This is the feedback I got from the Proton Mail Team about this matter:
"Thank you for reaching out and sharing your concern. We understand why this story is alarming, and we want to give you a clear picture of what actually happened.
First, Proton did not provide any information to the FBI. The data was obtained by the Swiss Federal Department of Justice through a Mutual Legal Assistance Treaty (MLAT) process. Proton operates exclusively under Swiss law and only responds to legally binding orders from Swiss authorities, after all Swiss legal checks have been passed. This is clearly stated in our TOS and Privacy Policy.
In this specific case, Swiss authorities determined that the legal bar was met because a law enforcement officer had been shot, and explosive devices were involved during an incident in 2024. Switzerland has one of the strictest privacy frameworks in the world, and legal assistance is only granted in cases involving serious criminal matters.
Importantly, the only information that could be disclosed was a payment identifier because the user chose to pay by credit card although Proton accepts gift cards, cryptocurrency and cash. No emails, no message content, and no communications metadata were handed over. This actually demonstrates how little data Proton holds by design, our end-to-end encryption means we cannot access email content even if ordered to.
We hope this provides some reassurance. Please don't hesitate to reach out if you have any further questions.
Best Regards, The Proton Mail Team"
Let me get this straight: The FBI was monitoring a protestor’s bank account and spotted a Proton Mail purchase. They contacted the Swiss DOJ, requesting a subpoena based on the specific Order ID, date, and credit card digits of the bank account being monitored. The Swiss DOJ agreed, approached Proton Mail, and the company complied with the official legal request under Swiss law.
The real scandal here isn't Proton Mail's compliance. It is that the FBI is seemingly monitoring the financial transactions of millions of citizens' bank accounts.
This can happen with Mullvad too. If the FBI spots a Mullvad purchase on anyone's bank account, they can go up to Mullvad with the Order ID, date, and credit card digits, and request Mullvad to redirect VPN traffic of that specific Order ID to the FBI's own monitoring servers.
I think 404 Media has an ethical obligation to provide Proton Mail’s response outside the article’s paywall. The word “Helped” in the headline is more sensational than stating that Proton “was required by Swiss law to provide...”
For readers who do not want to pay to read the article, the headline leaves incomplete context and creates a misleading impression of the story. That damages Proton’s reputation, and the missing context is only available if someone pays for the article, reaches out to Proton, or searches forums for substantive information.
> The records provide insight into the sort of data that Proton Mail, which prides itself both on its end-to-end encryption and that it is only governed by Swiss privacy law, can and does provide to third parties.
Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
Although I guess the server location didn't matter in this case since all they wanted was the billing information and the credit card info to identify the person.
> Didn't Proton already say that they were physically relocating their servers outside of Switzerland because the Swiss government couldn't be trusted?
They said they want to relocate to Germany, which, to put it politely, is much worse in this regard.
In what sense? Germany has among the strongest judicial oversight for invasion of privacy in Europe. Due process is followed when securing search warrants that provide access to subscriber data (Germany does not have administrative subpoenas like in the US and other countries).
Former attempts at surveillance have been struck down in the Bundesverfassungsgericht, and the right to privacy has even been affirmed for foreigners (as opposed to other countries like the US that reserve that foreign nationals have zero due process rights for invasion of privacy).
Their end-to-end encryption is pointless because the vast majority of any recipients will just leak the plaintext emails via their own account providers anyway. It only works under very specific circumstances (all parties are using it). I think their marketing overstates what their secure private email actually means.
Yes. If you send an email from a Proton Mail account to a Gmail account, that email is in Google's system. Same in the other direction. Would anyone using Proton Mail not know this? I would guess at least 99.9% of Proton users understand this.
This should surprise exactly nobody after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
> after it was disclosed back in [checks notes] 2021 that ProtonMail gave up user data to law enforcement and also changed their TOS.
You shouldn't even need that. A warrant isn't a strongly worded letter that they can just turn down. It's the law. Therefore you should assume that if the police can get a warrant, they can get your data. Even for people who don't follow the law (criminals), there's no guarantee they won't snitch on you.
Proton Mail complied with a legal demand they had no choice but to comply with, providing the basic shred of information the user willingly and knowingly provided.
You want to be anonymous? Don't use your credit card! Don't connect from your home internet connection. (I don't know whether this person did, because I can't read the story due to the login requirement.) Either way, total non-story. Anyone whose potential adversary is a powerful government should already know this stuff.
Either way, Proton didn't help the FBI. The article title is deceptive and implies a degree of insidiousness or dishonesty that has not been demonstrated by Proton in this case.
If I'm not mistaken, Proton didn't give anything to the FBI; they provided what was required by law to the Swiss government, who then gave it to the FBI. It's a small distinction, but it matters.
As a proton user I know I am not completely anonymous. I pay them for their bundle of services because I get VPN, encrypted password storage and email that isn't scanned for ads and other purposes.
Privacy and anonymity are a gradient. If I needed real opsec from government threats I wouldn't tie a credit card to a service.
A little snippet of the article can help reduce the number of people who have a knee-jerk reaction to whatever the headline says.
The Proton user had bad opsec by using a credit card to pay for the account.
Had Proton just turned data over to an out of jurisdiction LEA, then it's more of a complaint. But they followed their policy and law here.
Proton offers a Tor address for accounts requiring anonymity rather than just privacy. The crux of this is on the account user.
> Proton Mail complied with a legal demand they had no choice but to comply with
Are you trying to say that any compliance is by definition help? Like if the FBI subpoenas my public key and I comply, that’s helping them?
Whether they store such info for cryptocurrency payments as well (no chargeback risk) would be telling.