this post was submitted on 12 Mar 2026
862 points (91.6% liked)

Privacy

A community for Lemmy users interested in privacy

[–] UnfortunateShort@lemmy.world 225 points 1 week ago* (last edited 1 week ago) (4 children)

Don't hate the player. You can't send mail with E2E encrypted headers and you can't leave payment data and expect Proton to violate regulations and delete it.

Signal has to deal with neither of these issues.

[–] OhNoMoreLemmy@lemmy.ml 9 points 1 week ago* (last edited 1 week ago) (4 children)

Proton can do what it likes when it comes to messages being sent between different Proton accounts. Use of metadata-rich protocols like standard email, instead of, e.g., the Signal protocol, is absolutely something they can be blamed for.

As is choosing to operate from a jurisdiction that can compel them to collect IP addresses.

[–] artyom@piefed.social 43 points 1 week ago* (last edited 1 week ago) (6 children)

Use of metadata-rich protocols like standard email, instead of, e.g., the Signal protocol

Brother... it's an email product though... if you can use Signal, use Signal. But it's a different product entirely.

When my bank sends me verification info and banking statements over Signal I'll be elated. Until then, we unfortunately have to continue dealing with email.

As is choosing to operate from a jurisdiction that can compel them to collect IP addresses.

There is no such requirement. They collect them necessarily in order to function.

[–] UnfortunateShort@lemmy.world 14 points 1 week ago (1 children)

They are a Mail provider. You can't blame a mail provider for providing a mail service.

You are basically asking for them to make it seem like you send mail, but in reality you send the message via some other protocol when it's sent to Proton users. At that point you might as well not send mail at all.

As for their jurisdiction: The data protection laws changed after they were founded. They are also lobbying against them and have in fact threatened to stop investing in or even leave Switzerland.

[–] FundMECFS@piefed.zip 7 points 1 week ago (1 children)

The annoying part is them marketing themselves as operating from a Swiss "privacy haven" when Swiss privacy laws aren't that good and the parliament is actively destroying them as we speak.

[–] sapetoku@sh.itjust.works 8 points 1 week ago (1 children)

The FBI had the payment data and served Proton with a subpoena, they had no choice but to tell which account it was for. The data is still encrypted, though.

[–] VitoRobles@lemmy.today 26 points 1 week ago (3 children)

The FBI did not serve the subpoena directly to Proton Mail.

"We want to first clarify that Proton did not provide any information to the FBI, the information was obtained from the Swiss justice department via MLAT," said Proton AG's head of communications, Edward Shone. "Proton only provides the limited information that we have when issued with a legally binding order from Swiss authorities, which can only happen after all Swiss legal checks are passed. This is an important distinction because Proton operates exclusively under Swiss law."

https://www.msn.com/en-us/travel/news/privacy-focused-proton-mail-handed-protester-data-to-police/ar-AA1XH3R5

[–] XLE@piefed.social 5 points 1 week ago (1 children)

Meanwhile, on Proton's homepage:

Highest standards of privacy

Proton is incorporated and headquartered in Switzerland, meaning your data is protected by some of the world's strictest privacy laws.

The standard for email privacy

From newsrooms, activists, and international organizations to academics, Nobel Prize winners, and movie characters, Proton Mail is the trusted choice for secure and private communication.

[–] Nugscree@lemmy.world 108 points 1 week ago (15 children)

That is exactly what they did, the user used a credit card with their damn name on it, while Proton even allows you to send them cash money for the service.

The FBI filed an MLAT (Mutual Legal Assistance Treaty) request, which was processed by the Swiss Federal Department of Justice and Police.

The Swiss gave a legally binding order to Proton to hand over the information that they had; the only information that was handed over was the payment identifier.

I don't get why people get hung up on a company complying with a legal order by their justice system, especially with Proton that could not hand over any more information.

[–] Ghostie@lemmy.zip 7 points 1 week ago* (last edited 1 week ago)

Same. It's not like these companies can just say no to legal orders within the bounds of their laws. Even solo FOSS devs with their fledgling privacy-centric messenger apps would have to comply with their country's laws. I also think a fair number of users that get outraged over it aren't big on actually reading the privacy policies for the services they use. IMO Proton didn't do anything surprising here if one reads that policy.

[–] bonenode@piefed.social 77 points 1 week ago (4 children)

One is a messenger, the other is using the e-mail protocols; aren't there differences in how the metadata can be encrypted between those two? Just wondering if this is a fair comparison.

[–] sveltecider@lemmy.ca 49 points 1 week ago (13 children)

…email will inherently be a lot less secure than messaging, no matter what you do.

If you truly want to be private about something, don’t email it lol

[–] elephantium@lemmy.world 16 points 1 week ago (1 children)

no matter what you do.

Even PGP?

...TBF, getting your counterparty to also use PGP is the heavy lift there.

[–] TechLich@lemmy.world 12 points 1 week ago (1 children)

Security yes, privacy not especially.

PGP lets you encrypt the messages and sign them to digitally prove you sent them.

It doesn't help with the problem here which is that the metadata of who you are (the IP used to log into the webmail and the email address of the sender) and who you're talking to (the email of the recipient) and when (timestamps etc.) were able to be leaked.

In fact, depending on the implementation, PGP could be considered slightly worse for privacy because you'd have the added identity proof of the message having a signature that only you could create with your private key (although that's encrypted, it's a stronger identity proof than the sender email address). It also generally leaks the recipients' key IDs too (although that's configurable). PGP is great for accountability, message confidentiality and non-repudiation. Not so much for privacy. For that you'd need other systems.
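An added example (not from the thread or from any PGP project) that shows the key-ID leak described in the comment above: it parses the Public-Key Encrypted Session Key packets that sit in front of an OpenPGP message, where each recipient's key ID is stored in cleartext, and recognises the all-zero "wildcard" key ID that GnuPG's --throw-keyids / --hidden-recipient options write instead. The packets it parses are constructed in the block, not real ciphertext.

```python
# Added example (not from the thread): minimal parser for the OpenPGP
# Public-Key Encrypted Session Key (PKESK) packet, RFC 4880 section 5.1.
# Each recipient gets one PKESK packet in front of the ciphertext, and the
# recipient key ID inside it is NOT encrypted, so anyone holding the message
# learns which keys can read it. The "hidden recipient" option (GnuPG
# --throw-keyids / --hidden-recipient) replaces the key ID with all zeros.
import struct

PKESK_TAG = 1
WILDCARD_KEY_ID = b"\x00" * 8  # RFC 4880 5.1: all-zero key ID = speculative

def parse_packet_header(data: bytes, offset: int = 0):
    """Return (tag, body_start, body_len) for a new- or old-format header."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            return tag, offset + 2, first
        if first < 224:
            return tag, offset + 3, ((first - 192) << 8) + data[offset + 2] + 192
        if first == 255:
            return tag, offset + 6, struct.unpack(">I", data[offset + 2:offset + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F  # old-format header (RFC 4880 4.2.1)
    size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
    if size is None:
        raise ValueError("indeterminate length not supported")
    return tag, offset + 1 + size, int.from_bytes(data[offset + 1:offset + 1 + size], "big")

def pkesk_recipients(message: bytes):
    """List the key IDs visible in the PKESK packets that precede the body."""
    found, offset = [], 0
    while offset < len(message):
        tag, start, length = parse_packet_header(message, offset)
        if tag != PKESK_TAG:
            break  # reached the encrypted data packet; nothing more to learn here
        body = message[start:start + length]
        key_id = body[1:9]  # byte 0 is the version (3), byte 9 the pubkey algorithm
        found.append({"version": body[0], "key_id": key_id.hex().upper(),
                      "algo": body[9], "hidden": key_id == WILDCARD_KEY_ID})
        offset = start + length
    return found

def build_pkesk(key_id: bytes, algo: int = 1, enc_session_key: bytes = b"\x00\x08\x9a"):
    """Construct a v3 PKESK packet. The encrypted session-key MPI is a dummy
    constructed value; a real one would be the RSA/ElGamal ciphertext."""
    body = b"\x03" + key_id + bytes([algo]) + enc_session_key
    return bytes([0xC0 | PKESK_TAG, len(body)]) + body
```

Running pkesk_recipients over a message built from one normal and one hidden-recipient packet shows the first key ID in the clear and the second reported as hidden.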

[–] Avicenna@programming.dev 8 points 1 week ago

People like Jeffrey Epstein running one of the biggest blackmail networks on the planet and at the same time blatantly emailing each other about it from Gmail really amazes me. Either they are that stupid or powerful enough that they just don't care.

[–] VitoRobles@lemmy.today 38 points 1 week ago (6 children)

I don't like Proton after the CEO posted the pro-Trump statement and did not use them after that.

It's really weird how people are blaming Protonmail when it was the Swiss government that complied with the FBI. That to me is really suspicious. The US government is currently not a trusted source of accuracy, and for the Swiss to readily agree to it?

Worse, the chuds blaming the proton user?

Protonmail is used by a lot of reporters/whistleblowers. At what point is their work also a threat to the US government, and will the Swiss force Protonmail to hand that over too?

[–] Tiresia@slrpnk.net 12 points 1 week ago (4 children)

Switzerland has been a proud fascist collaborator for at least a hundred years. Why wouldn't they cooperate with the US?

[–] SuspiciousFlop8964@sh.itjust.works 32 points 1 week ago* (last edited 1 week ago) (2 children)

Service A is compelled to hand over all the data it has on a user

They comply

Service B is compelled to hand over all the data it has on a user

They comply

"And that's how it's done!"

[–] bss03@infosec.pub 9 points 1 week ago

Proton has the disadvantage of having to work with other email services as well, so there's protocol limitations. When mailing from one Proton mailbox to another, they do intentionally avoid SMTP for this reason, but Signal has the advantage of "owning" the whole protocol, too.

I imagine if you donate with a CC to Signal, they might also be forced to turn that over. The weakness is not in Signal or Proton, but in the Visa/Mastercard duopoly and CC processing in general. Cryptocurrency has some advantages here, but they are outweighed by the abuse, fraud, speculation, and general dishonesty (and just general failure to be good currencies for "normal" purchases).

[–] blujan@sopuli.xyz 7 points 1 week ago

The criticism is that better privacy can be achieved by not saving data. It is a good criticism, but I don't know how legit it is because I don't know if credit card payments can be processed without saving the data (I would assume yes, if tokenized).

[–] ReluctantlyZen@ani.social 32 points 1 week ago* (last edited 1 week ago) (5 children)

This comparison makes no sense.

Signal doesn't have payment data. It's not a paid service. Proton is a paid subscription service and that payment data needs to be accessible in order to charge the user and they're not a payment processor.

[–] leadore@lemmy.world 14 points 1 week ago (3 children)

The fact that it's a paid service doesn't mean they have to keep your PID and payment info on file. I use posteo.de for my email, which is a paid service. But my payment info is only used during the payment process and they don't keep it on file once they receive the payment. You buy like 12 or 20 months and have that many credits. When it starts to get low, you buy some more.

[–] LordOfLocksley@lemmy.world 28 points 1 week ago (2 children)

God, I wish more people used Signal

[–] paequ2@lemmy.today 8 points 1 week ago* (last edited 1 week ago) (2 children)

I've been using Signal more to test if I can recommend it to other people... it's mostly like WhatsApp, which is good...

Except, can we please disable all of those god damn popups. Everyday: "Hey! Verify your pin!", "Hey! Verify your LONG ASS recovery key!", "Hey, plz donate!", "HEY! I couldn't start a backup", "HEY LOOK AT ME!"

[–] white_nrdy@programming.dev 7 points 1 week ago (5 children)
  • I have never been asked to verify my recovery key.
  • It asks to verify pin once a month. Which I think is fair, since it can help you recover from a lockout / transfer your device.
  • backups are important, but they can also be disabled
  • Donating to open source projects is important, as it's a large portion of their funding.
[–] ThePowerOfGeek@lemmy.world 6 points 1 week ago (4 children)

One problem with Signal is that it can be difficult to connect with someone who is on there.

I've run into this a couple of times myself. And I've had friends run into it too. We know for a fact someone is using Signal, but you can't find them in the search, even though you have them in your contacts with the correctly formatted number.

Personally, this issue has become a stumbling block for getting people I know to use it more.

[–] TheFool@discuss.tchncs.de 28 points 1 week ago (6 children)

Proton was legally forced to record IPs for this account (as per the linked article). Theoretically that could happen to Signal just as well if the laws allow it in their jurisdiction. There was nothing in the article about message content or metadata being handed over to authorities.

As far as I know, in France you can't have an anonymous phone number, so technically using TOR and Proton Mail you can achieve a higher level of privacy than with Signal.

[–] 87Six@lemmy.zip 11 points 1 week ago (1 children)

Huh wait does using Tor actually help with mail privacy in any way? I know Tor hides pretty much as much as can be hidden about the user, but for mailing, don't you need to give out your personal details to sign up regardless?

[–] TheFool@discuss.tchncs.de 18 points 1 week ago (1 children)

Not generally but since in this case they had to record and hand over the IPs used to access the Proton Mail account, if he had used TOR they couldn’t have handed over anything useful

[–] 87Six@lemmy.zip 5 points 1 week ago
[–] Ghostie@lemmy.zip 23 points 1 week ago* (last edited 1 week ago) (1 children)

Just saw someone claim Signal was a honeypot the other day, no sources of course. Then this info comes out.

[–] white_nrdy@programming.dev 16 points 1 week ago (4 children)

I hate this sentiment. I was part of a bachelor party, and we had a group chat going. Had Android/iPhone users, so it was just a MMS chat. I suggested we use signal, and one of the iPhone users goes on a rant

"I'm not gonna use Signal. It's just a honeypot for the CIA. Why else would they fund it if they didn't get any value out of it? It's obviously a honeypot."

[–] Cort@lemmy.world 10 points 1 week ago (1 children)

I'm not gonna use Signal. It's just a honeypot for the CIA.

No you're thinking of telegram.

[–] white_nrdy@programming.dev 8 points 1 week ago

So there is actually disinfo about it being funded by the CIA. I had heard it was, and tbh didn't care too much. I figured they funded it because they used it and got value. It's well audited so I trust it. Only learned it's disinfo when I looked for a source to include in my original reply

https://euvsdisinfo.eu/report/us-intelligences-services-control-the-signal-app/

[–] Ghostie@lemmy.zip 5 points 1 week ago* (last edited 1 week ago)

It is goofy for sure. Nobody that claims it is one ever supplies proof beyond “trust me, bro” or they get screechy and hostile when you ask for sources.

[–] RAFAELRAMIREZ@lemmy.world 22 points 1 week ago

When a service can only hand over a timestamp, that’s when you know the encryption is doing its job. 🔐

[–] JoshuaFalken@lemmy.world 21 points 1 week ago

On one side you have free software, on the other you have a paid service. If you pay for that service with a credit card, of course they'll have your name.

This is like comparing walking across town to hiring an Uber and being annoyed the Uber keeps a record of the transaction.

[–] notabot@piefed.social 15 points 1 week ago (3 children)

This is why it's always struck me as unreasonable for Proton to claim they care about user privacy. If they did, they wouldn't provide an email service, as it is inherently impossible to adequately protect the metadata if it is sent to a different mail server. A better approach would be for them to explain why you can have email or privacy, but not both, and to point people to a separate service if they insist on email, so it is decoupled from any of their other services. Accepting payment through a means that isn't tied to your personal identity would be a good step too.

[–] JoshuaFalken@lemmy.world 26 points 1 week ago (2 children)

Accepting payment through a means that isn't tied to your personal identity would be a good step too.

They do accept bitcoin, and if that's not private enough, they also let you mail them cash in an envelope.

[–] frongt@lemmy.zip 6 points 1 week ago (4 children)

Mailing cash is probably less private. Your mail is postmarked, and can be tracked. The serial numbers on the bills can be tracked too. Not to mention the envelope itself, fingerprints, possible DNA in the saliva when you licked it to seal it, your handwriting or printing to address it, how unique the stamp is...

[–] testaccount372920@piefed.zip 13 points 1 week ago (1 children)

Only if all that information is collected and stored. Digital finance systems tend to track every transaction and keep a record of them (because of legal requirements among other reasons). With cash in an envelope a government can't check all the info you suggested a year after the payment has happened, perhaps not even after a few days.

[–] JoshuaFalken@lemmy.world 5 points 1 week ago

Sorry frongt, but I think you're wrongt, haha. I don't think mailing cash is less private than other methods.

If anyone was concerned enough to the point they were sending cash, they might also take precaution to send coins instead of notes, wearing gloves when handling them, folding their own envelope - do people still lick envelopes anymore? - using lettering stamps instead of handwriting...

Forgive me for the joke on your username, made me laugh.

[–] reksas@sopuli.xyz 5 points 1 week ago* (last edited 1 week ago)

If I ran a privacy-focused company, I would keep records that are just wrong and don't link to the correct people at all. If I actually needed to make records, maybe I would make some kind of system where I personally can use them, kind of like an extra cipher on top of everything else that would transform/pick the useless data into actual data. So if someone demands the records and I just have to give them, I'll just give them -> they can't get anything out of them anyway.

Can't demand me to be competent too 🤷‍♂️ maybe I would give the excuse that I used AI to vibe code the thing
