Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester

PurpleDime:

Did you read my comments when I used the bank deposit analogy?

I don’t understand the problem with a Proton employee knowing that this account has been subscribed to and is using Premium. This information is completely useless and is almost certainly accessible to employees at any time. But whatever.

Please take a look at my other thread, ‘Help with my email setup’. I may soon be facing a high-risk scenario (political) and therefore need completely anonymous email access.

The plan was originally to pay Addy anonymously with Proxy Store and use free Proton, but this could be a thread. So I could just create, let's say, five free Proton accounts and use them anonymously.

But maybe you can look there into my general email setup, because you seem more knowledgeable than me.

The issue is not just that a Proton employee will see that you have a premium account. It’s that the Proton employee will see and know so much more about you because they can see your whole profile.

ID at Liquor Store Analogy

Imagine you go to a liquor store, and they ask you to present your ID to prove that you’re over 18. When you present your ID, the cashier doesn’t just see that you’re over 18. They see your date of birth; hence, they know that you’re 25, not 50. They also see your gender, your full legal name, your address, your height, etc…

It’s the same with Proton. They don’t just see that Jordan Smith has a premium account. They know your name is Jordan Smith. Likewise, they know how many Proton addresses you have and what they are. They know that the last time you subscribed, it was with a credit card from Germany, but this time they noticed your cash payment came from Japan. There is a difference between Proton’s computer system knowing that vs. a Proton employee.

1Password example

Last year, I received an email from 1Password, telling me that they were going to start charging taxes to customers from certain countries, including the one they assume I am from based on my credit card info. That means I was going to pay more for the same subscription, which I didn’t like.

I also didn’t like that 1Password assumed I was in Germany just because my credit card is German. I could be living in India for all they know. So before the tax could be applied to me, I went into 1Password’s settings and manually changed my country of residence to one where I wouldn’t be taxed.

Suppose that within a month after doing that, I contact 1Password support for a completely different issue, a bug I am noticing in their app. As the customer agent is helping me, they notice that I changed my country of residence to India when it was Germany for 10 years. They could ask me:

Hey, we noticed that you changed your country of residence to India. Do you actually live there?

I did not contact them to answer questions about my country of residence. I contacted them to report a bug I noticed in the app.

Do you see how this is invasive?

Proton example

A Proton agent could notice upon applying your cash payment that there are multiple websites for which you have 3 aliases (e.g., 3 Instagram accounts), which is not allowed and against their ToS. You did not know that (most people don’t), and the Proton agent decides to reprimand you for it with or without warning.

All you did was send cash to renew your subscription, and instead of just applying the payment, a Proton agent took it upon themselves to look at your profile and make changes to it that you did not ask for.

Can you see how your privacy was compromised?

Took a look at it and replied.

4 Likes

Thanks a lot for mentioning and checking this. I was desperately looking for an option or explanation of this and agree with your conclusion, that this seems very on purpose.

And to add to this, Posteo has some mechanism that makes linking of payment and account impossible:

Out of principle, we do not connect data that we receive during payment with email accounts. For this purpose, we developed our own Posteo payment system in 2009 with which we carry out all payment processes in a privacy-friendly way. In 2015, we expanded it once again so that all payments could continue to be processed without any connection to email accounts despite new legal requirements.

Explained here: Email green, secure, simple and ad-free - posteo.de - Payment

1 Like

Banknotes is relatively easy. Just pay with cash, and use the change (also avoid shops who use automatic machines for handling cash obviously).

Fingerprint seems way harder, but also less likely to be an issue. They would bother only if you are a very high-value target, while noting the banknote number is relatively easy.


@PurpleDime I am pretty sure Proton employees don’t have access to the list of all your aliases. I would imagine they scope this access to a specific team working there.

That was just one example I gave of the type of info that the average Proton support employee can likely see. The point I was trying to make is that they have the ability to see beyond what you want them to see. Hence, why it’s better if you can avoid them seeing anything at all by dropping the requirement of usernames for cash payments.

That being said, you are correct. I can confirm from first-hand experience, that only certain teams of Proton employees can see your aliases, but there is no way for you to know which team the Proton agent who is registering your cash payment belongs to. I can also tell you that I have had my privacy and consent violated by general and senior Proton team members, and they apologized for it.

