
Posted by lehi 9/12/2025

Proton Mail suspended journalist accounts at request of cybersecurity agency (theintercept.com)
371 points | 210 comments | page 2
drnick1 9/13/2025
And this is why I host my own email server, even if I am not a journalist investigating governments or anything of the sort. It's a matter of control over my computing.
abnercoimbre 9/13/2025
Common folklore is that this is extremely onerous to self-host (and have it work successfully). How did you go about it?
ziml77 9/13/2025
Also, how do you mask your identity if you self-host? I can have as many mailboxes as I want but they're all trivial to correlate because they share a domain that isn't providing email accounts to large amounts of users. And then there's the matter of a VPS not actually being under my control. It's a VM running in a datacenter. I could run the mail server locally, but then I'd still need to relay through a VPS to mask my IP address. And that's still only protecting from a casual adversary...
drnick1 9/14/2025
What do you mean by "masking your identity"? If you self-host at home, then your IP will be discoverable through DNS, but no one but the ISP will know who the account holder is. Registering a domain also normally requires providing a name and address, but no ID is normally required and it is an open secret that a large proportion of WHOIS information is fake.
drnick1 9/13/2025
The common folklore is just FUD. The main issue is deliverability to the likes of Google, Microsoft, Yahoo, etc. You need a clean fixed IP in a non-residential block and a sufficiently aged domain, or your mail will be flagged as spam or rejected. Alternatively, you can use a relay service for outbound email. Besides the deliverability issue, hosting email is fairly trivial from a technical standpoint; on Linux, the standard utilities are Postfix, Dovecot and OpenDKIM. The server is for my own use, so I don't even bother with spam and AV filters.

Even if you can't send email at all (unlikely if you use an outbound relay), there are very significant privacy benefits to having your own server. I send very few emails relative to the number I receive. You couldn't pay me enough to go back to one of the big commercial providers.

bigiain 9/13/2025
> You need a clean fixed IP in non-residential block

Feels like that's carrying a lot of load there?

Where do you get those? I doubt any inexpensive VPS provider has any clean IP addresses? AWS charge you $5/month for an elastic IP address, and I bet you'd need to cycle through their pool of those looking for one that hasn't been blacklisted recently?

There's another thing to consider here too. I was self-hosting my own mail, but back in 2013/14 I investigated all my mail, and even though I'd avoided Google/Microsoft/Yahoo et al., over 80% of my personal email was on their servers because that's where my correspondents were. I pretty much gave up maintaining my own (slightly over-complicated) stuff and gave in and chose to accept the "Do no evil" company at face value. 4 or 5 years later that company no longer existed, even though they continue with the same name today.

drnick1 9/14/2025
I get my IP through work, but another way of obtaining one would be subscribing to a business account with a regular ISP. Normally, this also allows you to set a reverse DNS. You will likely have to pay more for your Internet, but considering that you won't have to pay for any cloud service anymore, you will probably still come out ahead and gain a huge amount of sovereignty over your computing. A VPS could be an option, but many (cheap ones) may have tainted IPs or outright filter the SMTP port.
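The two comments above list what a receiving MTA at Google or Microsoft checks before it accepts mail from an unfamiliar self-hosted server: a fixed IP with a matching (and non-generic) reverse DNS name, an SPF record that authorises that IP, a DKIM key published under a selector, and a DMARC policy. The following preflight script is an added example, not code from the thread or from any of the projects mentioned. It resolves against an in-memory table of constructed records (the domain `example.net`, the selector `sel1`, and the addresses `203.0.113.25` and `198.51.100.7` are documentation placeholders, not real hosts) so it runs offline; swapping `lookup` for a real resolver turns it into a check you can run against your own domain before pointing an MX at it.

```python
"""Deliverability preflight for a self-hosted mail server (added example).

Checks what large receivers look at before accepting mail from an unknown
server: forward-confirmed reverse DNS for the sending IP, a non-generic PTR
name, an SPF record that authorises the IP, a published DKIM key and a DMARC
policy. DNS answers come from a constructed in-memory table so this runs
offline; replace `lookup` with a real resolver to test a live domain.
"""
import ipaddress
import re

# Constructed records for a hypothetical domain. example.net and the
# 203.0.113.0/24 and 198.51.100.0/24 ranges are reserved for documentation.
DNS = {
    ("example.net", "MX"): ["10 mail.example.net."],
    ("mail.example.net", "A"): ["203.0.113.25"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("example.net", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 -all"],
    ("sel1._domainkey.example.net", "TXT"): ["v=DKIM1; k=rsa; p=FAKEPUBLICKEYBASE64"],
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"],
    # A residential-style address: ISP-generated PTR name and no A record pointing back.
    ("7.100.51.198.in-addr.arpa", "PTR"): ["198-51-100-7.dyn.isp.example."],
}

# Heuristic for ISP-generated PTR names (dynamic pools, IP digits in the label).
GENERIC_PTR = re.compile(r"(dynamic|dyn|dhcp|pool|ppp|\d+[-.]\d+[-.]\d+[-.]\d+)", re.I)
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the answer set for (name, type) from the constructed table."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def parse_tags(record):
    """Parse a 'k=v; k=v' TXT record (the syntax DKIM and DMARC use)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def ptr_names(ip):
    return [p.rstrip(".") for p in lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")]


def fcrdns(ip):
    """PTR names of ip whose A record points back at ip (forward-confirmed)."""
    return [host for host in ptr_names(ip) if ip in lookup(host, "A")]


def looks_generic_ptr(hostname):
    return bool(GENERIC_PTR.search(hostname))


def spf_check(domain, ip, depth=0):
    """Simplified RFC 7208 evaluation: ip4/ip6/a/mx/include/all with qualifiers.
    Modifiers (redirect=, exp=) and CIDR suffixes on a/mx are not handled."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:  # multiple records or include loop: permerror
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            hosts = [m.split()[1] for m in lookup(arg or domain, "MX")]
            hit = any(str(addr) in lookup(h, "A") for h in hosts)
        elif mech == "include":
            hit = spf_check(arg, ip, depth + 1) == "pass"
        else:
            continue  # unknown mechanism or a modifier: skip
        if hit:
            return QUALIFIER[qualifier]  # first matching mechanism wins
    return "neutral"


def dkim_key_published(domain, selector):
    """True when selector._domainkey.domain carries a non-empty p= tag."""
    return any(parse_tags(r).get("p") for r in lookup(f"{selector}._domainkey.{domain}", "TXT"))


def dmarc_policy(domain):
    """The p= policy of _dmarc.domain, or None when no DMARC record exists."""
    records = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.startswith("v=DMARC1")]
    return parse_tags(records[0]).get("p") if records else None


def preflight(domain, ip, selector):
    """Run every check; 'ready' is True only when all of them pass."""
    report = {
        "fcrdns": bool(fcrdns(ip)),
        "generic_ptr": any(looks_generic_ptr(h) for h in ptr_names(ip)),
        "spf": spf_check(domain, ip),
        "dkim": dkim_key_published(domain, selector),
        "dmarc": dmarc_policy(domain),
    }
    report["ready"] = bool(report["fcrdns"] and not report["generic_ptr"]
                           and report["spf"] == "pass" and report["dkim"]
                           and report["dmarc"] is not None)
    return report


if __name__ == "__main__":
    for sending_ip in ("203.0.113.25", "198.51.100.7"):
        print(sending_ip, preflight("example.net", sending_ip, "sel1"))
```

The second address in the table is the residential case the thread warns about: its PTR name is ISP-generated, no A record confirms it, and the domain's SPF `-all` rejects it outright, so `preflight` reports it as not ready even though the DKIM and DMARC records are fine. An outbound relay sidesteps the first three checks but not DKIM and DMARC, which still have to be published for your own domain.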
crossroadsguy 9/13/2025
If I may say so, did you not just show in this very comment that that common folklore about self-hosting email "successfully" is not really FUD? :D
segmondy 9/12/2025
When people show you themselves, believe them. Proton is no longer to be trusted. Use at your own risk.
sitzkrieg 9/12/2025
proton always glowed but just straight up bending to unnamed agencies puts em rank and file with every single other provider
lo_zamoyski 9/12/2025
Is refusal realistic? It's nice in the abstract, but in practice, there are plenty of ways to coerce illegitimate compliance.
bigiain 9/13/2025
No company is gonna seriously refuse when their jurisdiction's equivalent of the FBI or NSA turn up with a court-authorised order. As James Mickens said: "YOU'RE STILL GONNA BE MOSSAD'ED UPON"

But it'd be nice to be able to expect your email provider to not cave in to a request from some other country's CERT organisation without pushing back for evidence and some sort of proper judicial authority behind the request.

crossroadsguy 9/13/2025
This article, right? https://www.usenix.org/system/files/1401_08-12_mickens.pdf
bigiain 9/14/2025
indeed
daft_pink 9/12/2025
You either die a hero, or you live long enough to see yourself become the villain.
luqtas 9/12/2025
not all heroes wear capes, much less release a personal AI assistant to navigate your own data while the MAIL CLIENT AND CALENDAR APP have been in beta on Linux for YEARS
IncreasePosts 9/12/2025
So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?
drnick1 9/13/2025
As far as I can remember, you don't even get IMAP access on the Proton free tier. For me, that's a non-starter. The privacy claims are also mostly marketing, as it is basically impossible to verify what Proton actually does when approached by a three-letter agency. I wouldn't use email anyway if I had something to hide, the email protocol wasn't designed with secrecy of communications in mind. For that, Signal seems far better, or perhaps a self-hosted, encrypted Matrix room.
pagansRpedos 9/12/2025
It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.
bigiain 9/13/2025
Citation required?

That's not what Phrack says here: https://phrack.org/issues/72/7_md

Where they say "Proton was used only for email and only to communicate with South Korea"

SilverElfin 9/12/2025
I thought Proton was a confidentiality / privacy oriented thing. How do they even know who owns the accounts?
guywithahat 9/12/2025
You can disable an account without knowing who owns it, although they do have credit card/payment information now, and I don't think new accounts get encryption services unless they pay.

That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances

gruez 9/12/2025
>and I don't think new accounts get encryption services unless they pay.

source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.

https://proton.me/mail/pricing#compare-plans

guywithahat 9/13/2025
I thought I made a new account a while ago (as the front end for an OSS project) and it wasn't encrypted, and then when I checked encryption was moved to the paid membership. It looks like I may have just been confused though, because you're right it looks like it's still part of the free tier
Sunspark 9/12/2025
You are trusting them. They control the client, how the keys are created/stored, etc. Javascript, etc. If they were to suddenly turn one day, they could.

This is the weakness of cloud services.

rvnx 9/12/2025
It is very possible for them to inject custom JS to a specific user.

You are the bosses at Protonmail, do you want police at 6 am shaking your kids, seizing all your devices, losing all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack?

No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flag, in order to collect the missing information.

This is true for all companies who control the client.

bigiain 9/13/2025
From what we (at least I) know, this wasn't the police in Switzerland waking up senior management.

It was, without anyone admitting to it, probably KrCERT who requested the account suspension. KrCERT don't seem to have any legal jurisdiction in Switzerland.

"KrCERT/CC, which is an internal division of KISA, is a CSIRT with national responsibility and a focal point of contact for Korea on international cybersecurity incident handling." -- https://en.wikipedia.org/wiki/Korea_Internet_%26_Security_Ag...

I'd like to think if they 'tapped on the shoulder of the CTO' of a company headquartered in Switzerland, he'd say "maybe, come back with an order from a relevant court or security agency in Switzerland and I'll get my team right on that".

j-bos 9/12/2025
Trusting them is almost guaranteed, but it doesn't have to be, sort of. The clients are opensource so you literally clone, audit, and run the clients locally.

Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.

HeatrayEnjoyer 9/12/2025
Or just use an open source email client.

I would expect their own apps to be open source, are they not?

balamatom 9/12/2025
Using an email client requires a Proton Bridge thing that acts as a local IMAP/SMTP proxy: https://github.com/ProtonMail/proton-bridge

As if disabling the issue tracker and stonewalling pull requests wasn't bad enough, seeing how it is built out of multiple layers that communicate via gRPC was what made me instantly lose all trust in Proton. I don't know who's been doing their hiring but just from one look at that kludge it's evident they've lost the plot altogether.

(There's a third-party alternative called Hydroxide, but it's experimental. Haven't been able to send emails through it from Thunderbird yet, though I've only looked into this for a few hours recently.)

j-bos 9/12/2025
Indeed they are: https://github.com/ProtonMail

If you, or someone else, like please audit the repos. Could be cool to see trusted forks of some of the clients.

gruez 9/12/2025
Second paragraph of the article:

>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency

mr90210 9/12/2025
They all are until they get threatened.

Sooner or later we will default to analog means. It's not looking good.

0xbadc0de5 9/12/2025
Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.

That's not to say I feel any sympathy for the target, who by all accounts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.

tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.

Ey7NFZ3P0nzAe 9/13/2025
I'm worried and surprised to see from the many comments here that, contrary to what I'm used to reading here, nobody seems to have dug deeper or looked critically at the evidence. Quite a lot of just ad hominem and insinuations.

This looks like brigading to me. Which is the only way for govs to fight against protonmail: spreading doubt.

Hence I am reinforced to continue being a strong supporter of Proton.
