
cross-posted from: https://ibbit.at/post/52938

The company behind the Proton Mail email service, Proton, describes itself as a “neutral and safe haven for your personal data, committed to defending your freedom.”

But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency. After a public outcry, and multiple weeks, the journalists’ accounts were eventually reinstated — but the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place.

Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton’s services as alternatives to something like Gmail “specifically to avoid situations like this,” pointing out that “While it’s good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools most.” Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions.

Shelton noted that perhaps Proton should “prioritize responding to journalists about account suspensions privately, rather than when they go viral.”

On Reddit, Proton’s official account stated that “Proton did not knowingly block journalists’ email accounts” and that the “situation has unfortunately been blown out of proportion.” Proton did not respond to The Intercept’s request for comment.

The two journalists whose accounts were disabled were working on an article published in the August issue of the long-running hacker zine Phrack. The story described how a sophisticated hacking operation — what’s known in cybersecurity parlance as an APT, or advanced persistent threat — had wormed its way into a number of South Korean computer networks, including those of the Ministry of Foreign Affairs and the military Defense Counterintelligence Command, or DCC.

The journalists, who published their story under the names Saber and cyb0rg, describe the hack as being consistent with the work of Kimsuky, a notorious North Korean state-backed APT sanctioned by the U.S. Treasury Department in 2023.

As they pieced the story together, emails viewed by The Intercept show that the authors followed cybersecurity best practices and conducted what’s known as responsible disclosure: notifying affected parties that a vulnerability has been discovered in their systems prior to publicizing the incident.

Saber and cyb0rg created a dedicated Proton Mail account to coordinate the responsible disclosures, then proceeded to notify the impacted parties, including the Ministry of Foreign Affairs and the DCC, and also notified South Korean cybersecurity organizations like the Korea Internet and Security Agency, and KrCERT/CC, the state-sponsored Computer Emergency Response Team. According to emails viewed by The Intercept, KrCERT wrote back to the authors, thanking them for their disclosure.

A note on cybersecurity jargon: CERTs are agencies consisting of cybersecurity experts specializing in dealing with and responding to security incidents. CERTs exist in over 70 countries — with some countries having multiple CERTs each specializing in a particular field such as the financial sector — and may be government-sponsored or private organizations. They adhere to a set of formal technical standards, such as being expected to react to reported cybersecurity threats and security incidents. A high-profile example of a CERT agency in the U.S. is the Cybersecurity and Infrastructure Agency, which has recently been gutted by the Trump administration.

A week after the print issue of Phrack came out, and a few days before the digital version was released, Saber and cyb0rg found that the Proton account they had set up for the responsible disclosure notifications had been suspended. A day later, Saber discovered that his personal Proton Mail account had also been suspended. Phrack posted a timeline of the account suspensions at the top of the published article, and later highlighted the timeline in a viral social media post. Both accounts were suspended owing to an unspecified “potential policy violation,” according to screenshots of account login attempts reviewed by The Intercept.

The suspension notice instructed the authors to fill out Proton’s abuse appeals form if they believed the suspension was in error. Saber did so, and received a reply from a member of Proton Mail’s Abuse Team who went by the name Dante.

In an email viewed by The Intercept, Dante told Saber that their account “has been disabled as a result of a direct connection to an account that was taken down due to violations of our terms and conditions while being used in a malicious manner.” Dante also provided a link to Proton’s terms of service, going on to state, “We have clearly indicated that any account used for unauthorized activities, will be sanctioned accordingly.” The response concluded by stating, “We consider that allowing access to your account will cause further damage to our service, therefore we will keep the account suspended.”

On August 22, a Phrack editor reached out to Proton, writing that no hacked data was passed through the suspended email accounts, and asked if the account suspension incident could be deescalated. After receiving no response from Proton, the editor sent a follow-up email on September 6. Proton once again did not reply to the email.

On September 9, the official Phrack X account made a post asking Proton’s official account why Proton was “cancelling journalists and ghosting us,” adding: “need help calibrating your moral compass?” The post quickly went viral, garnering over 150,000 views.

Proton’s official account replied the following day, stating that Proton had been “alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled. Our team is now reviewing these cases individually to determine if any can be restored.” Proton then stated that they “stand with journalists” but “cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.”