1 Like

Look, please be specific. Looks like a lot of accusations, but not much proof or evidence.

There are plenty of indisputable examples of how Proton agents can see many details about your profile that you did not explicitly discuss with them. Much of the metadata about your account is visible to them. This is common knowledge and should not be news to you. As an example, if you have multiple Proton addresses under the same account, Proton agents can see all those addresses.

Suppose your default Proton address is jordan.smith@pm.me, but you have multiple addresses under the same account, including fresh.cow@pm.me, which serves as your anonymous address. You decide to email Proton support for an issue you’re having, and you deliberately do it from your anonymous Proton address. Guess what? Proton support will reply to your personal address, jordan.smith@pm.me because it is your default Proton address.

Imagine emailing Proton as Fresh Cow, and they reply with Hi Jordan!

This is unacceptable IMO. Proton should reply to the address you emailed them from. That has happened to me in the past, and is definitive proof that Proton agents can see details about your profile, even if you never discuss those details with them.

And to be clear, I was never under the illusion that if I emailed Proton from my anonymous Proton address, they would not see my personal address with my real name.

All this doesn’t alter the fact that Proton agents have access to your profile, and can see things you may not want them to see. And it’s not like Proton denies it. If you have Proton Unlimited or Proton Mail Plus and you email support with one address, ask them if they can see your other addresses, and they will tell you the truth.

If you are referring to my mentioning that Proton violated my privacy and consent, it is not an accusation. It is a fact. I will tell that story in due time, once the matter is resolved. It is an important lesson people need to understand about privacy.

1 Like

Are you referring to this feature?

Yes.

How does it work with those addresses?

How does what work?

The point I’m making is that Proton agents can see all the addresses you create under the same account. It’s common knowledge.

1 Like

Please provide some form of proof of this. I have a hard time believing they’d take the time to find your alternate email and draft a response to it instead of letting whatever support system they use (zendesk?) take care of responses.

The fact that you’re asking me this suggests that you didn’t know this and were under the assumption that Proton agents cannot see all the addresses that are linked to your account. I have to be honest, this astonishes me.

It’s like going to the bank to make a deposit into your checking account, and assuming that the bank teller cannot see from your profile all the other accounts you have with them. That they cannot see that you have a savings account, an investment account, and two credit card accounts. In my opinion, it’s very naive to make such an assumption.

The specific anecdote I shared happened to me years ago. I don’t believe I still have the emails. And even if I did, the only way to prove it to you would be to share screenshots by revealing my Proton addresses, which I do not wish to do for privacy reasons. It’s also possible that Proton has since corrected this issue so that they always reply to the address that emailed them, even if it’s not the default.

The story I shared is not the point. It is just an illustration of my point.

If you do not believe Proton agents can see all the email addresses under your account, contact Proton Mail support and ask them. They will confirm it.

Every time a Proton agent shares with you information about your account that you did not explicitly disclose to them in your request for support, they are confirming to you that they have access to significant metadata about your profile.

2 Likes

I think you’re confused as to what the issue is. You’re claiming that first level Proton support agents have access to your entire account hierarchy. That is a completely different issue from higher level support at Proton being able to see deeper levels of info about your account.

Does it really matter if it’s first level support, a different team, or senior level support?

This post is about a Proton user who was outed and identified via their payment information. My argument is that Proton cash payments should not require we disclose our usernames, or that a Proton agent manually add our payment for us. There are plenty of examples of privacy services that accept cash payments and don’t have these requirements. SimpleLogin is one of them.

I do not wish to draw attention to certain things about my account when I interact with a Proton support agent. Especially when it is avoidable. And sharing my username when making a payment that is supposed to be anonymous is easily avoidable. It is also not necessary for a Proton agent to manually add cash payments for us.

Clearly, you have doubts about what a first line Proton support agent can see about your account, and that is fair. You are entitled to those doubts. This is why I invite you to ask Proton yourself. The idea that a first line Proton agent cannot see anything about your account other than what you have explicitly shared with them in your email is preposterous to me.

