The Post wants to double down on national security reporting but just laid off the reporter it has INSIDE Russia, which is a rare asset for any newsroom.
New submission. @phrack Congrats @ProtonPrivacy I know @TutaPrivacy will r/t lol.
==Phrack Inc.==
Volume 0x11, Issue 0x49, Phile #0x09 of 0x12
|=------------------------------------------------=|
|=------=[ PHRACK PROPHILE ON ProtonMail ]=-------=|
|=------------------------------------------------=|
|=---------------=[ Phrack Staff ]=---------------=|
|=------------------------------------------------=|
|=---=[ Specs
Name: Proton AG (formerly ProtonMail)
Handle: ProtonMail, Proton
Handle origin: "Proton" from CERN proximity marketing
AKA: "Swiss Privacy Company" (contested)
Country: Switzerland (incorporation) / Global (operations)
Website: https://t.co/DwGgdlR1I0
GitHub: ProtonMail (selectively open source)
Founded: 2013
|=---=[ Background
Proton Mail launched in 2013 riding the Snowden wave, marketing themselves as the "secure email" solution based in privacy-friendly Switzerland. Founded by CERN scientists, they leveraged that academic credibility hard.
Initial crowdfunding raised $550k from privacy advocates who believed the pitch.
The reality check started September 2021 when they logged French climate activist IP addresses for Swiss authorities, contradicting their "no logs" marketing.
They retroactively edited their privacy policy after getting caught. Their defense?
"We never said we don't log IPs under legal orders" - except they literally did in their marketing materials.
|=---=[ Technical Architecture
Client-side encryption using OpenPGP.js - except:
- Webmail serves JavaScript that could be backdoored per-user
- Mobile apps are closed source blobs
- Bridge software for desktop clients: partially open
- No reproducible builds for verification
- Zero-access encryption claim relies on trusting their servers
The "Swiss privacy" angle? Switzerland has mutual legal assistance treaties
(MLATs) with 70+ countries. They're also not EU, meaning no GDPR protection.
Their Zug incorporation is more about taxes than privacy.
|=---=[ Compliance Track Record
2021: Logged French activist IPs, led to arrests
2022: Suspended accounts flagged by Europol without user notification
2023: Confirmed providing recovery emails to authorities
2024: Implemented automated scanning for "illegal content"
2025: Mass suspension of Korean journalists/whistleblowers (June)
2025: Account terminations without explanation (August-September)
Pattern: Claim technical inability to comply, then comply anyway when
pressured. Their transparency reports show thousands of data requests
honored annually.
|=---=[ The Whistleblower Problem
August 15, 2025: Proton disables account used by anonymous source providing
documentation about Korean government surveillance programs.
August 16, 2025: Multiple journalists report suspended accounts after
receiving leaked documents about Ministry of Unification operations.
Proton's response: "Terms of Service violation" with zero specifics. Appeals
process: Kafka-esque bureaucracy requiring government ID to restore
"anonymous" accounts.
The KISA (Korea Internet & Security Agency) connection appears in their
compliance logs but Proton refuses to confirm or deny specific government
requests. Classic transparency theater.
|=---=[ Business Model Reality
"Free" tier: You're the product being sold as "privacy-conscious users"
Paid tiers: $120-360/year for basic functionality
VPN bundle: Separate subscription because synergy is expensive
Drive/Calendar: Half-baked addons to justify price increases
Venture funding: $17M from Charles River Ventures and FONGIT
Translation: Your "privacy company" answers to VCs who need ROI.
Marketing budget dwarfs security audits 10:1.
They spend more on YouTube sponsorships than on reproducible build infrastructure.
|=---=[ Security Theater Examples
"End-to-end encrypted": Only between Proton users. External email? Plaintext.
"Zero-access encryption": They generate and store your private keys.
"Anonymous signup": Requires SMS or payment verification.
"Onion site": Serves the same backdoorable JavaScript.
"Open source": Core components only, apps remain closed.
PGP implementation quirks that break compatibility with standard clients because "enhanced security" sounds better than vendor lock-in.
|=---=[ Alternative Reality Check
Proton positions itself as the privacy alternative while:
- Operating centralized infrastructure (single point of failure/surveillance)
- Requiring trust in their good intentions
- Actively complying with government requests
- Preventing users from verifying security claims
- Marketing to dissidents while cooperating with their prosecutors
Real alternatives require:
- Self-hosted infrastructure
- Federated protocols
- Client-side encryption with user-controlled keys
- No single entity controlling the service
|=---=[ The 2025 Incident Analysis
The pattern is clear: Proton receives government request, suspends accounts, claims ToS violation, provides no evidence, demands government ID for appeals.