Proton did not publicly specify which CERT had alerted them, and didn’t answer The Intercept’s request for the name of the specific CERT which had sent the alert. KrCERT also did not reply to The Intercept’s question about whether they were the CERT that had sent the alert to Proton.


Later in the day, Proton’s founder and CEO Andy Yen posted on X that the two accounts had been reinstated. Neither Yen nor Proton explained why the accounts had been reinstated, whether they had been found to not violate the terms of service after all, why they had been suspended in the first place, or why a member of the Proton Abuse Team reiterated that the accounts had violated the terms of service during Saber’s appeals process.

Phrack noted that the account suspensions created a “real impact to the author. The author was unable to answer media requests about the article.” The co-authors, Phrack pointed out, were also in the midst of the responsible disclosure process and working together with the various affected South Korean organizations to help fix their systems. “All this was denied and ruined by Proton,” Phrack stated.

Phrack editors said that the incident leaves them “concerned what this means to other whistleblowers or journalists. The community needs assurance that Proton does not disable accounts unless Proton has a court order or the crime (or ToS violation) is apparent.”

The post Proton Mail Suspended Journalist Accounts at Request of Cybersecurity Agency appeared first on The Intercept.


From The Intercept via this RSS feed

[-] artyom@piefed.social 311 points 2 weeks ago

The author omitted the complete statement from Reddit:

Hi everyone,

No, Proton did not knowingly block journalists’ email accounts. Our support for journalists and those working in the public interest has been demonstrated time and again through actions, not just words.

In this case, we were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.

Because of our zero-access architecture, we cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.

Our team has reviewed these cases individually to determine if any can be restored. We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.

Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.

The situation has unfortunately been blown out of proportion without giving us a fair chance to respond to the initial outreach.

[-] Confused_Emus@lemmy.dbzer0.com 100 points 2 weeks ago

How dare you provide context in an online discussion thread!

(/s for the challenged)

[-] massive_bereavement@fedia.io 48 points 2 weeks ago

The review only happened AFTER Phrack publicly complained on Twitter about it and 150k people saw it, not before.

This is not the first time Proton drops the ball massively and then spins a tale to save their name.

[-] artyom@piefed.social 16 points 2 weeks ago

You can blame them for being slow but I don't think you can reasonably assert that they're malicious, which I think is the implication.

[-] limer@lemmy.ml 8 points 2 weeks ago

The important thing to me is not maliciousness, but reliability under political, social and legal pressure.

All of this is hard to understand, much of what is happening is opaque.

Also this does not apply to all people. Depending on hundreds of variables, one person’s issue is not relevant to another.

I am in a country that can exert legal pressure on them; and so I cannot use their services

[-] ViatorOmnium@piefed.social 48 points 2 weeks ago

So, if say, Saudi Arabia's CERT tells them to block a list of reporters' accounts, they will gladly do it without demanding any evidence?

[-] fatalicus@lemmy.world 51 points 2 weeks ago

You block then investigate yes.

Just like every other company in existence does it, since the first thing you want to do is stop continued spread/misuse.

[-] TigerAce@lemmy.dbzer0.com 17 points 2 weeks ago

You're also arrested when suspected of a crime. If it turns out you were innocent, they will let you go.

First response: stop everything to prevent possible malicious/criminal activity. Then investigate to see if it was the right call. If it was, nice. If it wasn't: "sorry bud, just doing our jobs. Have a nice day."

[-] shreyan@lemmy.cif.su 35 points 2 weeks ago

Classic damage control.

> Our team has reviewed these cases individually to determine if any can be restored.

Would they have done this if there wasn't a public backlash? I would bet money the answer is no.

> We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.

What were the TOS violations?

[-] bigchunga@feddit.online 14 points 2 weeks ago

Still shows that Proton suspended the accounts because some CERTS told them to. That's not a court order.

[-] artyom@piefed.social 11 points 2 weeks ago

Yeah I mean what's the alternative? Just allowing ALL Proton accounts to continue to be abusive until proven otherwise? How do you think that would impact not only the company but also the users/customers of that company? They were temporarily suspended, and reinstated after investigation.

