I’ve been paying for a Proton account for years. I’ve also spent the last several months reading every word of their privacy policy, terms of service, transparency report, data processing agreement, and the Wayback Machine archives of pages they quietly deleted. This isn’t a “switch to Gmail” post. Gmail reads everything you send and builds ad profiles from it. Proton doesn’t do that. But Proton markets itself as a mathematical privacy guarantee, and that claim doesn’t hold up when you go through the actual documents they publish.
Here’s what I found.
The numbers they published themselves
Let’s start with Proton’s own transparency report, because the headline number gets buried.
From 2017 to 2025, Proton received 45,667 legal orders for user data. They complied with 40,389 of them. Do the math: that’s an 88% compliance rate over the whole period (a 12% non-compliance rate, depending on which way you want to frame it), and the yearly figures show the trend running the wrong way.
In 2017 they got 26 orders. By 2024 that number was 11,023, of which they complied with 10,368, a 94% compliance rate. That’s roughly a 424x increase in seven years. The contest rate peaked at 21.2% in 2021, which is interesting because 2021 was when the French climate activist case became public and put them under scrutiny. After the spotlight moved, the contest rate dropped. By 2024 it was 5.9%, while order volume nearly doubled year-over-year.
Martin Steiger, a Swiss attorney who tracks Proton’s transparency data, attributes part of the 2024 jump to Switzerland switching from per-request billing to a flat-rate compensation model for law enforcement data requests at the start of that year. When filing a request costs less friction, more requests get filed. Proton got bigger, the government made the paperwork cheaper, and the fight rate cratered.
The thing people usually say here is “they have to comply, it’s the law.” But if that were true, the rate would be 100%. The 6% they do contest proves fighting is legally available. OVPN beat a Swedish court order in 2021 and got zero data handed over. Mullvad got raided by Swedish police who left empty-handed because the architecture genuinely held nothing. The “resistance is impossible” argument is cope for companies that choose cooperation.
Now compare Proton Mail’s numbers to Proton’s own VPN product. Proton VPN denied 100% of all legal orders from 2020 to 2025. Every year. Every order. Not because they’re braver than the mail team, but because the VPN architecture holds no logs to hand over. Compliance is technically impossible.
And compare to Tuta, which operates under German law, not Switzerland, not some privacy utopia. Germany. Tuta’s transparency report for the second half of 2025 shows 220 requests received, 58 complied with. That’s roughly a 75% rejection rate. First half of 2025: 227 requests, 54 complied with. Tuta fights three out of four requests by lodging objections based on the argument that they’re a telecommunications service (the CJEU ruled they’re not, but Tuta uses the legal angle anyway because it works some of the time). Proton hasn’t found a comparable angle, or hasn’t looked.
What “zero-access” actually means (it has an asterisk)
Proton’s marketing page, verbatim: “Proton Mail’s zero-access architecture means we can never access your emails. As a result, we cannot hand your emails over to anyone.”
Their homepage: “Our end-to-end encryption and zero-access encryption mean that no one (not even Proton) has the technical means to access your data without your permission. At Proton, privacy isn’t a promise, it’s mathematically ensured.”
Now their own privacy policy, also verbatim: “unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses… Such inbound messages are scanned for spam in memory, and then encrypted and written to disk.”

To understand why this matters technically, you need to understand how email works.
When someone sends you an email from Gmail, that message arrives at Proton’s SMTP gateway as plaintext at the application layer. The hop from Gmail’s server is normally protected by TLS, but Proton’s gateway is the TLS endpoint, so it decrypts the transport layer at the edge and is left holding the message itself. Before Proton can encrypt that message with your public key and write it to disk under zero-access encryption, their servers have to see the plaintext. That’s not a flaw. It’s a fundamental constraint of how SMTP email interoperates with encryption systems: you can’t encrypt something for someone without a moment where you hold the plaintext and the recipient’s public key at the same time, unless the sender already encrypted it before it left their machine, which is the PGP case discussed later.
The technical path goes:
- Sender’s mail server establishes a TLS connection to Proton’s inbound SMTP gateway (mx.protonmail.ch).
- The message is decrypted at Proton’s TLS termination layer.
- Proton’s spam and virus filters run against the message body and headers in memory. This is body-level filtering, not just header analysis; header analysis alone catches maybe 30-40% of spam, so you need content signals.
- The plaintext message is encrypted with the recipient’s public key (the public half of the key pair tied to their Proton account).
- The ciphertext is written to disk. From this point forward, Proton’s servers genuinely cannot decrypt it without your private key.
Steps 2 through 4 are the window where Proton’s systems hold your plaintext. That window is brief. It is also real. Their own X account confirmed this: “we briefly see the contents of the email before immediately and automatically encrypting it without ever being able to access it again.” They called it a “limitation imposed upon us by providers like Gmail who do not use PGP encryption by default.”
That’s technically accurate. It’s also a direct contradiction of “not even Proton” can see your data. You can’t run body-level spam filtering without reading the body. That’s how reading works.
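To make that window concrete, here is an added example, not Proton’s code and not from the original post: a minimal inbound gateway in Go that follows the five steps above. It parses the message, scores it for spam once without reading the body and once with it, then encrypts the body to the recipient’s public key and keeps only the envelope in the clear. The sample message, the recipient key pair, the spam signals and the hybrid scheme (AES-256-GCM with an RSA-OAEP-wrapped key, standing in for the OpenPGP encryption Proton actually uses) are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// SampleMessage is a constructed inbound message from an external, non-PGP sender.
const SampleMessage = "From: alice@example.com\r\nTo: bob@example.org\r\n" +
	"Subject: Re: wire transfer for the settlement\r\nMessage-ID: <c1@example.com>\r\n" +
	"Precedence: bulk\r\n\r\nHi Bob, click here to confirm the wire transfer before Friday.\r\n"

// StoredMessage is what remains after the plaintext window closes: envelope
// fields in the clear, body under AES-256-GCM with the key RSA-OAEP-wrapped
// to the recipient's public key (a stand-in for the OpenPGP layer).
type StoredMessage struct {
	From, To, Subject string // never encrypted; queryable by the operator
	HeaderOnlyScore   int    // what a filter that never reads the body sees
	FullScore         int    // what the in-memory content scan actually saw
	WrappedKey, Nonce []byte
	Ciphertext        []byte
}

// SpamScore counts crude signals; bodyVisible=false mimics header-only filtering.
func SpamScore(h mail.Header, body string, bodyVisible bool) int {
	score := 0
	if strings.EqualFold(h.Get("Precedence"), "bulk") || h.Get("Message-ID") == "" {
		score++
	}
	if !bodyVisible {
		return score
	}
	for _, s := range []string{"click here", "wire transfer", "act now"} {
		if strings.Contains(strings.ToLower(body), s) {
			score++
		}
	}
	return score
}

// must is for operations that cannot fail on a healthy host (CSPRNG, AES setup).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewRecipientKey stands in for the recipient's account key pair.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Ingest is the gateway path. Between ReadMessage and Seal the server holds
// the plaintext in the body variable: that is the window the section describes.
func Ingest(raw string, pub *rsa.PublicKey) (*StoredMessage, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	body := must(io.ReadAll(msg.Body))
	st := &StoredMessage{From: msg.Header.Get("From"), To: msg.Header.Get("To"),
		Subject:         msg.Header.Get("Subject"),
		HeaderOnlyScore: SpamScore(msg.Header, "", false),
		FullScore:       SpamScore(msg.Header, string(body), true)}
	key := make([]byte, 32)
	must(io.ReadFull(rand.Reader, key))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	st.Nonce = make([]byte, gcm.NonceSize())
	must(io.ReadFull(rand.Reader, st.Nonce))
	// The cleartext subject is bound as AAD so a tampered envelope fails to open.
	st.Ciphertext = gcm.Seal(nil, st.Nonce, body, []byte(st.Subject))
	st.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return st, err
}

// Decrypt succeeds only with the recipient's private key; the operator has none.
func Decrypt(st *StoredMessage, priv *rsa.PrivateKey) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, st.WrappedKey, nil)
	if err != nil {
		return "", fmt.Errorf("cannot unwrap body key: %w", err)
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	pt, err := gcm.Open(nil, st.Nonce, st.Ciphertext, []byte(st.Subject))
	return string(pt), err
}

func main() {
	priv := must(NewRecipientKey())
	st := must(Ingest(SampleMessage, &priv.PublicKey))
	fmt.Printf("in the clear: %s -> %s, subject %q\n", st.From, st.To, st.Subject)
	fmt.Printf("spam score: headers only %d, with body %d\n", st.HeaderOnlyScore, st.FullScore)
	fmt.Printf("recipient reads: %q\n", strings.TrimSpace(must(Decrypt(st, priv))))
	_, err := Decrypt(st, must(NewRecipientKey()))
	fmt.Println("operator with a different key:", err)
}
```

Run it with go run. The first two lines of output are everything the gateway retains in readable form, the header-only score is lower than the score that read the body, and the last Decrypt call fails because a different private key cannot unwrap the body key. If the sender had already encrypted the body with the recipient’s PGP key before sending, the body scan in Ingest would see only ciphertext and contribute nothing, which is the Proton-to-Proton and PGP case.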
chompie, who runs IBM X-Force Offensive Research, posted about this and got 1.1 million views: “Not only can Proton Mail read your emails, but they’re subject to the same subpoenas and lawful government requests as Google. Real privacy requires end-to-end encryption, which users have to actively adopt, and most don’t because it’s hard and annoying.”
The only case where Proton genuinely can’t read your message content is Proton-to-Proton email, because both sender and recipient have keys managed by the Proton system, and E2E encryption can be applied before the message ever leaves the sender’s device (via the web crypto API or the mobile clients). The moment one party is on Gmail or Outlook, which is most of the email most people receive, that guarantee goes away.
What Proton actually has access to
Even setting aside the inbound email scanning, the metadata picture is worse than most people realize.
Proton’s privacy policy lists what they hold as standard account data:
Email metadata (always accessible to Proton):
- Sender and recipient email addresses for every message
- IP addresses from incoming message headers
- Attachment names (not content, but names; “divorce_settlement_draft.pdf” is an attachment name)
- Message subjects (never end-to-end encrypted, so Proton can read them)
- Send and receive timestamps for every message
- Total message count and storage usage
- Last login time
[Figure: what Proton Mail actually encrypts. End-to-end encryption protects content; the envelope is always visible.]
Subject lines deserve special attention. “Your prescription refill from CVS.” “Whistleblower submission received.” “Re: meeting with immigration attorney.” “Termination notice.” Subjects often carry the most information-dense summary of what an email is about, and Proton has them all, for every email you’ve ever sent or received, unencrypted.
Ask any intelligence analyst whether they’d rather have message content or metadata (sender, recipient, subject, timestamp, frequency, attachment names) and they’ll say metadata. Metadata is structured. You can run pattern analysis on it. You can build a social graph from it. Content requires reading. Metadata requires a database query.
The account-level data Proton holds also includes recovery email or phone number you provided during signup, account creation date, and device identifiers.
Calendar metadata (stored unencrypted): event start and end times, time zones, recurrence rules, event creation and update times, event status. Your entire schedule.
Drive metadata: file and folder creation and modification times, permissions, the username that created or uploaded files, and for shared URLs, creation time, last access time, and number of accesses.
That’s the data set those 40,389 complied-with orders could draw on.
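As an added illustration (not code from the original post, and not anything taken from Proton’s systems), here is a small Go program that runs the kind of analysis the analyst paragraph above describes over constructed envelope records of exactly the fields listed in this section: a contact graph for one account, keyword matches against subjects and attachment names, and a histogram of sending hours. The records, addresses and keywords are invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Envelope is one per-message record of the kind the section lists as held in
// the clear: addresses, subject, attachment name, timestamp. No message body.
type Envelope struct {
	From, To, Subject, Attachment string
	At                            time.Time
}

func at(s string) time.Time { t, _ := time.Parse(time.RFC3339, s); return t }

// Sample is constructed for this example; every address and subject is invented.
var Sample = []Envelope{
	{"target@example.net", "counsel@lawfirm.example", "Re: settlement terms", "divorce_settlement_draft.pdf", at("2025-03-03T22:14:00Z")},
	{"counsel@lawfirm.example", "target@example.net", "Re: settlement terms", "", at("2025-03-04T09:02:00Z")},
	{"target@example.net", "counsel@lawfirm.example", "signed pages", "signed_p3-4.pdf", at("2025-03-05T23:40:00Z")},
	{"newsletter@shop.example", "target@example.net", "Spring sale", "", at("2025-03-05T11:00:00Z")},
	{"target@example.net", "tips@newsroom.example", "Whistleblower submission", "payroll_export.xlsx", at("2025-03-06T22:55:00Z")},
	{"tips@newsroom.example", "target@example.net", "Re: Whistleblower submission", "", at("2025-03-07T08:30:00Z")},
	{"target@example.net", "tips@newsroom.example", "follow-up", "", at("2025-03-08T23:05:00Z")},
	{"friend@example.com", "target@example.net", "dinner?", "", at("2025-03-08T18:20:00Z")},
}

// ContactGraph counts messages between account and each correspondent, both directions.
func ContactGraph(recs []Envelope, account string) map[string]int {
	g := map[string]int{}
	for _, r := range recs {
		switch account {
		case r.From:
			g[r.To]++
		case r.To:
			g[r.From]++
		}
	}
	return g
}

// TopContacts orders correspondents by volume, ties broken alphabetically.
func TopContacts(g map[string]int, n int) []string {
	names := make([]string, 0, len(g))
	for k := range g {
		names = append(names, k)
	}
	sort.Slice(names, func(i, j int) bool {
		if g[names[i]] != g[names[j]] {
			return g[names[i]] > g[names[j]]
		}
		return names[i] < names[j]
	})
	if len(names) > n {
		names = names[:n]
	}
	return names
}

// Flagged returns records whose subject or attachment name matches a keyword.
// This is a substring match over cleartext fields, not a decryption.
func Flagged(recs []Envelope, keywords ...string) []Envelope {
	var out []Envelope
	for _, r := range recs {
		hay := strings.ToLower(r.Subject + " " + r.Attachment)
		for _, k := range keywords {
			if strings.Contains(hay, strings.ToLower(k)) {
				out = append(out, r)
				break
			}
		}
	}
	return out
}

// SendHours histograms the UTC hour at which account sends mail; a consistent
// late-night peak narrows the sender's time zone and daily routine.
func SendHours(recs []Envelope, account string) [24]int {
	var h [24]int
	for _, r := range recs {
		if r.From == account {
			h[r.At.UTC().Hour()]++
		}
	}
	return h
}

func main() {
	const target = "target@example.net"
	g := ContactGraph(Sample, target)
	fmt.Println("contacts by volume:", TopContacts(g, 3), g)
	for _, r := range Flagged(Sample, "settlement", "whistleblower", "divorce") {
		fmt.Printf("flagged: %s -> %s %q %s\n", r.From, r.To, r.Subject, r.Attachment)
	}
	fmt.Println("sending hours (UTC):", SendHours(Sample, target))
}
```

None of these functions touch a message body. The contact graph and the sending-hour histogram come from addresses and timestamps alone, and the keyword pass runs over fields the operator stores in the clear, which is why an order for metadata is cheaper to act on than one for content, and why the encrypted body changes less than the marketing suggests.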
The IP logging they tried to quietly erase
In January 2021, Proton’s homepage said, and I have the Wayback Machine archive to prove it: “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”
Then, in September 2021, it came out that Proton had logged and handed over the IP address of a French climate activist to French authorities via Europol and Swiss MLAT channels. The technical specifics matter here.
The activist was part of Youth for Climate, an environmental group occupying buildings in Paris. Swiss authorities received an MLAT request, approved it, and Proton was compelled to begin IP logging on that specific account going forward (Proton doesn’t log IPs by default, but they can be ordered to start for a specific account). The IP they collected, combined with a recovery email address also handed over, led investigators to an Apple ID, which led to the activist’s identification and arrest.
The forensic chain here is a useful illustration of how metadata compounds. Proton provided two data points: an IP address and a recovery email. The IP resolved to an ISP subnet. The recovery email was tied to an Apple account. Apple, served with its own request or through iCloud, produced account details. The target was identified. None of this required anyone to read their emails.
After this went public, Proton quietly updated their homepage. The “we do not keep any IP logs” language disappeared. The Register documented the before and after with Wayback Machine screenshots. Bruce Schneier wrote about it. Proton’s current privacy policy now says: “If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation.”
More telling is a disclosure buried on a Proton VPN support page (not the main privacy policy, not the marketing pages but a VPN support article): email “is generally not no-logs and can require IP disclosure in the event of a Swiss criminal investigation. That’s why if your threat model requires hiding your IP from Swiss authorities when using Proton Mail, we recommend using a VPN or Tor.”
The privacy product has a gap, and Proton’s documented solution is to buy their other privacy product.
The Phrack incident: cluster-banning journalists on a non-legal tip
In August 2025, Proton suspended the accounts of Phrack Zine. If you’re not familiar with Phrack, it’s been publishing since 1985, before Google, before most of Proton’s employees were born. It’s one of the foundational texts of security research, the kind of publication that DEFCON speakers cite in their acknowledgments.

Two journalists publishing under pseudonyms Saber and cyb0rg had been doing responsible disclosure on a sophisticated intrusion into South Korean government systems — the Ministry of Foreign Affairs and the military’s Defense Counterintelligence Command — attributed to Kimsuky, a North Korean state-sponsored threat actor that CISA and the NSA have both published advisories about. They notified KrCERT/CC, South Korea’s national CERT, before publishing. They were using Proton specifically because they’re journalists working on sensitive national security material.
Proton suspended their dedicated disclosure email account after receiving a tip from a CERT. The next day, they suspended Saber’s personal Proton account too. Phrack emailed Proton on August 22nd requesting restoration. No response. September 6th, a follow-up. Still nothing. September 9th, Phrack went public on X. September 10th, Proton responded.
Proton’s official response: “We were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.”
A “cluster.” Proton cluster-banned accounts in the vicinity of the CERT tip without verifying which were legitimate. CERTs are advisory bodies. They have no legal enforcement authority. They issue recommendations. A CERT tip carries the same legal weight as an email from a stranger. Proton’s own terms of service say they act on “orders from the competent authorities” — a CERT is not a competent authority.
Andy Yen, Proton’s CEO, jumped in to defend it: “Honestly, this is a ridiculous take. We investigated, verified the tip, and enforced our ToS.”
But if the investigation verified the tip, why did they reinstate the accounts? If the accounts genuinely violated the ToS, restoring them makes no sense. If they didn’t, Proton suspended legitimate journalism accounts for weeks based on an unverified advisory from a non-legal body, ignored multiple appeals, and fixed it only when the internet started watching.
There’s also a technical tension here. Proton’s privacy marketing says they can’t see what’s in your account because of zero-access encryption. But they also claim they “investigated” account activity to enforce ToS. The two are compatible only if the investigation ran on what Proton can see: the metadata covered above (sending volume, recipient patterns, abuse complaints), not message contents. When Yen was asked directly whether the alleged violation was malware or hacking, he didn’t answer, which leaves the claim of a verified investigation unsupported.
March 2026: the Stop Cop City case
On March 5, 2026, 404 Media published an FBI affidavit showing that Proton Mail handed over payment data that identified a Stop Cop City protester in Atlanta. The account was [email protected], listed publicly on the Defend the Atlanta Forest Facebook page.
The FBI submitted a request through the US-Switzerland Mutual Legal Assistance Treaty. Swiss authorities approved it. Proton provided a credit card payment identifier — specifically, a Chargebee transaction ID, since Proton processes payments through Chargebee, a US-based subscription management platform. The FBI traced that identifier through Chargebee to the issuing bank, and the bank identified the cardholder. The person was arrested at Atlanta’s airport.

A few things worth unpacking here.
The charge was trespassing. The investigating agent was from the FBI’s Domestic Terrorism squad. An international treaty request, routed through Swiss federal legal channels, was used to identify someone arrested for a misdemeanor-level offense. That’s the practical scope of “Swiss privacy protection” when a determined law enforcement agency decides it wants your data.
Proton’s X response is almost worth quoting in full because it contradicts itself within three paragraphs. Paragraph one: “Proton did not provide any information to the FBI.” Paragraph three: “only payment info was disclosed.” Edward Shone, Proton’s head of communications, told 404 Media: “We want to first clarify that Proton did not provide any information to the FBI, the information was obtained from the Swiss justice department via MLAT.” That distinction — whether Proton handed the data to the FBI or handed it to Swiss authorities who handed it to the FBI — is the kind of framing that looks like evasion when the outcome is the same.
Proton also characterized the underlying case as involving “a police officer was shot, and explosives were found.” The FBI’s own search warrant affidavit doesn’t mention a shooting. On X, @PplsCityCouncil called this out and noted that the officer involved was shot by another officer, and that the “explosives” appeared to be fireworks. Proton inflated the severity to justify the compliance. The actual charge was trespassing.
Separately: if this user had paid with Monero, there would have been no payment identifier to trace. Proton’s response noted they “accept cash and crypto.” They accept Bitcoin — the cryptocurrency with a public, permanent ledger that Chainalysis and Elliptic have built entire forensics businesses around tracing. Proton didn’t accept Monero at all until September 2025, and even then only through a third-party called ProxyStore, not natively. Their general manager promised direct Monero integration “by end of Summer 2025.” Missed that deadline.
This is the third time we’ve seen this pattern. French climate activist, 2021. Catalan independence activist, 2024. Stop Cop City protester, 2026. Three activists, three countries, three MLAT requests, three times Proton complied and someone got identified.
Swiss privacy: what the jurisdiction actually provides
Proton’s marketing frames Swiss jurisdiction as a force field. Their blog says Switzerland is “outside of US and EU jurisdiction,” that Swiss companies “cannot be compelled to engage in bulk surveillance,” and that “the laws of mathematics cannot be changed or altered.”
The first two points are true in a limited sense. Foreign governments can’t directly subpoena Proton. Requests have to go through Swiss legal channels via MLAT or through the Swiss Federal Office of Justice. This adds a step.
Once an order clears that step, Proton complied with it 94% of the time in 2024, and roughly 88% of the time across 2017 to 2025.
The MLAT mechanism is worth understanding in detail because it’s how almost all of the high-profile cases worked. A foreign law enforcement agency (FBI, Europol, French Interior Ministry, Spanish authorities) identifies a target and determines they’re using Proton. They draft an MLAT request to Swiss authorities, which goes to the Federal Department of Justice and Police and typically the Office of the Attorney General. Swiss prosecutors review the request, and if the underlying conduct would be illegal under Swiss law, they forward a legally binding order to Proton. Proton must then either comply or contest the order in the Swiss courts.
The “underlying conduct must be illegal under Swiss law” requirement is the key process protection. This is why bulk surveillance requests don’t go through this channel easily — Swiss law has no equivalent of US national security letters or FISA requests. But trespassing is illegal in Switzerland. Climate protests can qualify as criminal damage. Independence movements can be framed as various offenses depending on what authorities want to argue.

Proton also doesn’t notify users when their data gets requested. Steiger Legal flagged this: Proton’s position is that it’s Swiss authorities’ responsibility to inform targets, not Proton’s. So your data gets handed over and you don’t find out unless you get arrested or see a news story about it.
The Switzerland pitch also has some geographic inconsistencies. Your encrypted email sits on servers in Switzerland. But your support tickets route through Zendesk, a US company. Payment data goes through Chargebee, Stripe, and PayPal, all US companies. Customer support tickets also go through Atlassian tools. Sales data goes through HubSpot. Customer support subsidiaries exist in Macedonia and Taiwan. “Swiss privacy” has about six asterisks attached to it.
The signup anti-anonymity problem
Try creating a Proton account over Tor. Their “intelligent algorithm” — their own description — determines what verification method you get during signup based on signals from your connection. If you’re coming from a Tor exit node or a known VPN range, the escalation path goes: CAPTCHA → email verification → SMS phone number verification.
The people most likely to need phone verification are the people most likely to need anonymity — journalists, activists, people in countries with surveillance infrastructure, people who route through Tor specifically because they have something to protect.
Proton says this is to prevent spam bots from bulk account creation. That’s a real concern. If spammers create thousands of Proton accounts and use them to send spam, Gmail and Outlook will blacklist Proton’s mail servers, which breaks the product for everyone. Anti-abuse is a legitimate problem.
But compare to Mullvad: click “generate account,” get a random 16-digit number, done. No email, no phone, no name, no CAPTCHA. Or Tuta: CAPTCHA and you’re in. The idea that privacy-friendly signup and anti-spam are mutually exclusive is a design choice, not a technical constraint. Proton chose the design that requires identity information from the users most likely to need anonymity.
VoIP numbers are also blocked. Proton’s filters reject around 60% of traffic from known VoIP ranges. So burner numbers don’t work either. If you want a Proton account over Tor, you either give them a real phone number or you email their support team to beg for an exception.
The business VPN logging quiet admission
Proton’s consumer VPN claims a strict no-logs policy, and their transparency report backs this up — 100% denial rate on all orders, 2020-2025. True. The architecture holds nothing.
But Proton’s Business VPN product, documented in their Business Privacy Policy, collects connection and disconnection timestamps, device type and operating system, and the IP address used to connect to VPN servers.
That’s the exact data their consumer VPN claims never to log. The existence of the Business VPN logging proves Proton built the logging infrastructure. They have the code. They deployed it for paying business customers. The consumer no-logs claim is a business decision about which customers get which configuration, not a statement about what’s technically possible.
The Bitcoin wallet from the company that barely accepted Monero
In 2024, Proton launched Proton Wallet. A Bitcoin wallet. Bitcoin has a fully public blockchain. Every transaction is permanently visible to anyone who looks. Chainalysis and Elliptic built entire companies on tracing Bitcoin for law enforcement. The FBI has recovered millions from ransomware operations by following Bitcoin ledgers. This is common knowledge in the cryptocurrency space.
Meanwhile, Monero exists. Monero uses ring signatures, stealth addresses, and Confidential Transactions (specifically RingCT) to obscure sender, recipient, and transaction amounts by default. Mullvad accepts Monero. IVPN accepts Monero. Proton didn’t accept Monero at all until September 2025, and then only through ProxyStore as a third-party middleman — not natively, not directly on their payment page.
[IMAGE SUGGESTION: A two-column comparison of Bitcoin vs Monero privacy properties. Column 1 (Bitcoin): “Public ledger – all transactions visible. Sender address visible. Recipient address visible. Amount visible. Traceable by Chainalysis/Elliptic. FBI standard tool for crypto recovery.” Column 2 (Monero): “Ring signatures obscure sender. Stealth addresses protect recipient. RingCT hides transaction amounts. Not natively traceable by current blockchain analytics tools.” No promotional framing, just the technical properties.]
Proton’s own general manager promised direct Monero integration “by end of Summer 2025.” That deadline passed. Their UserVoice forum has had requests for Monero support for years. The company built an entire Bitcoin wallet product and dragged its feet on the privacy coin for years.
$100 million, CERN, and a DC lobbying firm
Proton brings in over $100 million annually. 585 employees. The primary shareholder is the Proton Foundation, a Swiss nonprofit endowed with Proton shares by Andy Yen and co-founders Jason Stockman and Dingchao Lu. This is marketed as a guarantee of mission integrity — no VC pressure to monetize users.
Andy Yen has a PhD in particle physics from Harvard and did research at CERN on the ATLAS experiment before founding Proton in 2014 in response to the Snowden revelations. That origin story is genuine.
A nonprofit shareholder structure and a CERN pedigree don’t change what the privacy policy says about scanning emails. They don’t change 40,389 complied orders.
Proton received €2 million in EU funding through Horizon 2020 and spends up to €100,000 per year lobbying the EU through APCO Worldwide, a Washington DC-based lobbying firm. Their lobbying focus includes the Digital Markets Act, encryption policy, cybersecurity frameworks, and data retention directives. In December 2022, they met with Commissioner Ylva Johansson’s cabinet about CSAM detection (the same policy area as the EU’s Chat Control proposal, which would mandate client-side scanning of encrypted messages). In March 2025, they met with EVP Stéphane Séjourné about AI competitiveness.
Lobbying on encryption policy isn’t inherently sinister — they may well be lobbying in favor of strong encryption. But “scrappy Swiss scientists fighting Big Tech” and “our lobbyist is APCO Worldwide out of DC” are two narratives that don’t coexist comfortably.
The affiliate machine
Proton runs a partner and affiliate program paying up to 100% commission on referrals, with recurring revenue on renewals. They have a dedicated influencer contact at [email protected]. Their partner page: “Boost credibility and engage your privacy-conscious followers by endorsing secure digital solutions.”
A significant share of the “privacy recommendation” content on YouTube, Reddit, and newsletters that tells you to use Proton is financially incentivized to tell you to use Proton. They’re not lying about Proton being better than Gmail. They’re just leaving out everything covered in this article, because it’s hard to drive signups with “better than Gmail but the marketing overstates the privacy guarantees.”
What actually works
If your threat model requires that no server anywhere sees your plaintext email, use PGP with a provider-agnostic setup. PGP encryption happens on your machine. The ciphertext is what hits any server. No provider sees plaintext, no matter who compels them. You can use PGP with any email provider, including self-hosted setups. The complexity is real — key management, distributing your public key, convincing the people you correspond with to use it — but it’s the only approach that removes the server from the trust chain entirely.
If you need a VPN with genuine no-knowledge architecture (not just a policy), Mullvad generates a random 16-digit account number with no email, username, or password. They accept Monero and cash sent in the mail. When Swedish police raided them in 2023, they found nothing, because there was nothing to find. If you lose your account number, your account is gone — because no identity information was ever collected to allow recovery.
Self-hosting the entire stack is also an option. Email server (Postfix/Dovecot), VPN (WireGuard), password management (Vaultwarden), file storage (Nextcloud). The infrastructure is free and open source. The operational burden is real — you’re responsible for updates, backups, deliverability, and your own security. But you’re not relying on any company’s policy or marketing.
Proton is better than Gmail for most people and that’s genuinely true. It’s worth using for exactly what it is: an email provider that doesn’t read your mail for advertising, that provides E2E encryption for Proton-to-Proton correspondence, that operates under Swiss law with some process protections that most email providers don’t have.
It is not a mathematical privacy guarantee. It is not untouchable by foreign governments. It doesn’t protect your metadata. And it handed over data in response to 94% of the legal orders it received in 2024, and about 88% of all orders since 2017.
That’s what you’re buying. Use it with those facts in mind.
The pattern, not the incidents
The French climate activist, 2021. The Catalan independence activist, 2024. The Stop Cop City protester, 2026. These aren’t edge cases or bad luck. They illustrate what happens when a company with 40,389 complied government orders gets a targeted MLAT request about a user whose security model assumed stronger protections than the product delivers.
HideMyAss went through this in 2011. They marketed anonymous VPN, kept connection logs the entire time, and handed over timestamps and IPs when the FBI came for a LulzSec member. After the story broke, they hired an auditor to verify a no-logs policy. By then the trust was gone. The pattern is: company markets absolute-sounding guarantees, users rely on those guarantees, legal pressure arrives, the architecture allows compliance, someone gets identified. The people who needed the guarantee most find out it had an asterisk after it was too late.
Proton is not HideMyAss. But they’re running the same gap between marketing language and architecture, and the transparency report shows the same dynamic: roughly nine orders in ten complied with. The difference is that Proton publishes the numbers and you can read them yourself.
So read them.
This post first appeared at The CyberSec Guru.

