
Proton Mail suspended journalist accounts at request of cybersecurity agency

371 points | lehi | 5 months ago | theintercept.com

210 comments


fivefives55555|5 months ago

I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral.

It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account, and only did so after this got attention on X/Twitter.

So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.

eek2121|5 months ago

Proton does not require a shred of proof that you are a real human being either, fyi. I'm not actually attacking them for this specifically, because I feel that we need privacy focused tools, however the fact that I was able to create a few hundred proton email addresses in seconds by injecting usernames/passwords was scary, even to me. I'm surprised they aren't on spam block lists worldwide. Their captcha is child's play that a script can defeat with simple image examination. I encourage them to buff up their spam controls, just a bit, and decrease moderation by a lot unless they can promptly deal with cases such as this.

overfeed|5 months ago

I'll go out on a limb and say it: it's an American cybersecurity agency. Proton's CEO/Proton[1] loves the current US admin. I wouldn't be surprised if they comply now and ask questions later, if at all.

1. According to the now-deleted Reddit comment from the official Proton account glazing Republicans, so I assume they were speaking on behalf of all of Proton. https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru.... I have zero evidence except for the CEO's questionable public statements, but I wouldn't be surprised if Proton turned out to be the 21st century Crypto AG.

a0123|5 months ago

Which the reddit fanatics on their sub are bending over backwards to defend and explain away when there is no two ways about it tbh.

baxtr|5 months ago

On a positive note: having reach on social media can solve problems nowadays.

j-bos|5 months ago

> Phrack reached out to Proton in private multiple times, and Proton ghosted them.

According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356

They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."

johnklos|5 months ago

The true value of a company can be measured by our ability to communicate with them. If we can't communicate except after public outrage, then what does that say about the company?

Here's a genuine question: is Proton Mail the least shitty of companies that provide email services?

I self-host email and will continue until I die. But for others who need a company to do this for them, is Proton Mail the least shitty of options? Does this change the evaluation? I'm genuinely curious about the opinion of others here.

crossroadsguy|5 months ago

To answer your question, from my limited experience: no.

There are better or less shitty companies like Fastmail, Runbox (tried them), even Purelymail (but a 1 or 2 person setup), Mailbox (shitty support, solid setup; I am a customer), Migadu (good name, I have never used them), there's Tuta (but somehow they seem off to me; like Proton they also do not allow IMAP/POP - Proton allows it with some circus), MXRoute has a good name at places like the LET forum. There's even Zoho if you just want a mail service (but then if you use Zoho the only reason to not use Google or MSFT will be cost or just the middle finger :D) … and many more.

So there are options.

PS: as for self-hosting email - I can't self-host my seedbox properly on a VPS, I don't think I should even try email :)

traceroute66|5 months ago

> The true value of a company can be measured by our ability to communicate with them.

True, but sadly too many people don't care.

Look at how many people will happily throw $$$ per month at Claude when it is basically absolutely impossible to contact a human being at Anthropic.

> is Proton Mail the least shitty of companies that provide email services?

Tutanota could be worth a look.

gond|5 months ago

I self-hosted for 20 years, worked flawlessly, gave up because of security concerns. I would like to go back to it.

Question: How do you manage the security on such a box? Is there any simplification I missed?

I couldn’t keep up with it. So many patches, unrelated to mail, broke something in the stack, bringing the server into a critical state. Often, I had to lock down everything before going up again, consuming a day’s effort or two. These were two days without mail.

jegp|5 months ago

What's your stack? After reading this, self hosting suddenly appeals to me.

dbpcut|5 months ago

[deleted]

chatmasta|5 months ago

Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time. If I can’t rely on my email / messaging / phone / communications provider to keep an open line for as long as I need it – whether that’s one year or two years or twenty years, then I’m not going to use it. And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.

Proton had a great thing going where their VPN service and business service funded the cost of maintaining free accounts. The fact that they chose to destroy years of trust by announcing a deletion policy, indicated to me that they no longer care about their users more than they care about running a business.

I’m not even asking for something unreasonable. It’d be one thing if they didn’t want to maintain free accounts with no activity but hundreds of gigabytes of storage. But they haven’t stratified the limit by storage usage. If you’ve got a free account consuming a few megabytes of storage, maybe an email you set up for the government service you interact with every few years… well you better make sure you remember to do the arbitrary chore of logging into that account every year, or Proton will just delete it, no questions asked.

Maybe they’ll send you some reminders if you gave them a “recovery” email, but that defeats the point of signing up to a privacy-preserving email service and calls into question the premise that they even are one.

(In related news, I need to text myself on Google Voice every few months or they’re gonna delete the number I use for 2FA on critical services… and this is an account that has $4 of credit loaded into it from ten years ago…)

neobrain|5 months ago

> Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time.

... for free accounts only, after 12-24 months of not having logged in at all.

> And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.

They allow you to physically send in cash.

> I’m not even asking for something unreasonable

I don't disagree in principle, but the way you're asking for these things does in fact make you come across as an unreasonable customer.

southernplaces7|5 months ago

I've had multiple proton accounts and can vouch for (pure anecdote of course) two of those working fine despite me forgetting to use them completely for at least four years. So not sure how true what you say is. These are both free accounts btw.

The amount of hate that Proton gets here for the above still ambiguous situation (and in many other comment threads) is bizarre and oddly hive-minded. The company is far from perfect but compared to the overtly parasitical openly done deep scanning of your email content and utter disregard for any responsiveness to user complaints from any major American tech company's email service, Proton is positively saintly by comparison. I'd suggest growing and regularly watering a bit of perspective.

EDIT: I see a number of comments about Proton's "jankiness" and service unreliability here too. I haven't experienced any of that either on desktop or mobile.

l___l|5 months ago

I built one that doesn't delete accounts and plan to accept payments in CryptoNote. If anyone wants to try it ping me.

illiac786|5 months ago

Who is at the top spot now?

mightysashiman|5 months ago

If you don't pay, you are not a customer. They are doing you a favour. Don't be a beggar.

0-_-0|5 months ago

Proton's response copied from a Reddit thread:

Hi everyone,

No, Proton did not knowingly block journalists’ email accounts. Our support for journalists and those working in the public interest has been demonstrated time and again through actions, not just words.

In this case, we were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.

Because of our zero-access architecture, we cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.

Our team has reviewed these cases individually to determine if any can be restored. We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.

Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.

The situation has unfortunately been blown out of proportion without giving us a fair chance to respond to the initial outreach.

Thank you for your understanding, The Proton Team

BoredPositron|5 months ago

This makes the situation even worse for me. CERTs lack any legal authority to compel action or enforce compliance. Without a thorough and fast post mortem analysis, this incident is deeply concerning for anyone who relies on Proton as their primary email provider. I guess getting trigger happy just comes as soon as you get a bigger user base but that's exactly when you get caught slipping. Like they did with the false positives it honestly reads like:

"We have good relationships and trust this CERT so we carpet bombed all accounts they send us without even looking at them."

I wonder what would have happened to accounts or users without the reach on socials.

IshKebab|5 months ago

I don't follow. They can't tell if their terms of service have been violated so they took CERT's word for it? How did they decide to restore two accounts then?

nsagent|5 months ago

I've been a paying subscriber to Proton since 2018, but I recently canceled my subscription (which ends in November). I just got fed up with the constant bugginess and jankiness of their offerings.

Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).

Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.

0xbadcafebee|5 months ago

Fastmail is fine. It's somewhat limited in its UX, but technically speaking, everything works, and it's snappy. Very few outages. I really like their integrations with calendars, contacts, and mail for 3rd party sites/services. Not a ton of features or deals re: custom domains or multiple users, but it's fine if it's just for yourself. EDIT: They literally -JUST- turned on Offline support for their app and web interface, so my only real complaint is gone. Go with Fastmail.

For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).

aryonoco|5 months ago

I moved from Proton to Fastmail (and Mullvad for VPN).

I was a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half baked password manager being one).

Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.

And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.

My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.

idle_zealot|5 months ago

I'm using Fastmail and Mullvad. Both seem to work pretty well and are reasonably priced. You could also host your own on VPSs if you're feeling adventurous.

const_cast|5 months ago

My experience is the apps are missing very fundamental features. Which would be fine... If you could use other clients. But you can't, except for email, kind of.

Like, the calendar on mobile doesn't even have a search function. What if I want to know when an event is happening? I just have to scroll and scroll until I find it? Come on now. Also no storage backup in proton drive??? What??? That's, like, 90% of the purpose of proton drive!

esseph|5 months ago

> constant bugginess and jankiness of their offerings

This is something I had not heard (also have been a paying user for a very long time).

I've never encountered a bug, to my knowledge. I did dislike that when they released photo storage they didn't have a proper search feature.

calvinmorrison|5 months ago

Fastmail is a good product with technical chops, contributes to open source and cares generally about being good members of the international email space, standards etc.

Fastmail's interface is very plain, and it works very fast and works well.

They support a plethora of ways to do mail and have many advanced users so their mail support is very good, maybe close to running your own mail server without having to deal with RBLs and getting spamlisted.

Modified3019|5 months ago

I moved to Fastmail a few years ago. No real complaints, and I’d definitely do it all over again.

That said, because I’ve not experienced any failure, I’ve not experienced how well Fastmail handles failure, which is the real measure of a company.

cscharenberg|5 months ago

I've been on Zoho for my (and my partner's) email for 4+ years and it has been great. Chose them because there is no per-domain charge, so I have like 12 domains on it.

The configurability is extensive in both web app and ios email app. Service has been fast and stable. They rarely change anything in the UI (no random tinkering is what I mean) so it is predictable and easy to use.

newscracker|5 months ago

For mail hosting, take a look at Posteo.de (no custom domains though), mailbox.org, runbox.com, mailfence, migadu, and cranemail. All these are cheaper and a lot more affordable than something like Fastmail. All of them support IMAP, using which you can move your email elsewhere (or easily backup/have local copies).

crossroadsguy|5 months ago

I am a Fastmail customer. Absolutely horrible customer support but pretty solid email. Do not even think about using the "suit" they offer alongside email.

The rebranding and "revamp" is limited to the logo and colour changes :D everything under the hood is still the same good old OX inferiority. Hell, you may never want to use their webmail either (my 99.9999% mail usage is via IMAP clients). They are fine other than that.

Fastmail is pretty good if their price and offerings are not an overkill for you. You should check Runbox as well - really good.

Simple Login alt: addy.io? Fastmail and Mailbox (auto-deletes in 30 days unless you "touch" it :D) also have disposable email as part of email offerings. Don't know about Runbox.

8cvor6j844qw_d6|5 months ago

Similar case, I recently migrated from @mozmail to SimpleLogin and wondered if I made the right choice.

I heard using your own domains solves the migration issue but that makes your email pretty identifiable just by looking at your domain.

I wonder what's a suitable replacement candidate after Mozmail and Simple Login? One of the reasons I migrated away from Mozmail to Simple Login was that you can't initiate an email sending, which made it difficult to contact support if needed. Plus Mozmail is on Amazon SES.

citizenpaul|5 months ago

Fastmail has an open source API they call JMAP. You could probably find or write something that could help convert to the fastmail masked email. I was able to set up an integration with a local llm to read my email and act on it in about an hour.

I like fastmail they seem to have a move slow and don't break things mentality that I like from my email.

DanOpcode|5 months ago

I recently moved from Gmail to Migadu and started to use my own domain instead. Works great so far.

2cents5ewe27366|5 months ago

I've been happy with Startmail, good customer service, they don't offer any of the non-email cloud services though.

mulmen|5 months ago

I use Fastmail and I’m mostly happy with it. Their design team is thoughtless so their web and mobile offerings are disappointing. The mail hosting itself seems to be excellent though.

gruez|5 months ago

Can proton even win here? The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals.

autoexec|5 months ago

> The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals

I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).

It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.

vorpalhex|5 months ago

Yes.

Most CERT requests are valid and good and should be obliged, but there should be a manual check involved.

Especially when an appeal is filed. Especially when the content is obviously security reporting.

Both extremes are wrong - don't ignore CERTs and don't mindlessly oblige them. Find one of the many reasonable middlegrounds.

a0123|5 months ago

No.

They currently do cooperate and they go get the odd bad press about this.

So doing what they actually claim to do would change nothing. Their current stance is just a cop out.

antonymoose|5 months ago

PSA: Proton deletes “unused” accounts after one year, and defines unused in some opaque sense where receiving but not sending emails is “unused”, so I’m in a nasty position of my iCloud account being unrecoverable. Going to have to spend nontrivial time off-boarding my account.

coppsilgold|5 months ago

> defines unused in some opaque sense where receiving but not sending emails is “unused”

"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."

<https://proton.me/support/inactive-accounts>

nicce|5 months ago

Do they still use that old shady billing? You could get "credits" from coupon to upgrade your plan, and once it ends, it automatically subscribes and your account bill goes to negative. Unless you pay that, your account is locked. Happened to me some long time ago and haven't used Proton since.

NullPrefix|5 months ago

Is this for paid accounts too? If you prepay for 5 years and get lost at sea for 3 years, should you expect your proton to still work?

BrandoElFollito|5 months ago

The silence of proton can only be interpreted to their disadvantage. This is not very smart and will make everyone doubt them.

While I like the idea of a safe and uncompromising service, proton seems less so now.

bigiain|5 months ago

Ladar Levison and Lavabit certainly earned themselves credibility there a dozen years or so back.

Sadly https://lavabit.com/ currently just says "We are not accepting new users at this time. Mail services remain online, while we work on improving our website code. "

rvnx|5 months ago

It is very naive to believe that email providers and VPNs do not have to respect the laws.

If that were the case they would not be approved by any payment providers at all.

On top of that, add the possibility that hosting companies and upstream network peers would shut them down.

Hizonner|5 months ago

And what specific law did you have in mind, exactly?

You do know what law required Proton to act as it did at each step in the story, right? You wouldn't just come up with random non-sequiturs, right?

drnick1|5 months ago

And this is why I host my own email server, even if I am not a journalist investigating governments or anything of the sort. It's a matter of control over my computing.

abnercoimbre|5 months ago

Common folklore is that this is extremely onerous to self-host (and have it work successfully.) How did you go about it?

segmondy|5 months ago

When people show you themselves, believe them. Proton is no longer to be trusted. Use at your own risk.

sitzkrieg|5 months ago

proton always glowed but just straight up bending to unnamed agencies puts em rank and file with every single other provider

lo_zamoyski|5 months ago

Is refusal realistic? It's nice in the abstract, but in practice, there are plenty of ways to coerce illegitimate compliance.

daft_pink|5 months ago

You either die a hero, or you live long enough to see yourself become the villain.

luqtas|5 months ago

not all heroes wear capes, much less release a personal AI assistant to navigate your own data while the MAIL CLIENT AND CALENDAR APP is in beta on Linux for YEARS

IncreasePosts|5 months ago

So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?

drnick1|5 months ago

As far as I can remember, you don't even get IMAP access on the Proton free tier. For me, that's a non-starter. The privacy claims are also mostly marketing, as it is basically impossible to verify what Proton actually does when approached by a three-letter agency. I wouldn't use email anyway if I had something to hide, the email protocol wasn't designed with secrecy of communications in mind. For that, Signal seems far better, or perhaps a self-hosted, encrypted Matrix room.

pagansRpedos|5 months ago

It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.

SilverElfin|5 months ago

I thought Proton was a confidentiality / privacy oriented thing. How do they even know who owns the accounts?

guywithahat|5 months ago

You can disable an account without knowing who owns it, although they do have credit card/payment information now, and I don't think new accounts get encryption services unless they pay.

That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances

gruez|5 months ago

Second paragraph of the article:

>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency

mr90210|5 months ago

They all are until they get threatened.

Sooner or later we will default to analog means. It’s not looking good.

0xbadc0de5|5 months ago

Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.

That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.

tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.

Ey7NFZ3P0nzAe|5 months ago

I'm worried and surprised to see the many comments here that, contrary to what I'm used to reading here, nobody seems to have dug deeper, looked critically at the evidence. Quite a lot of just ad hominem and insinuations.

This looks like brigading to me. Which is the only way for govs to fight against protonmail: spreading doubt.

Hence I am reinforced to continue being a strong supporter of Proton.

shauntest12321|5 months ago

Forward Email fan for the fact they are 100% open source. Easy access to the developers. All others closed source in most regards.

dotnet00|5 months ago

Hmm going to wait and see how this plays out, maybe it's time to look at alternatives, assuming that my custom domain email isn't somehow locked to them.

KingOfCoders|5 months ago

From the Proton/X discussion in the Intercept article

"Big Tech CEOs are tripping over themselves to kiss the ring precisely because Trump represents an unprecedented challenge to their monopolistic dominance.”

They don't know how this is going, from what I see Trump threatens something not to change something, but to get something. If there is any anti-trust drive it's there to shake the tree, not to break up big tech. Trump loves big US corporations, like those in the 50s and 60s, those pre-Bell-breakup.

demarq|5 months ago

Proton does not do anything it says on the tin.

Just a warning

yieldcrv|5 months ago

Proton mail is an exercise in gullibility

Imustaskforhelp|5 months ago

Side note regarding Proton: it seems that people are mentioning the fact that the IP address is being tracked on user creation in Proton Mail?

So if someone downloads proton vpn and uses it that way, then I always considered it to be the best vpn (even better than mullvad) but I guess I was wrong...

I would still use protonvpn but I will try to migrate towards quite frankly more services from now on.. Email should just be a way to discuss what should be your matrix account or xmpp or even signal...

Another thing that I want to point out is that I had once gone into network permissions etc. in proton docs and tried to write a comment and write stuff etc. and I am not sure about the writing stuff, but although these do feel "encrypted", I saw a thing in the api response when I did curl or something which showed logs, so I assumed proton keeps logs.

Another problem I feel is that since proton is only encrypted via your password which you enter into the system and it seems that you can change the password if you have something like phone verification. Fundamentally something like this can only work if they have the keys, so they are having the keys to your encrypted account. I am sure that there are ways of adding your own private key too but how many people using proton are doing that?

Fundamentally, this is how the stack will work or has to work imo. You are trusting them because of lack of conflicts. They have built their name on privacy and so everyone will leave if they are less private, but the thing is, they might be using some open source tech that might have an update that couldn't be audited, or somehow get hacked themselves, and proton might have some juicy targets like journalists. People's lives may be on the cutting edge.

I heard this somewhere that I wish to share: you want technologically private solutions not because you don't trust someone but rather because it should remove the need for trusting in the first place. Proton hasn't / can't reach it imo.

I don't mean any hate towards proton but that was my understanding. I still use it, and in fact please let me know if I caught something wrong or what I am saying is correct. My purpose is not to spread misinformation but rather inform my opinions/correct them if I am wrong. (I may be wrong, I usually am [my most loved line from the book how to win friends and influence people])

I feel as if we need to get things like a pi etc. or whatever, and at least to me hosting something like matrix seems okay-ish, I am not sure. Email just doesn't feel like a good protocol for privacy.
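Two passages in this thread touch the same design question: Proton's statement that its zero-access architecture means it cannot see account content, and the comment above reasoning that a password reset via phone verification must mean the provider holds the keys. The following is an added example, not Proton's code or a description of Proton's actual implementation; it models the generic design such claims usually rest on (an assumption): the mailbox key is wrapped under a password-derived key on the client, and the server stores only the salt and the wrapped blob. The wrap primitive (HMAC-SHA256 keystream plus HMAC tag) is a constructed stand-in for a real AEAD so the block runs with the standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added illustration (assumption: not Proton's code). Models a "zero-access"
# mailbox: the provider stores only a salt and a password-wrapped mailbox key,
# never the password or the key itself. Toy wrap primitive, stdlib only:
# HMAC-SHA256 counter keystream XOR, authenticated by an HMAC tag. Not for
# production; a real service would use a standard AEAD such as AES-GCM.

# scrypt cost kept small so the example runs quickly; production uses far more.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key (KEK). Only the client ever runs this."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream from (key, nonce); a nonce is never reused per key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, mailbox_key: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC the mailbox key under the KEK."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(mailbox_key, _keystream(kek, nonce, len(mailbox_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(kek: bytes, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Verify the tag first; a wrong password yields None, never garbage."""
    expected = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(kek, blob["nonce"], len(blob["ct"]))))


def create_account(password: str) -> Tuple[dict, bytes]:
    """Client side. Returns (record the server stores, mailbox key the client keeps)."""
    mailbox_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "wrapped": wrap_key(derive_kek(password, salt), mailbox_key)}
    return record, mailbox_key


def client_login(record: dict, password: str) -> Optional[bytes]:
    """Client recovers the mailbox key locally; the server never sees the KEK."""
    return unwrap_key(derive_kek(password, record["salt"]), record["wrapped"])


def client_change_password(record: dict, old_pw: str, new_pw: str) -> bool:
    """A password change needs the OLD password: unwrap, then re-wrap under the
    new KEK. The mailbox key itself does not change, so existing mail stays readable."""
    mailbox_key = client_login(record, old_pw)
    if mailbox_key is None:
        return False
    salt = secrets.token_bytes(16)
    record["salt"] = salt
    record["wrapped"] = wrap_key(derive_kek(new_pw, salt), mailbox_key)
    return True


def server_forced_reset(record: dict, new_pw: str) -> bytes:
    """What the provider can do after out-of-band verification (e.g. a phone code)
    WITHOUT the old password: it cannot unwrap the old mailbox key, so it can only
    install a fresh one. Mail encrypted to the old key becomes unreadable unless the
    user kept a separate recovery copy of it (omitted here)."""
    new_mailbox_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    record["salt"] = salt
    record["wrapped"] = wrap_key(derive_kek(new_pw, salt), new_mailbox_key)
    return new_mailbox_key


if __name__ == "__main__":
    rec, key = create_account("correct horse battery staple")
    assert client_login(rec, "correct horse battery staple") == key
    assert client_login(rec, "wrong password") is None
    assert client_change_password(rec, "correct horse battery staple", "new-pass")
    assert client_login(rec, "new-pass") == key            # same mailbox key survives
    reset_key = server_forced_reset(rec, "forced-by-support")
    print("forced reset kept old key:", reset_key == key)  # False: old mail is orphaned
```

The point the example makes is that a provider-side password reset does not by itself prove the provider holds the keys: a server that stores only the wrapped blob can still issue a reset, but only by installing a fresh mailbox key, which orphans every message encrypted to the old one. That trade-off is why designs of this kind pair the password with a user-held recovery secret; whether and how Proton does so is not stated on this page.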