton Mail) are not supported anymore, and it seems that Proton is deliberately withholding those vouchers from the Proxy Store. I know this because I spoke directly to both Proton and the Proxy store about it.

Via their competition, Proton has plenty of great examples of services that support anonymous payments directly and via resellers. And yet, Proton refuses to follow that model. They refuse to follow the model of SimpleLogin, their own company. None of their direct payments are anonymous, and their indirect payment methods are deliberately limited so that only first time users can benefit from them, and only for the first year.

PROTON DOESN’T WANT TO SUPPORT ANONYMOUS PAYMENTS

It’s the only conclusion one can come to when you look at their deliberately poor implementation. They need to do better because they are outshined by their competition in this department.

If Proton truly supported anonymous payments, they would allow direct cash payments for gift cards and also sell those gift cards via privacy friendly resellers like the Proxy Store. They don’t. In addition, they would not require you to declare your username for cash payments.

If Proton truly supported anonymous payments and were completely transparent about their data retention policy, many of their public controversies would have been avoided.

7 Likes

Your own cited text indicates that the Lugano convention is for civil and commercial matters.

The current case was a criminal one, so it would not apply.

PS: Unless an update is available, ProtonMail is forced to keep some data on users:

I guess this explains why they did comply with law enforcement orders 8,313 times in 2025!

ProtonMail also gave backup email and IP address in the past.

For the payment method, sorry I don’t know.

Sure. For criminal cases, the Budapest Convention applies, the latest (more privacy invasive) iteration of which was put out for signatories to join pretty recently. Regardless, whatever marketing claims Proton and Quad9 are making fall flat.

I know? I cited Lugano to make it clear that Proton’s marketing that Swiss laws (as far as LEA is concerned) are some kind of a shield is a farcical claim at best.

4 Likes