The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Proton Mail unmasked user to Swiss authorities who assisted the FBI
Privacy-focused Proton offers end-to-end encrypted productivity tools, such as Proton Mail and Proton Drive. These tools are similar to Gmail and Google Drive, but the Switzerland-based company markets itself on the security and privacy advantages afforded by Swiss privacy laws, which prevent it from sharing users’ information with foreign law enforcement. But according to 404 Media, Proton provided Swiss authorities with data associated with a previously unidentified activist’s account, and in turn, authorities provided this data to the FBI. Under Swiss law, Proton must comply with valid legal requests from its own government for the data it collects on users, which in this case included the payment information tied to the targeted email address. Through a mutual legal assistance treaty, the Swiss justice department provided the FBI with details about the Atlanta-based activist.
What you can do
- Remember: Proton is not for anonymity. Proton is great for what it does, but it’s simply not made to protect your identity. It makes temporary logs of IP addresses, which may be loosely tied to your location. Swiss authorities have made similar requests for these IP addresses, which led in at least one case to another activist being unmasked. According to its transparency report, Proton Mail received over 9,000 legal requests and complied with about 89% of them in 2025, as it is obligated to do under Swiss law. It may also provide recovery email addresses to authorities. Even if Proton doesn’t give user data to foreign authorities directly, Swiss authorities may compel the company to share any information it collects, and then pass that on to foreign law enforcement actors. There’s nothing wrong with using these services, so long as you understand their limitations. Most people should assume they are identifiable when using Proton.
- End-to-end encrypted email is still email, so it has many limitations. Under the hood, Proton is using PGP, short for Pretty Good Privacy — an encryption suite that can be used to encrypt files and text. When you send a Proton email, what you’re really doing is encrypting the body of the email. But because it’s still a regular old email, the subject line is not encrypted, and the email necessarily comes with some information about who sent it, and when. Emails between Proton and PGP users are end-to-end encrypted, but if you email someone on another service like Gmail, Google can read your email. Compare this to Signal, which is always end-to-end encrypted. Just remember that you really get the most out of Proton if you are using it with other Proton users.
- Read our guide to using Proton Mail. If you want to dive deeper on Proton Mail, my teammate, Harlo Holmes, walks through everything you need to know about using the service as safely as possible. Check it out.
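The point above about encrypted email still being email can be checked directly. The following is an added example (not from FPF or Proton) that parses a constructed PGP-encrypted message and reports which fields any relaying mail server can read without a key. The addresses, subject, the `exposure` function and the PGP/MIME (RFC 3156) layout are assumptions for illustration; Proton's actual message format may differ.

```python
from email import message_from_string

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail server relays it.
# Addresses, subject, date and the armored payload are made up for illustration.
RAW = """\
From: reporter@example.org
To: source@example.net
Date: Mon, 02 Mar 2026 09:00:00 +0000
Subject: Documents for Thursday
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Headers that travel outside the encrypted part.
METADATA = ("From", "To", "Date", "Subject", "Message-ID")

def exposure(raw):
    """Return (cleartext metadata headers, whether the body is PGP-encrypted)."""
    msg = message_from_string(raw)
    visible = {h: msg[h] for h in METADATA if msg[h] is not None}
    if msg.get_content_type() == "multipart/encrypted":
        encrypted = msg.get_param("protocol") == "application/pgp-encrypted"
    else:
        # Inline PGP: the armored block sits inside an ordinary text body.
        body = msg.get_payload(decode=True) or b""
        encrypted = b"-----BEGIN PGP MESSAGE-----" in body
    return visible, encrypted

if __name__ == "__main__":
    visible, encrypted = exposure(RAW)
    print("body encrypted:", encrypted)
    for name, value in visible.items():
        print(f"readable without a key -> {name}: {value}")
```

Running it on the sample reports the body as encrypted while the sender, recipient, date, subject and message ID all remain readable.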
Updates from our team
- Harlo and another colleague, Davis Erin Anderson, are doing an “Ask Us Anything” webinar for Doc NYC on Thursday, March 26, at noon Eastern time. Sign up here and submit your questions.
- For my J-school educators: Do you want to learn more about teaching digital security? We’re putting together a project intended to help journalism school instructors integrate digital security education into their curricula. Please help us understand your interest and availability. Fill out this quick intake survey.
- Web applications run on servers — and servers can get hacked. That’s why FPF’s SecureDrop team made WEBCAT, a tool for web browsers to verify the origin of code before they run it. Help us test out the WEBCAT Firefox extension.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation