It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.
So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.
Email is a critical infrastructure these days. Most people have neither the time nor the will to deal with emails failing to send and/or be delivered. (Send or receive)
1. According to the now-deleted Reddit comment from the official Proton account glazing Republicans, so I assume they were speaking on behalf of all of Proton. https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru.... I have zero evidence except for the CEOs questionable public statements, but I wouldn't be surprised if Proton turned out to be the 21st century Crypto AG.
The CEO once expressed support for Gail Slater as head of antitrust and subsequently criticized lack of effective work towards tech regulation on the Democratic side in the same social media thread.
Calling that "love for the current US admin" (which hadn't even taken office when those statements were made) is pure disinformation.
People of all kinds can say certain positive things about the Republican Party for different reasons in specific contexts and not be fanatics you know. That's how using actual reasoning and nuanced discourse works in the world of not throwing your brain in the garbage through ideological rigidity.
What about those of us nobodies with no influence?
With good cause, in this case, but the crowds wielding pitchforks don’t much care either way.
According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356
They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.
You'll also note that Proton doesn't mention that their Abuse Team refused to re-anable the account after the article author did the appeals process, as per Phrack's timeline at the top of their article.
The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.
As for the "company size excuse" sorry but considering the business you claim to be in (the private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").
Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.
Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
and yet suspending the account...
Here's a genuine question: is Proton Mail the least shitty of companies that provide email services?
I self-host email and will continue until I die. But for others who need a company to do this for them, is Proton Mail the least shitty of options? Does this change the evaluation? I'm genuinely curious about the opinion of others here.
There are better or less shitty companies like Fastmail, Runbox (tried them), even Purelymail (but 1 or 2 people setup), Mailbox (shitty support, solid setup; I am a customer), Migadu (good name, I have never used them), there's Tuta (but somehow they seem off to me; like Proton they also do not allow IMAP/POP - Proton allows with some circus), MXRoute has good name at places like LET forum. There's even Zoho if you just a mail service (but then if you use Zoho then only reason to not use Google or MSFT will be cost or just the middle finger :D) … and many more.
So there are options.
PS. as per self hosting email - I can't self host my seedbox properly on a VPS, I don't think I should even try email :)
True, but sadly too many people don't care.
Look at how many people will happily throw $$$ per month at Claude when it is basically absolutely impossible to contact a human being at Antrhopic.
> is Proton Mail the least shitty of companies that provide email services?
Tutanota could be worth a look.
Question: How do you manage the security on such a box? Is there any simplification I missed?
I couldn’t keep up with it. So many patches, unrelated to mail, broke something in the stack, bringing the server into a critical state. Often, I had to lock down everything before going up again, consuming a day’s effort or two. These were two days without mail.
Anyway, the problem is "trust" which boils down to IP reputation. And since we are all still on ipv4, your IP was reused. Which means you need to spend months cleaning it. And you won't have a guarantee that you won't lose this IP in the future.
[0]: https://mailu.io/
You'll find plenty of people telling you to not do it, but they mostly seem to think that others shouldn't do things because they can't.
The biggest problem with self-hosting email is deliverability, and it's easily handled by smarthosting through a reputable service, so anyone who says it can't be done hasn't really thought things through very much.
For my parents, I registered a domain on OVH and they use the free email accounts they come with. So that's an independent, ready to migrate, email account for about 8 euros per year.
I'm not saying email self hosting should not be done, I just say a bit of planning should be done.
DNS seems like the most annoying part, it is SPoF by design. The problem can be mitigated, but seems like cannot be solved. For example, owning multiple domain names in multiple jurisdictions. And round-robin them. You cannot eliminate SPoF for any one specific service you want to login using email. But you won't lose access to everything at once.
Edit: P.s. At the same time, owning your domain for mail seems to be one of the most impactful things to do to reduce digital serfdom. Banned at *mail? Just switch those MX records and go on.
Proton had a great thing going where their VPN service and business service funded the cost of maintaining free accounts. The fact that they chose to destroy years of trust by announcing a deletion policy, indicated to me that they no longer care about their users more than they care about running a business.
I’m not even asking for something unreasonable. It’d be one thing if they didn’t want to maintain free accounts with no activity but hundreds of gigabytes of storage. But they haven’t stratified the limit by storage usage. If you’ve got a free account consuming a few megabytes of storage, maybe an email you setup for the government service you interact with every few years… well you better make sure you remember to do the arbitrary chore of logging into that account every year, or Proton will just delete it, no questions asked.