Also, I am confident that first line Proton agents have access to past tickets, and if you have interacted with senior support agents before, they likely can see what was shared.

1 Like

Yes, does it display under a different mailbox or the same?

I think those mailboxes are different from an alias. The concerning thing would be if any support employee had the list of all the SL aliases you created.

Yes. I assume that a company that cares about privacy would minimize the amount of data employees can see. First level supports assign tickets and work off of a script (have you cleared the cache? Have you tried logging out and logging back in?) I can’t see a reason why they’d need in depth info on accounts to do that.

I was specifically talking about Proton addresses (@pm.me) not aliases. If you have multiple addresses under the same account, Proton agents can see them.

Aliases are a different matter. I assumed that first line agents could see my aliases, but now I know from first-hand experience that only senior agents can.

In regard to your mailbox address it is unclear. You gotta remember that Proton support has different contact addresses for their different products (Proton Mail vs Proton Pass/SL). However, it is unclear if there is a dedicated support team for each, or if most first line agents, respond to tickets about multiple services. I contacted support enough times to notice recurring names, but I don’t remember if it was always for the same Proton service.

I would be surprised if a first line Simple Login support agent could not see your mailbox address, but I know for a fact that senior agents can.

I agree. However, as I previously said, I am pretty confident that first line agents can see your past tickets. And if you had a discussion with a senior agent in a past ticket, where sensitive information was discussed, I believe a first line agent can read it. I say this based on the fact that I have been asked about past tickets by first line agents.

I guess it depends on the kind of issue you are reporting and the type of questions you ask.

I may be wrong, but the following quote from Proton legal/ToS seems to make an exception to Swiss law exclusivity:

If you are a consumer user residing in the United States of America, you consent to the extent permitted by law to the jurisdiction of the courts of the Canton of Geneva to settle any dispute or claim (including non-contractual disputes or claims) arising out of or relating in any way to these Terms or its subject matter or formation and agree that any such claim that is brought in Switzerland shall be governed in all respects by the substantive laws of Switzerland. You further agree that for any disputes, actions, claims, or other controversies arising out of or relating in any way to these Terms, your Account, the Services, your use of (or lack of use of) or access to (or lack of access to) your Account or the Services, or any advertising, promotion, or other communications between you and the Company, whether based in contract, warranty, tort, statute, regulation, ordinance, or any other legal or equitable basis, if brought in the United States and found to have jurisdiction in the United States, shall be construed and enforced in accordance with the laws of the state where you reside; provided, however, that the arbitration provisions herein shall be governed by the Federal Arbitration Act and the American Arbitration Association (“AAA”) Consumer Arbitration Rules (the “AAA Rules”), as described more fully below in Section 13.1.

I was disappointed to find out that unencrypted messages are scanned, and the unencrypted and saved as I see from the following quote from the Proton Privacy Policy:

We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses to pursue the legitimate interest of protecting the integrity of our Services and users. Such inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan the content of the messages after they have been encrypted. We also have access to the following records of Account activity: number of messages sent, amount of storage space used, total number of messages, last login time. User data is never used for advertising purposes.

It is not clear for what purposes encrypted correspondence is kept if it's not accessible.

In addition to not being able to erase at least one plastic card data, that was used to pay for subscription without cancelling subscription or adding data of a different payment method, I could not figure out how to delete paid invoices from past. I also noticed that invoice for 2026 has more data, such as user id and billing address of card.

Suggestions of solid alternatives (only email, no bundled services are needed) are welcome. Tia

The first thing is probably something you’re forced to do if you have customers in the US but I don’t get how it should be bad tbh. As far as I understand it only matters if you as a US customer start a dispute. So for US customers it’s probably a plus and for the rest it doesn’t matter as far as I can tell.

For the second thing: Where exactly is your problem here? Isn’t that like the best case? You’ll always have incoming mails that are unencrypted and by design of e-mail the provider is able to read that. Proton saves it to disk in such a way that they can’t technically read the contents and on top of that apply spam filters. That is good engineering, not a downside.

Can’t speak about “plastic card data” but it seems to either be a very unfortunate bug or an error on your side.