404 Media has a story about Proton Mail giving subscriber data to the Swiss government, who passed the information to the FBI.
It’s metadata—payment information related to a particular account—but still important knowledge. This sort of thing happens, even to privacy-centric companies like Proton Mail.
Doug • March 20, 2026 7:37 AM
Proton had a nice rebuttal to the article. The TL;DR is that any company has to comply with legal orders. Proton takes care to not keep data so no user content is available to the authorities. The users have an option to pay with cash or crypto or credit card. If the user needed/wanted anonymity, then cash/crypto is the way to go. I’m comfortable with these constraints and it’s a quantum improvement over google.
I do not know the proton system but posteo.de has separated payment and accounts. It’s not possible to get the user account from any payment action. If you use cash no trails at all are available
Nablax • March 20, 2026 8:55 AM
OPSEC failed !
Encryption ≠ anonymity. these are not the same thing and never have been.
Proton did exactly what they said they’d do – encrypted your emails and complied with lawful Swiss legal orders. that’s the whole deal. that’s what you signed up for.
The credit card used to pay for your “anonymous” account was never part of the encryption, that was always traceable. that was always a liability.
And here’s the kicker – Proton literally accepts Monero and cash. They gave the tools, chose Visa is not the good way…
John • March 20, 2026 11:36 AM
If this person was only legally protesting, then the FBI wouldn’t have any cause to look deeper. I live in Metro Atlanta. I don’t mind law enforcement having a place to train here.
When people trespass on private property and vandalize equipment, that’s illegal. If you are going to break laws, then you need to have better OPSEC.
Going after a single account with a warrant is reasonable. Freedom of speech is not absolute anywhere, including the USA. Inciting illegal activities is not protected speech, ever. Doesn’t matter if that happens online or in front of a crowd on Jan 6th that ends up killing 8 people.
Winter • March 20, 2026 12:11 PM
This is really a non-story, clickbait, or a desinformation campaign.
There is this is the old truism that the only secrets that are safe are those no one knows. [1]
Whatever Proton knows, they can be forced to divulge, by legal or illegal methods.
If you want to use Proton Mail anonymously, use their free tier from Tor or another cloaking service. If you have to use a paid tier, use Proton’s anonymous options.
[1] As Benjamin Franklin famously wrote: ‘Three can keep a secret, if two of them are dead.’
lurker • March 20, 2026 1:36 PM
I guess this blows Pedro’s alibi.
At the end of a 1957 Stan Freberg episode of Bang Gunleigh – US Marshall Fields, the sidekick Pedro is introduced.
“Pedro? Is he Mexican?”
“No Senorita. Sweess. Thees way we don’t offend nobody.”
Clive Robinson • March 20, 2026 3:28 PM
@ ALL,
Just a reminder,
Encryption only hides message content if done properly.
The use of a VPN or Tor does not give you rooting anonymity unless done properly.
The use of any kind of service provision does not stop trackable usage / habits traced unless done properly.
And several more layers going up the “communications stack”.
Not doing things properly enabled the Iranians to locate spys in their country who were communicating on a CIA designed system. The Iranians passed the method they used onto the Chinese and they used it to locate spys communicating with the CIA from their country.
Because even the CIA could not do things properly at all layers a lot of people died or worse.
Knowing how to do things properly at all layers on what is an “Open Network” of Client, Routers and Servers requires considerable expertise.
But you also need to consider the Software at both the Client and the Server from the lowest level of “the physical layer” all the way up to and beyond the “presentation layer” in the ISO OSI Stack. And that includes the layers you can not see down in the physical layer.
You need to consider how you break things up in size and time and how you build and use “Store and Forward” mechanisms
Get any of it wrong and you have painted a target on your back. Tor does this simply because your traffic labels you at the entry and exit because neither you nor in most cases the server is part of the Tor network (something I talked about with the “Fleet Broadcast System” here in the past).
I’ve said all of this here especially about Tor in the past and been told I’m Paranoid or wrong.
Unfortunately for those who have been caught many have not been able to talk about it or even knew how they were caught.
I’m not “Paranoid or Wrong” as the Fan Boi’s used to claim –just thoughtful about how systems are vulnerable and thus their users are found– and never was, it’s just that people who thought they were smart like the UK SiS with the “Rock in the Park” in Moscow and the CIA with their Internet based system and many others got it wrong.
Others are thinking about these issues now and Tor is being replaced by other less vulnerable mix nets, and one system called “Invisable Internet Project”(IIP or I2P) is a “bit improved” but none of them solve all the problems that I’ve previously identified…
And to be honest I don’t think that even the supposed professionals have got it right either. In fact they mostly have not kept up and that spells trouble or worse for the users.
Consider the fact that if you fall under suspicion your mobile phone will betray you just by it being in your pocket even if “supposedly turned off”. It will log every WiFi and BlueTooth ID in range where ever you go. All this info goes vack to Google and Data Brokers and “Third Party Commercial Records” at the Service providers who “sell it on” and we know the US DHS agencies and “Feds” and “State” Law Enforcement buy it up and Palantir amongst several others build “connection and habit maps/charts” of any and all… And “de-anonymize” at all layers of the various stacks they get access to.