The infrastructure knows who you are (payment info, IP logs under "legal compulsion", device fingerprints) while marketing anonymity.
When confronted, they pivot to legalese about Swiss law requirements while continuing to market themselves as the privacy solution. The cognitive dissonance is profitable.
|=---=[ Bottom Line
Proton Mail is security theater for people who want to feel protected without doing the work. They're a centralized email provider with good marketing and selective compliance with government requests.
Using Proton for sensitive communications is like using a "privacy VPN" that logs everything - technically encrypted, practically surveilled, definitely not what was advertised.
Want actual security? Run your own infrastructure. Can't? Then understand you're trusting someone else's promise, and Proton has repeatedly shown their promises are marketing copy, not operational reality.
The Swiss privacy paradise is a myth.
Proton is just Gmail with better marketing and higher prices.
At least Google is honest about reading your email.
|=---=[ References
- Swiss Federal Act on International Mutual Assistance in Criminal Matters
- Proton Transparency Reports (note the careful wording)
- Case No. 2021/7689 (Paris Court of Appeal)
- MLAT agreements database
- Their own blog posts contradicting their marketing
- Warrant canary: Conspicuously absent
Kill the mythology. Email is fundamentally broken for privacy.
Proton is just monetizing the cope.
|=-------------------------------------------------=|
If you’re heading to #RSAC this year—now’s your chance to snag a free copy of @josephmenn's CULT OF THE DEAD COW. He’ll be giving a talk about the book at @ReversingLabs’ booth 4428 on 4/30 at 2pm, & attendees will receive their free copy (before they run out).
"We have ceded so many of the core operations of our lives and institutions to tech, we must recognise that strong encryption isn’t the enemy of security — it *is* security." - Signal President @mer__edith in @FT on the war on encryption.
https://t.co/yglPVp3FBA
Making sure to post my story about alleged wrongdoing by one oligarch’s company on the platforms owned by the other oligarchs. Free, no-strings signup link in next post. #amazon #ai #antitrust #whistleblower
The problem that I have with the "impose costs" philosophy of cyber defense is that I don't think that our defenses of civilian-run infra are sufficient to withstand any sequence of escalations. Our offense is great, it's the defenses across our society that we need to shore up.
A US judge finds NSO Group liable for exploiting a bug in WhatsApp to spy on 1,400 users and that WhatsApp is entitled to sanctions against NSO (@josephmenn / Washington Post)
https://t.co/uuzSI3Eell
https://t.co/uLZlE8s38e
https://t.co/ZOzeer1FAj
New from me: Inside @CISAgov as Trump prepares to take power.
Employees are worried that he'll end key projects, drive away star talent, and generally weaken the agency's role in protecting the government and the nation from hackers.
My @WIRED story: https://t.co/ztKAQkOaLE
4/ Here's the thing. The tech made by @Cellebrite is widely used by law enforcement for uses many would say are legitimate.
But that doesn't give the company a free pass when its gear is used for repression... or to plant spyware.
By @josephmenn
https://t.co/E4cLnDvGIb
This is everything wrong with this platform and our current era. An "influencer" tweets a completely bogus claim. (There is no way in hell that Biden is giving Ukraine nukes). A US Member of Congress retweets it. Then, a Putin-controlled "media outlet" retweets that. Insane.
Harris (now 74.3M votes) just surpassed Trump ’20 (74.2M) to become the third-highest U.S. presidential vote-getter of all time.
Biden ’20 (81.3M) still easily the most votes ever, w/ Trump ’24 (currently 76.8M) easily second-highest.
🚨🚨🚨Washington Post exclusive: "As Gaza’s hunger crisis worsens, organized gangs are stealing much of the aid Israel allows into the enclave, operating freely in areas controlled by the Israeli military"
https://t.co/GChFAum5BF
Two aid trucks entered the starvation zone in northern Gaza for the first time in a month and a half, reaching a school-turned-shelter. Israeli soldiers prevented Gazans from reaching the food then set the shelter on fire, burning the aid down with it.
https://t.co/Hvr4JBMHdg