Maybe they’ll send you some reminders if you gave them a “recovery” email, but that defeats the point of signing up to a privacy-preserving email service and calls into question the premise that they even are one.
(In related news, I need to text myself on Google Voice every few months or they’re gonna delete the number I use for 2FA on critical services… and this is an account that has $4 of credit loaded into it from ten years ago…)
One year, to be exact: https://proton.me/support/inactive-accounts
... for free accounts only, after 12-24 months of not having logged in at all.
> And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.
They allow you to physically send in cash.
> I’m not even asking for something unreasonable
I don't disagree in principle, but the way you're asking for these things does in fact make you come across as an unreasonable customer.
The amount of hate that Proton gets here for the above still ambiguous situation (and in many other comment threads) is bizarre and oddly hive-minded.. The company is far from perfect but compared to the overtly parasitical openly done deep scanning of your email content and utter disregard for any responsiveness to user complaints from any major American tech company's email service, Proton is positively saintly by comparison. Id' suggest growing and regularly watering a bit of perspective.
EDIT: I see a number of comments about Proton's "jankiness" and service unreliability here too. I haven't experienced any of that either on desktop or mobile.
Hi everyone,
No, Proton did not knowingly block journalists’ email accounts. Our support for journalists and those working in the public interest has been demonstrated time and again through actions, not just words.
In this case, we were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.
Because of our zero-access architecture, we cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.
Our team has reviewed these cases individually to determine if any can be restored. We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.
Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.
The situation has unfortunately been blown out of proportion without giving us a fair chance to respond to the initial outreach.
Thank you for your understanding, The Proton Team
"We have good relationships and trust this CERT so we carpet bombed all accounts they send us without even looking at them."
I wonder what would have happened to accounts or users without the reach on socials.
Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).
Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.
For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).
Could you elaborate more on this?
I was a a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half baked password manager being one).
Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.
And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.
My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.
Or a very bizarre LLM offering: https://news.ycombinator.com/item?id=44657556
https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
Like, the calendar on mobile doesnt even have a search function. What if I want to know when an event is happening? I just have to scroll and scroll until I find it? Come on now. Also no storage backup in proton drive??? What??? That's, like, 90% of the purpose of proton drive!
This is something I had not heard (also have been a paying user for a very long time).
I've never encountered a bug, to my knowledge. I did dislike that when they released photo storage they didn't have a proper search feature.
I've never encountered a bug
There was also that whole IMAP data loss issue. Unsure if that ever got resolved.
I'm glad it works for you, but their offering is frequently buggy and broken for me.
Fastmails interface is very plain, and it works very fast and works well.
They support a plethora of ways to do mail and have many advanced users so their mail support is very good, maybe close to running your own mail server without having to deal with rbls and getting spamlisted
That said, because I’ve not experienced any failure, I’ve not experienced how well Fastmail handles failure, which is the real measure of a company.
The configurability is extensive in both web app and ios email app. Service has been fast and stable. They rarely change anything in the UI (no random tinkering is what I mean) so it is predictable and easy to use.
The rebranding and "revamp" is limited to the logo and colour changes :D everything under the hood is still the same good old OX inferiority. Hell, you may never want to use their webmail either (my 99.9999% mail usage is via IMAP clients). They are fine other than that.
Fastmail is pretty good if their price and offerings are not an overkill for you. You should check Runbox as well - really good.
Simple Login alt: addy.io? Fastmail and Mailbox (auto-deletes in 30 days unless you "touch" it :D) also have disposable email as part of email offerings. Don't know about Runbox.
I heard using your own domains solves the migration issue but that makes your email pretty identifiable just by looking at your domain.
I wonder whats a suitable replacement candidate after Mozmail and Simple Login? One of the reasons I migrated away from Mozmail to Simple Login was that you can't initiate a email sending, which made it difficult to contact support if needed. Plus Mozmail are on Amazon SES.
https://relay.firefox.com right? Or there's another service?
> that makes your email pretty identifiable
Agreed. I have also stopped abusing the catch-all of my domains. It became a pain very soon. Not only privacy issues but I couldn't possibly block those emails/spam that were coming on usernames like sales and many more.
I like fastmail they seem to have a move slow and don't break things mentality that I like from my email.
I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).
It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.
Most CERT requests are valid and good and should be obliged.. but there should be a manual check involved.