Now consider AI to be on your mobile phone and all computers with “Client Side Scanning” all those Apps “Doing an ET Phone Home to the MotherShip” even your HP printer.
Why do you think all this new “think of the children” age verification nonsense is being forced into the lowest layers of the OS including in FOSS?
Within a year or two at the most all “electronic communications” will be identifiable to the “individual” so even “burner” systems will nolonger be available. Oh and not being “connected where ever you go” grounds for suspicion.
The thing is I tell you all of this but others won’t, just bits of it, and you have to piece it together. Worse you don’t know if you have all the pieces because they don’t come in a box with a picture on top. The only way you know is to put it all together…
Another person who is trying to fill in some of the bits you don’t get told is,
https://m.youtube.com/watch?v=t3TmOjunjdk
Not sure if she will succeed but give her time.
Another I’ve mentioned before is Rob Braxman, who is a little behind the times.
As for “journalist” organisations what most of them recommend will get you caught in next to no time…
Do they care? Well some might but most editors see a potential news story in you getting caught on the “if it bleeds it leads” principle. The shareholders just see sales thus value increase and so on.
Look up Bezos, Khashoggi, and the House of Saud for background on this.
This is “their side” so treat with caution,
‘https://www.politico.eu/article/jamal-khashoggi-saudi-arabia-britain-istanbul-death-new/
Especially as it leaves out why Bezos got “outed”,
‘https://www.theguardian.com/world/2020/jan/21/revealed-the-saudi-heir-and-the-alleged-plot-to-undermine-jeff-bezos
Then there is the less well known “Project Ravens” of the US SigInt operatives and the UAE monarchy that amongst other targets such as dissidents and journalists and any others the Arab Royal Family wanted “dealt with”.
‘https://www.reuters.com/investigates/special-report/usa-spying-raven/
Every so often a little corner of the rug gets lifted and we get a glimpse of what has been swept under there… It’s up to you to “think bad” and “put the pieces together” in the worst possible way. Then you might stand a chance (but probably not because of the other breadth of knowledge required).
Ismar • March 20, 2026 5:03 PM
Proton mail has never claimed it could provide anonymity. It’s main selling point is to make large surveillance harder by requiring access to end devices in order to decrypt data as data is never stored in unencrypted form on Proton mail servers
QuestionForClive • March 21, 2026 3:57 PM
@Clive Robinson,
your 3:28 post, is that Youtube channel the same lady as is behind the Ludlow Institute. If not then the Ludlow institute is another source of relevance for online freedom related topics you might want to occasionally keep up to date with:
https://www.ludlowinstitute.org/articles
jason • March 31, 2026 10:04 AM
Yes, Tor is not secure as most people believe. I found errors in the code that could be exploiited. I have also
noticed the change in ISP attitude shifting to accommdate government reach on controlling dissent. I noticed an increase in the physical layer being exploited by nation states. I found an exploit in qualcomm chipset on Android 11 which gave danngerous permissions on bootup turning a device into C & C by changing settings to Roaming in celluar ISP settings detaching your carrier ISP to C & C ip address by inserting another mobile info . Reported to Google and was patched in later updates.
Does anyone have any comments or even noticed that on Android OS, you can not only see but toggle certificates off from various countries but you cannot toggle off various emergency alerts whereas on iPhone iOS certifiicates sre hidden preventing any visible way to view or toggle off cerrtificates of other countries.but you can turn off all emgency alerts? Reason I asked is that deep state was using alert system to gain access to insert an exploit to monitor activity. This was on Android 11. I just find it odd between mobile devices OS that they are opposite where you cannot have both.
Apple removes custom VPN clients from Russian App Store amid Telegram crackdown.
Clive Robinson • March 31, 2026 2:14 PM
@ jason,
With regards,
“Yes, Tor is not secure as most people believe. I found errors in the code that could be exploiited. I have also
noticed the change…”
And so the list goes on.
Dare I say that these days this is,
“Just normal”
This is not to belittle anything or any one but simply point out that,
“Bad things are happing faster and faster and with more and more varied coverage.”
But bad as that is, the depth and breadth of knowledge required for adequate defence is rising geometrically.
In short things are not sustainable in the way we are currently encouraged to do them for defence.
The talk of “AI will solve all” amongst senior management types is just not true with Current AI LLM and ML systems in the US. Where people are finally realising they don’t scale in the way that’s been claimed in the US Investment Hype Bubble…
So we have to find alternatives and fairly quickly, and mostly we are,
“Fresh out of ideas”.
Which means we are going to have to “fall back” on older proven but quite limiting techniques.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Doug • March 20, 2026 7:36 AM
Proton had a nice rebuttal to the article. The TL;DR is that any company has to comply with legal orders. Proton takes care to not keep data so no user content is available to the authorities. The users have an option to pay with cash or crypto or credit card. If the user needed/wanted anonymity, then cash/crypto is the way to go. I’m comfortable with these constraints and it’s a quantum improvement over google.