[-] kadup@lemmy.world 9 points 2 weeks ago

> They were temporarily suspended, and reinstated after investigation.

Would this sequence of events have happened if it was an average joe nobody cared about, rather than a public outcry?

[-] bigchunga@feddit.online 8 points 2 weeks ago

In the past Proton stated that they only act on claims from legitimate law enforcement with a court order. Now they acted on some organization's request. If Proton's own mechanisms for detecting malicious use trigger, yeah, they should suspend the account and investigate further, but not from a third party that has zero authority.

[-] ProdigalFrog@slrpnk.net 59 points 2 weeks ago* (last edited 2 weeks ago)

Quite damning of Proton, but unfortunately isn't too surprising after the CEO's pro-Trump comments.

~~I would say they have proven themselves untrustworthy and mostly concerned with profit-seeking, and would suggest moving to alternatives if you use their services.~~

Mullvad is a solid VPN (Tor is better), and Posteo, Tuta, or Disroot are good email providers (don't use email for anything sensitive, private providers only give protection against surveillance capitalism).

EDIT: With more context provided by @artyom@piefed.social, this recent action by them was, perhaps, not as cut and dry as it seemed. (Though I still am skeptical of their integrity, personally)

[-] Funky_Beak@lemmy.sdf.org 19 points 2 weeks ago* (last edited 2 weeks ago)

Proton have always reeked. Given some real nordvpn pia vibes. My hot take is: Mailbox, Filen, Mullvad, local dns, Run containerised cloned vms and burn after use. All in one solutions keep biting me in the arse.

[-] cmnybo@discuss.tchncs.de 17 points 2 weeks ago

There aren't many VPN providers that have port forwarding and allow P2P. Proton is about the only choice if you want to seed.

[-] ProdigalFrog@slrpnk.net 11 points 2 weeks ago

Unless something has changed, I believe Windscribe also allows port forwarding.

AirVPN does as well, but as they are based in Italy, I think they may have to comply with the new Italian VPN anti-piracy law enacted there.

[-] theskyisfalling@lemmy.dbzer0.com 10 points 2 weeks ago

Air VPN has port forwarding, been using them for years.

[-] shifty@leminal.space 15 points 2 weeks ago

Their recruitment practices are also profit-seeking. Job applications require your salary expectations and they don't post their salary range.

[-] NotForYourStereo@lemmy.world 43 points 2 weeks ago* (last edited 2 weeks ago)

Proton is poisoned. Stop using it.

They are not the alternative to mega technofascist companies. They are one of them. Everybody was hand-waving the Trump support, "well, that Andy guy isn't DIRECTLY involved with this or that, so it's fine" but it's not.

Stop using and stop recommending it.

[-] Doomsider@lemmy.world 30 points 2 weeks ago

So the shoe finally drops!

I have been mocking Proton users for years now. Buying privacy from a corporation that openly cooperates with governments was asinine.

[-] LordKitsuna@lemmy.world 27 points 2 weeks ago

Anyone who genuinely thought that privacy was going to be perfect was an idiot. But they're going to be better than Gmail and they are. The only way to achieve any type of true privacy would be to start up your own data center, run your own email, and then be the one that's dealing with the government knocking on your door. Have fun with that.

Put frankly, privacy on the internet does not exist and anyone that thinks it's achievable on the modern internet is honestly an idiot. We can only select the least shitty option; there is no good option. And the problem is even that is a moving target. I'm not going to keep changing my email provider every couple years to whatever the new current popular privacy option is.

[-] kadup@lemmy.world 13 points 2 weeks ago

Everything related to privacy and security requires as a fundamental premise that you select your threat model. Who are you? What data do you want to protect? From whom, and how bad would it be to fail?

Most people skip this step, and then keep acting either surprised or over/under reacting to any given news. There are people out there that can't use email - regardless of who hosts what. There are people out there that would be fine with Gmail.

[-] philpo@feddit.org 30 points 2 weeks ago* (last edited 2 weeks ago)

Proton doing another shady thing?

Colour me surprised!

