Proton Mail Suspended Journalist Accounts at Request of Cybersecurity Agency
Key topics
Proton Mail suspended journalist accounts at the request of a cybersecurity agency, sparking controversy over their commitment to privacy and free speech, with many users expressing distrust and considering alternative services.
Snapshot generated from the HN discussion (based on 160 loaded comments).
Story posted: Sep 12, 2025 at 5:20 PM EDT
First comment: Sep 12, 2025 at 5:56 PM EDT (36m after posting)
Peak activity: 85 comments in 0-6h
Latest activity: Sep 16, 2025 at 4:12 AM EDT
That said, if your inbox is encrypted, Proton Mail does so on the client side with a second password. They can maybe delete the account, but Proton Mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances.
This is the weakness of cloud services.
I would expect their own apps to be open source, are they not?
If you, or someone else, would like to, please audit the repos. Could be cool to see trusted forks of some of the clients.
As if disabling the issue tracker and stonewalling pull requests wasn't bad enough, seeing how it is built out of multiple layers that communicate via gRPC was what made me instantly lose all trust in Proton. I don't know who's been doing their hiring but just from one look at that kludge it's evident they've lost the plot altogether.
(There's a third-party alternative called Hydroxide, but it's experimental. Haven't been able to send emails through it from Thunderbird yet, though I've only looked into this for a few hours recently.)
You are the bosses at Protonmail: do you want police at 6 am shaking your kids, seizing all your devices, losing all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack?
No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flag, in order to collect the missing information.
This is true for all companies who control the client.
It was - without anyone admitting to it - probably KrCERT who requested the account suspension. KrCERT doesn't seem to have any legal jurisdiction in Switzerland.
"KrCERT/CC, which is an internal division of KISA, is a CSIRT with national responsibility and a focal point of contact for Korea on international cybersecurity incident handling." -- https://en.wikipedia.org/wiki/Korea_Internet_%26_Security_Ag...
I'd like to think if they 'tapped on the shoulder of the CTO' of a company headquartered in Switzerland, he'd say "maybe, come back with an order from a relevant court or security agency in Switzerland and I'll get my team right on that".
Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.
Source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.
https://proton.me/mail/pricing#compare-plans
>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency
Sooner or later we will default to analog means. It's not looking good.
Most CERT requests are valid and good and should be obliged, but there should be a manual check involved.
Especially when an appeal is filed. Especially when the content is obviously security reporting.
Both extremes are wrong - don't ignore CERTs and don't mindlessly oblige them. Find one of the many reasonable middle grounds.
I suspect there's a few email providers where the marketing and reputation management teams are hurriedly adding "check the user and the user's affiliated social media reach before suspending this account, and before responding to any support requests from the user."
My new elevator pitch: We proactively research all of our customers' users and new signups to assign them a social media reach score. We then automatically escalate external account action requests or user support calls for highly ranked users to senior staff, providing details and evidence of their social reach and industry affiliations. While we generate revenue from these customers, our primary revenue stream is the aggregated data we acquire while doing this, and selling access to that data to law enforcement, the insurance industry, and Nation State intelligence organisations across the globe.
Or even have checked how busy the account was.
Or check their received legal mail.
I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).
It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.
They currently do cooperate and they get the odd bad press about this.
So doing what they actually claim to do would change nothing. Their current stance is just a cop out.
While I like the idea of a safe and uncompromising service, proton seems less so now.
Sadly https://lavabit.com/ currently just says "We are not accepting new users at this time. Mail services remain online, while we work on improving our website code."
It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account, and only did so after this got attention on X/Twitter.
So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.
According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356
They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.
You'll also note that Proton doesn't mention that their Abuse Team refused to re-enable the account after the article author went through the appeals process, as per Phrack's timeline at the top of their article.
I had previously liked Proton. I started seeing bits and pieces of info about their security being lackluster over the past year or so, causing doubt about their credibility. I'm definitely done with them after this.
The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.
As for the "company size" excuse, sorry, but considering the business you claim to be in (private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").
Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.
Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
I don't know about Switzerland, but in Germany, no company will be available "over the weekend". Almost everything on the internet in DE is Mo-Fr 9-17.
Before 31 December 2020, the Swiss Airforce famously only operated during office hours....
and yet suspending the account...
What about those of us nobodies with no influence?
Maybe a tool with DRM embedded would be an appropriate analogy?
Maybe take a look at https://posteo.de/en
With good cause, in this case, but the crowds wielding pitchforks don’t much care either way.
Ever heard of linkable systems? They can detect when multiple proofs come from the same person, even if they can't identify who that person is. The system can also force reuse of the same secret, which stops the "infinite proof factory" problem.
Unique secrets can also be tied directly to identity. For example, if the ZKP is about knowledge of a secret key bound to your identity, then you can't just mint 5000 independent proofs unless you also have 5000 identities.
There's also the concept of nullifiers, used in privacy-preserving identity protocols. A nullifier is basically a one-time marker derived from your identity secret that prevents double-use of a proof.
On top of that, zk-SNARK-based credentials or verifiable credentials can prove "I am a unique registered person" without revealing which one. These systems enforce uniqueness at registration, so you can't magically spawn 5000 ZKPs that all look like 5000 humans. Similar ideas exist with linkable ring signatures and even biometric-based ZK proofs.
So there are plenty of ways to counteract your "5000 ZKPs per human" story (what's usually called a Sybil attack).
If you're being pedantic, yes: a bare ZKP alone doesn't enforce "one proof = one person", but ZKP + uniqueness enforcement (nullifiers, credentials, commitments, etc.) does, and that's what I had in mind. I thought it was obvious, but then again, nothing is obvious, and I should have specified. My bad.
In any case, people ought to know just how powerful and useful these ZKP-based systems can be when designed properly. I think this is the only way forward if we want to preserve our privacy, and at the same time we want to prove we're human without sacrificing anonymity, or verify we know the password without revealing it, or prove we're eligible to vote without revealing our identity, or demonstrate we meet age requirements without showing our birthdate, or verify we have sufficient funds without disclosing our balance, or show we're authorized to access something without revealing our credentials, or verify our qualifications without exposing personal details, and so on.
Edit: excuse the technical brain dump, I literally just woke up. I hope this helps to clear up some things, however.
Happy to dig deeper if you want.
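The nullifier and linkable-proof idea in the comment above, as an added example (not the commenter's code): a Chaum-Pedersen proof that a per-scope nullifier and a registered public key share one secret, so one secret yields exactly one nullifier per scope. The names, the demo-sized 128-bit group and the per-scope registry are assumptions; the commitment X is shown to the verifier here, whereas deployed systems hide it behind a membership proof.

```python
import hashlib
import secrets

# Added example, not from the thread. Each identity holds a secret x with
# public commitment X = G^x. For a scope (one poll, one signup flow) the
# nullifier is N = h_scope^x, and the proof shows log_G(X) == log_h(N)
# without revealing x. Many proofs from one x collapse to one N per scope,
# while N values for different scopes are not linkable to each other.

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test, adequate for demo-sized parameters."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=128):
    """Return (p, q, g) with p = 2q + 1; g = 4 is a square, so it has order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()  # assumption: 128-bit demo group, not production size

def scope_generator(scope: bytes) -> int:
    """Hash the scope to a subgroup element whose log base G is unknown."""
    h = int.from_bytes(hashlib.sha256(scope).digest(), "big") % P
    return pow(h, 2, P)  # squaring lands in the order-q subgroup

def _challenge(*vals) -> int:
    """Fiat-Shamir challenge binding every public value of the proof."""
    width = (P.bit_length() + 7) // 8
    data = b"".join(v.to_bytes(width, "big") for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prove(x, X, scope):
    """Return (nullifier, proof) for one use of secret x in this scope."""
    h = scope_generator(scope)
    N = pow(h, x, P)
    r = secrets.randbelow(Q - 1) + 1
    A, B = pow(G, r, P), pow(h, r, P)
    c = _challenge(G, h, X, N, A, B)
    return N, (A, B, (r + c * x) % Q)

def verify(X, scope, N, proof) -> bool:
    """Check G^z == A * X^c and h^z == B * N^c for the same challenge c."""
    h = scope_generator(scope)
    A, B, z = proof
    c = _challenge(G, h, X, N, A, B)
    return (pow(G, z, P) == A * pow(X, c, P) % P
            and pow(h, z, P) == B * pow(N, c, P) % P)

class ScopedRegistry:
    """Accepts each registered identity once per scope by remembering nullifiers."""
    def __init__(self, registered):
        self.registered = set(registered)
        self.seen = set()

    def submit(self, X, scope, N, proof) -> bool:
        if X not in self.registered or not verify(X, scope, N, proof):
            return False
        if (scope, N) in self.seen:
            return False  # double use: same secret, same scope
        self.seen.add((scope, N))
        return True
```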
I wanted to try Proton out when they were having a sale, but I could not complete the purchase because I was on Mullvad's VPN.
I created a ticket, and when they got back to me 5 days later, they told me to disconnect from the VPN to sign up for Proton.
Email is a critical infrastructure these days. Most people have neither the time nor the will to deal with emails failing to send and/or be delivered. (Send or receive)
1. According to the now-deleted Reddit comment from the official Proton account glazing Republicans, so I assume they were speaking on behalf of all of Proton. https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru.... I have zero evidence except for the CEO's questionable public statements, but I wouldn't be surprised if Proton turned out to be the 21st century Crypto AG.
And yes, some quotes, references, or a modicum of argumentation around a divisive point of view is also a good idea.
People of all kinds can say certain positive things about the Republican Party for different reasons in specific contexts and not be fanatics you know. That's how using actual reasoning and nuanced discourse works in the world of not throwing your brain in the garbage through ideological rigidity.
I never saw any outrage. Only memory holing and denial.
You probably aren't looking hard enough. There was plenty of outrage, and congressmen excoriated tech companies for "suppressing right-wing voices".
Well, why or why not doesn't matter; there _was_ backlash. And to my recollection, he made some rather bizarre defensive posts on Reddit that were later deleted and replaced with a corpo response.
The CEO once expressed support for Gail Slater as head of antitrust and subsequently criticized lack of effective work towards tech regulation on the Democratic side in the same social media thread.
Calling that "love for the current US admin" (which hadn't even taken office when those statements were made) is pure disinformation.
But it'd be nice to be able to expect your email provider not to cave in to a request from some other country's CERT organisation without pushing back for evidence and some sort of proper judicial authority behind the request.
Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).
Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.
This is something I had not heard (also have been a paying user for a very long time).
I've never encountered a bug, to my knowledge. I did dislike that when they released photo storage they didn't have a proper search feature.
I'm glad it works for you, but their offering is frequently buggy and broken for me.
So I responded in kind, because I've definitely seen company cheerleaders, and I'll have no part of it. I'm glad you all are happy with Proton. I'm not telling you to leave.
And if you really want to see complaints, you don't have to look far. Read the other comments on this thread. I don't have to spell everything out for you.
The VPN has always just worked, too.
If you're using desktop apps for things, really can't help you there as I have no experience with any proton offerings for that piece.
https://old.reddit.com/r/ProtonMail/comments/t8vwhf/deleting... https://news.ycombinator.com/item?id=33432296 https://old.reddit.com/r/ProtonMail/comments/yjz3yu/proton_b... https://old.reddit.com/r/ProtonMail/comments/1j79x7j/has_the...
(The temerity of the customer service response on that last one, saying they have no clue about the bug being asked about is galling, but par for the course for them).
BTW, make flippant responses, get responses in kind. Normally I'd ignore this idiocy, but today was your lucky day. Anyway, it's clear you're just a troll and I've indulged you enough.
People that feel very satisfied or dissatisfied with something are most likely to comment. I've just been very satisfied.
There was also that whole IMAP data loss issue. Unsure if that ever got resolved.
I was a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half-baked password manager being one).
Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.
And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.
My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.
Or a very bizarre LLM offering: https://news.ycombinator.com/item?id=44657556
For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).
That would at least move your needle around a lot, even if it isn't bringing along the haystack of all the other VPN customers sharing their endpoint IP addresses. You couldn't consider this sufficient protection against TLAs or Mossad. Or disgruntled Magic The Gathering players burnt by MtGox...
1) Use your VPS OS's native software upgrade mechanism
2) Build, test, and deploy immutable images
For 1), you configure your OS (Ubuntu LTS let's say) to do automatic unattended upgrades only for security updates (check documentation for instructions). They're designed to be backwards compatible so this is safe and automatic. May require you to periodically reboot the box. When that version of Ubuntu is eventually end-of-life, they usually provide a manual upgrade procedure to upgrade in-place to a newer version of Ubuntu. A couple manual steps over an hour or two and you're set until the new version goes EOL (many years for Ubuntu LTS).
For 2), you would build either a container or a disk image with your OS, preferred software, configs, etc. Build the image (Packer for disk image, Docker for container), write a simple test to run it and make sure it's working. Now you can install that new container or disk image onto your VPS, and you know it'll work. This is more work, but the resulting image is guaranteed to work the same way every time. So every time you upgrade, you just build a new image. If the new image doesn't work for some reason, just go back to the last image that did work. Set all this up on a CI/CD platform (GitHub Actions, CircleCI, etc) and you can just keep using that setup forever, no need to get it set up on your laptop again if you reinstall your laptop OS.
For either of these, it helps to use only software that is packaged for your OS, rather than installing custom software. There will be less extra work to perform to get the software to work and configured, and upgrade steps will be smoother.
For 2), it also helps to use a VPS which has a Terraform provider (https://registry.terraform.io/browse/providers?category=infr...) so you can write code to automate updating your VPS's disk image (or restoring an old one).
Could you elaborate more on this?
It’s quite easy to do with openwrt routers.
For the parent commenter: you set up an account at a Dynamic DNS service, and configure your router so when it's online, a dynamic DNS hostname will always point at your router's IP. Then you set up a Wireguard or OpenVPN server on your wifi AP. Then set up your phone, laptop, etc to connect to that server at the dynamic dns hostname. Now you have a VPN server running on your home wifi AP. Connect when you're away from home, and your traffic will go securely through your home ISP connection.
https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
Like, the calendar on mobile doesn't even have a search function. What if I want to know when an event is happening? I just have to scroll and scroll until I find it? Come on now. Also no storage backup in Proton Drive??? What??? That's, like, 90% of the purpose of Proton Drive!
The configurability is extensive in both the web app and the iOS email app. Service has been fast and stable. They rarely change anything in the UI (no random tinkering is what I mean) so it is predictable and easy to use.
https://news.purelymail.com/posts/updates/2025-03-06-a-new-c...
I heard using your own domains solves the migration issue but that makes your email pretty identifiable just by looking at your domain.
I wonder what's a suitable replacement candidate after Mozmail and SimpleLogin? One of the reasons I migrated away from Mozmail to SimpleLogin was that you can't initiate an email send, which made it difficult to contact support if needed. Plus Mozmail is on Amazon SES.
https://relay.firefox.com right? Or there's another service?
> that makes your email pretty identifiable
Agreed. I have also stopped abusing the catch-all of my domains. It became a pain very soon. Not only privacy issues but I couldn't possibly block those emails/spam that were coming on usernames like sales and many more.
> Did you get in via some invite or so?
I signed up normally. It's been a while so I don't remember the details but I didn't receive any invitation or early access etc.
Then there's "Email Protection" which has reply from alias feature, doesn't show any billing. Two other plans with "billed monthly". But all three are still on "Join the Waitlist". Maybe it's not released in my geography yet.
https://i.postimg.cc/FsndSJm5/temp-Image-Vp5r-HT.avif
Here's what I see [2].
[1]: https://support.mozilla.org/en-US/kb/which-countries-firefox...
[2]: https://postimg.cc/q6H9nDQf
https://news.ycombinator.com/item?id=45229681
The rebranding and "revamp" is limited to the logo and colour changes :D everything under the hood is still the same good old OX inferiority. Hell, you may never want to use their webmail either (my 99.9999% mail usage is via IMAP clients). They are fine other than that.
Fastmail is pretty good if their price and offerings are not an overkill for you. You should check Runbox as well - really good.
Simple Login alt: addy.io? Fastmail and Mailbox (auto-deletes in 30 days unless you "touch" it :D) also have disposable email as part of email offerings. Don't know about Runbox.
> I am a Fastmail customer. Absolutely horrible customer support but pretty solid email. Do not even think about using the "suit" they offer alongside email.
I meant to type “Mailbox” (I find their support horrible) but mobile and typo/confusion. Anyway my fault.
Whenever I had something to ask - Fastmail has been stellar! I don’t use it because it’s too costly for me and offers resources I absolutely do not need.
(You might already have guessed I meant mailbox though as I mentioned Fastmail separately later, did you?)
What was horrible about mailbox support? Too many instances and examples and also I wouldn’t want to mention exact examples here as I have those in their forum and also on support tickets.
I like Fastmail; they seem to have a "move slow and don't break things" mentality that I like from my email.
Fastmail's interface is very plain, and it works very fast and works well.
They support a plethora of ways to do mail and have many advanced users, so their mail support is very good, maybe close to running your own mail server without having to deal with RBLs and getting spamlisted.
That said, because I’ve not experienced any failure, I’ve not experienced how well Fastmail handles failure, which is the real measure of a company.
"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."
<https://proton.me/support/inactive-accounts>
If this would be the case they would not be approved by any payment providers at all.
On top of that, add the possibility that hosting companies and upstream network peers would shut them down.
You do know what law required Proton to act as it did at each step in the story, right? You wouldn't just come up with random non-sequiturs, right?
That's not what Phrack says here: https://phrack.org/issues/72/7_md
Where they say "Proton was used only for email and only to communicate with South Korea"
Even if you can't send email at all (unlikely if you use an outbound relay), there are very significant privacy benefits to having your own server. I send very few emails relative to the number I receive. You couldn't pay me enough to go back to one of big commercial providers.
Feels like that's carrying a lot of load there?
Where do you get those? I doubt any inexpensive VPS provider has any clean IP addresses? AWS charge you $5/month for an elastic IP address, and I bet you'd need to cycle through their pool of those looking for one that hasn't been blacklisted recently?
There's another thing to consider here too. I was self-hosting my own mail, but back in 2013/14 I investigated all my mail, and even though I'd avoided Google/Microsoft/Yahoo et al., over 80% of my personal email was on their servers because that's where my correspondents were. I pretty much gave up maintaining my own (slightly over-complicated) stuff and gave in and chose to accept the "Do no evil" company at face value. 4 or 5 years later that company no longer existed, even though they continue with the same name today.
That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.
tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.
I'd like more details about the initial CERT contact if anyone knows anything.