Especially when an appeal is filed. Especially when the content is obviously security reporting.
Both extremes are wrong - don't ignore CERTs and don't mindlessly oblige them. Find one of the many reasonable middlegrounds.
I suspect there's a few email providers where the marketing and reputation management teams are hurriedly adding "check the user and the user's affiliated social media reach before suspending this account, and before responding to any support requests from the user."
My new elevator pitch: We proactively research all of our customer's users and new signups to assign them a social media reach score. We then automate escalating external account action requests or user support calls for highly ranked users to senior staff and providing details and evidence of their social reach and industry affiliations. While we generate revenue from these customers, our primary revenue stream is the aggregated data we acquire while doing this, and selling access to that data to law enforcement, the insurance industry, and Nation State intelligence organisations across the globe.
They currently do cooperate and they go get the odd bad press about this.
So doing what they actually claim to do would change nothing. Their current stance is just a cop out.
I’d like more details about the initial CERT contact if anyone knows anything
"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."
While I like the idea of a safe and uncompromising service, proton seems less so now.
Sadly https://lavabit.com/ currently just says "We are not accepting new users at this time. Mail services remain online, while we work on improving our website code. "
If this would be the case they would not be approved by any payment providers at all.
On top of that, add the possibility that hosting companies and upstream network peers would shut them down.
You do know what law required Proton to act as it did at each step in the story, right? You wouldn't just come up with random non-sequiturs, right?
Even if you can't send email at all (unlikely if you use an outbound relay), there are very significant privacy benefits to having your own server. I send very few emails relative to the number I receive. You couldn't pay me enough to go back to one of big commercial providers.
But it'd be nice to be able to expect your email provider to not cave in to a request from some other counties CERT organisation without pushing back for evidence and some sort of proper judicial authority behind the request.
That's not what Phrak says here: https://phrack.org/issues/72/7_md
Where they say "Proton was used only for email and only to communicate with South Korea"
That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances
source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.
This is the weakness of cloud services.
>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency
Soon or later we will default to analog means. It’s not looking good.
That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.
tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.
This looks like brigading to me. Which is the only way for govs to fight against protonmail: spreading doubt.
Hence I am reinforced to continue being a strong supporter of Proton.
"Big Tech CEOs are tripping over themselves to kiss the ring precisely because Trump represents an unprecedented challenge to their monopolistic dominance.”
They don't know how this is going, from what I see Trump threatens something not to change something, but to get something. If there is any anti-trust drive it's there to shake the tree, not to break up big tech. Trump loves big US corporations, like those in the 50s and 60s, those pre-Bell-breakup.
Just a warning
So if someone downloads proton vpn and uses it that way, then I always considered it to be the best vpn (even better than mullvad) but I guess I was wrong...
I would still use protonvpn but I will try to migrate towards quite frankly more services from now on.. Email should just be a way to discuss what should be your matrix account or xmpp or even signal...
Another thing that I want to point out is that I had once went into network permissions etc. in proton docs and tried to write a comment and write stuff etc. and I am not sure about the writing stuff but although these do feel "encrypted" but I saw a thing in the api response when I did curl or something which showed logs so I assumed proton keeps logs..
Another problem I feel is that since proton is only encrypted via your password which you enter into the system and it seems that you can change the password if you have something like phone verification. Fundamentally something like this can only work if they have the keys, so they are having the keys to your encrypted account. I am sure that there are ways of adding your own private key too but how many people using proton are doing that?
Fundamentally, this is how the stack will work or has to work imo. You are trusting them because of lack of conflicts. They have built their name on privacy and so everyone will leave if it they are less private but the thing is, is that they might be using some open source tech that might have an update that couldn't be audited or somehow get hacked themselves and since proton might have some juicy targets like journalists. People's lives may be on the cutting edge.
I heard this somewhere that I wish to share, you want technologically private solutions not because you don't trust someone but rather that it should remove the need of trusting in the first place. Proton hasn't / can't reach it imo.
I don't mean any hate towards proton but that was my understanding. I still use it and in fact Please let me know if I caught something wrong or what I am saying is correct. My purpose is not to spread misinformation but rather inform my opinions/correct them if I am wrong.. (I may be wrong, I usually am [my most loved line from the book how to win friends and influence people])
I feel as if we need to get things like pi etc. or whatever and atleast to me hosting something like matrix seems okay-ish I am not sure. Email just doesn't feel as if a good protocol for privacy.