[-] Lumisal@lemmy.world 28 points 2 weeks ago

The reality is the only option you'll have (for those asking for alternatives) is self hosting, if you're worried about things like this. Eventually one of them may get compromised or enshittified.

Tuta, for example, is in Germany. All it takes is one election where the AfD wins and now Tuta is compromised. Either you'll be hopping around continuously, or you settle for the best possible option, or you self host.

[-] ILikeBoobies@lemmy.ca 11 points 2 weeks ago* (last edited 2 weeks ago)

Because email is federated, self hosting doesn’t matter.

Sure you aren’t going to lose your email but 90% of it is going to be hosted by Microsoft/Google so those companies can block your email and it’s akin to being frozen.

[-] hector@lemmy.today 8 points 2 weeks ago

Proton immediately froze my account, I am on some Brazilian blacklist from my IP somehow, no way to ask for them to allow it anyway there like at Tuta.

Those are the only 2 I could find that are acceptable. I do not want linked phone, do not want to be locked out of email if I lose phone or service.

[-] SpiceDealer@lemmy.dbzer0.com 23 points 2 weeks ago

I've been using Proton for some years but I've lost trust in almost all email providers, even the ones that I use. They simply can't be trusted. Email was not created with privacy and security in mind. Self-hosting is your only safe option. Tuta and Posteo are suitable alternatives.

[-] philosloppy@lemmy.world 14 points 2 weeks ago

> Self-hosting is your only safe option

but then nobody gets your emails because you aren't one of the big boy domains.

Email was not designed for the modern internet and not just on the security front. But we just kept beating at it with a hammer until it was a vaguely square shaped peg and put it in the hole anyways.

[-] cupcakezealot@piefed.blahaj.zone 23 points 2 weeks ago

who could have predicted that the company run by the guy who cozies up to authoritarians would work with authoritarians.

[-] muusemuuse@sh.itjust.works 22 points 2 weeks ago

Tuta is German so it cannot be trusted since Germany is on the brink of fascism. Supposedly can’t search message bodies in Tuta either.

Proton is, well, proton.

Self hosting gets blocked everywhere. Since I have my own domain, I’m finding even my Proton address gets blocked a lot.

So wtf am I supposed to do? Has the industry been successful in corporatizing and controlling email now?

[-] KairuByte@lemmy.dbzer0.com 18 points 2 weeks ago

If your own domain is being blocked, you’re likely misconfiguring DMARC/DKIM/SPF on the domain.

[-] Hominine@lemmy.world 17 points 2 weeks ago

Finally broke down this week and moved to Tuta mail, but I almost gave Proton a trial run first. After Yen's last fumble, I felt the need to dodge a bullet. What timing.

[-] homesweethomeMrL@lemmy.world 12 points 2 weeks ago

Yeah Proton continuing to pooch it

[-] shreyan@lemmy.cif.su 11 points 2 weeks ago

Selfhosting is really becoming the only option.

[-] rollerbang@lemmy.world 11 points 2 weeks ago

Agreed. But then they'll "simply" seize your domain. Federation is the way, and P2P.

[-] TheLastOfHisName@lemmy.world 11 points 2 weeks ago

I'm too invested to hop providers right now, and I don't know if I have the spoons to self host.

[-] unabart@sh.itjust.works 9 points 2 weeks ago

Everything is now paywalled and absolutely none of it is worth jumping through the extra hoops to read. That said, thanks for posting the content in here.

[-] jjlinux@lemmy.zip 8 points 2 weeks ago
[-] robocall@lemmy.world 7 points 2 weeks ago

What email service do lemmy people recommend?

[-] mcbenavides85@piefed.social 18 points 2 weeks ago
[-] goatinspace@feddit.org 10 points 2 weeks ago

It's not as good as proton

[-] obsidianfoxxy7870 11 points 2 weeks ago

I do agree it's not as pretty as Proton but the encryption once it reaches your account is much better and I feel like they are more upfront about what they are and aren't. Really my main gripe with them is their lack of GPG support.

[-] philpo@feddit.org 7 points 2 weeks ago

Mailbox, formerly mailbox.org

Tuta, which is often recommended, is sadly another vendor lock in while mailbox is using industrial standards.

this post was submitted on 13 Sep 2025