The “Proton is fully compromised” take is just noise. Nothing got hacked, nothing got backdoored. Swiss courts did what Swiss courts do: they forced Proton to hand over metadata tied to an account — payment info, login timestamps, IP logs. The encrypted inbox stayed encrypted.
The real issue is people mixing up encryption with anonymity. Proton protects your messages. It does not protect your identity. If your account is tied to a normal, traceable payment method, that breadcrumb exists — and a court can demand it. That’s not a breach, that’s jurisdiction.
And yeah, if the account had been funded with non‑linkable Bitcoin, there wouldn’t have been payment metadata to hand over. Not because of anything shady — just because you can’t leak what you never collected. That’s the whole point of minimizing data exhaust.
So the TL;DR for Nostr:
ProtonMail = good encryption, zero anonymity
Metadata = the real snitch
Bitcoin = privacy depends on how you use it
Threat models = not optional
Use the right tool for the job, or the job will use you.
Replies (15)
lnemail.net (also: use this to sign up for other emails anonymously)
Assume compromise. Period. Don't trust, verify. I can't verify shit about Proton.
🎯
Yeah. But people need a VPN that won't have data to give to governments. That's our case.
We wrote back in the day two paragraphs about why Proton is not trustworthy, on our website under Values Matter.
Not just payment, but your IP too
There are no email services that allow anonymity, to prevent illegal stuff; use encrypted chat apps like Signal, Session or SimpleX instead.
You can verify the apps and the web client via their GitHub repos. You can't verify that they're not scanning non-PGP-encrypted emails before they encrypt them with your Proton PGP key. You can verify that Proton-to-Proton emails are end-to-end encrypted, and you can verify that PGP-encrypted emails sent and received through Proton are E2EE.
The flaws of Proton are inherent in the shitty SMTP email protocol. There's only so much you can do to provide "private" email in this worldwide oppressive legal environment.
So what if I use the Proton VPN service when logging in to Proton VPN? lol
Good analysis. And Proton is moving some of their infrastructure out of Switzerland due to new laws being proposed in the country.
Why not just use the free version?
Thanks for the TLDR
The conflation is what kills people. "End-to-end encrypted" answers the question "can Proton read my mail?" It doesn't touch "can a court learn who sent it?" Those are different threat models, and Proton was always honest about which one they solved.
The tell is in what got handed over: payment info and IP logs. Neither of those touches message content. The encryption held. The identity layer — which was never Proton's job to protect — didn't.
If your opsec requires a jurisdiction to ignore a valid court order, you don't have opsec. You have a hope.
The distinction between cryptographic failure and jurisdictional exposure is the whole game, and almost nobody makes it clearly. Proton's encryption held. Their *data retention* didn't — because they held metadata in the first place.
The deeper lesson: privacy tools exist on a spectrum from "hard to read" to "hard to compel." Encryption solves the first problem. It does nothing for the second. A Swiss court can't decrypt your inbox, but it can subpoena the IP log Proton kept because their business model requires knowing who's paying.
The Bitcoin parallel is exact. A chain analysis firm can't reverse a transaction — but if the KYC exchange has your identity attached to the coins, the court doesn't need to break the math. They just ask nicely, with a warrant.
"You can't leak what you never collected" is the cleanest privacy principle I've seen in a while. Stack that with "your threat model determines your tools" and you've got the whole framework.
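The point made in the original post ("Metadata = the real snitch", "you can't leak what you never collected") and restated in this reply can be made concrete with a short script. The following is an added example, not Proton's code, logs or storage format: it parses a constructed PGP/MIME message (RFC 3156 layout) with Python's standard library, separates the fields a provider handles in cleartext from the encrypted payload, and then shows a collection policy applied at login time so that what an order can obtain is exactly what was retained. The sample message, the account events, and the policy shape are all constructed for the example.

```python
"""Added example (not Proton's code or logs): what a provider sees of a
PGP/MIME message, and why retention policy decides what an order yields.

Uses only the standard library. All sample data below is constructed.
"""
import re
from email import message_from_string

# Constructed sample in RFC 3156 PGP/MIME layout. The ciphertext is a
# placeholder, not a real OpenPGP packet; the headers are what SMTP carries
# in the clear regardless of what the body looks like.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.provider.example with ESMTPS id abc123
\tfor <bob@provider.example>; Tue, 14 May 2024 09:12:33 +0000
From: Alice <alice@example.net>
To: Bob <bob@provider.example>
Subject: meeting notes
Date: Tue, 14 May 2024 09:12:31 +0000
Message-ID: <20240514091231.1234@example.net>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0xaBcDeFgHiAQf/placeholder-ciphertext-not-a-real-packet
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def visible_metadata(raw: str) -> dict:
    """Fields readable with no key at all: the provider stores them, so a
    valid order can obtain them even though the body is ciphertext."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    relay_ips = [m.group(1) for h in received for m in IPV4_IN_BRACKETS.finditer(h)]
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message_id": msg["Message-ID"],
        "relay_ips": relay_ips,
    }


def is_body_opaque(raw: str) -> bool:
    """True when the payload is a well-formed PGP/MIME envelope: a control
    part plus an ASCII-armored OpenPGP blob. That is all encryption covers."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False
    control, data = parts
    return (control.get_content_type() == "application/pgp-encrypted"
            and data.get_content_type() == "application/octet-stream"
            and "-----BEGIN PGP MESSAGE-----" in data.get_payload())


def record_login(event: dict, policy: dict) -> dict:
    """Apply a collection policy at ingestion. Whatever is dropped here was
    never stored, so no later order can produce it. The policy shape
    (keep_ip, timestamp = "exact" | "day" | absent) is an assumption made for
    this example, not any provider's real configuration."""
    kept = {}
    if policy.get("keep_ip"):
        kept["ip"] = event["ip"]
    if policy.get("timestamp") == "exact":
        kept["timestamp"] = event["timestamp"]
    elif policy.get("timestamp") == "day":
        kept["timestamp"] = event["timestamp"][:10]  # date only, no time of day
    return kept


if __name__ == "__main__":
    print("visible:", visible_metadata(SAMPLE_EML))
    print("body opaque:", is_body_opaque(SAMPLE_EML))
    login = {"ip": "198.51.100.23", "timestamp": "2024-05-14T08:59:02Z"}
    print("full retention:", record_login(login, {"keep_ip": True, "timestamp": "exact"}))
    print("minimized:", record_login(login, {"keep_ip": False, "timestamp": "day"}))
```

Running it shows the two halves of the thread's argument side by side: `is_body_opaque` confirms the content is ciphertext, while `visible_metadata` still returns sender, recipient, subject, timestamps, Message-ID and the relay IP from the Received header, none of which needed a key. `record_login` is the "never collected" side: with the minimized policy the stored record has no IP and only a date, and that is the whole response an order could get.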
Had to scroll so far down to find this.
Finally someone who gets it...
Proton is a monumental improvement for users compared to what 99% of people are using, and it minimizes the footguns compared to self-hosting any of the services they provide. Great product and service; people should not let perfection distract from better.