I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral.
It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.
So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.
j-bos · 1h ago
> Phrack reached out to Proton in private multiple times, and Proton ghosted them.
They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
commmentator · 1h ago
You'll note that Proton's PR only mentions the second date - " last one on Sep 6 with a 48-hour deadline."
Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.
You'll also note that Proton doesn't mention that their Abuse Team refused to re-anable the account after the article author did the appeals process, as per Phrack's timeline at the top of their article.
j-bos · 1h ago
That's a great point. I guess at this point it'd be ideal for them to treat this an incident and do a proper postmortem with timelines and decision calculus.
commmentator · 1h ago
Definitely agree. A frank postmortem would be a good thing to see.
alsetmusic · 1h ago
But that would be contrary to their clear intention thus far: to sweep this under the rug. /s
I had previously liked Proton. I started seeing bits and pieces of info about their security being lackluster over the past year or so, causing doubt about their credibility. I'm definitely done with them after this.
nsagent · 1h ago
To be honest, I've found Proton's public customer service representatives to be very duplicitous, so it's hard to take their word at face value. It's pretty ridiculous to see their response to legitimate concerns start with: "That doesn't sound right..." 80-90% of the time.
a0123 · 1h ago
Sorry but doubt.
The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.
As for the "company size excuse" sorry but considering the business you claim to be in (the private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").
Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.
Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
baxtr · 35m ago
On a positive note: having reach on social media can solve problems nowadays.
a0123 · 1h ago
Which the reddit fanatics on their sub are bending over backwards to defend and explain away when there is no two ways about it tbh.
nsagent · 1h ago
I've need a paying subscriber to Proton since 2018, but I recently canceled my subscription (which ends in November). I just got fed up with the constant bugginess and jankiness of their offerings.
Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).
Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.
0xbadcafebee · 52m ago
Fastmail is fine. It's somewhat limited in its UX, but technically speaking, everything works, and it's snappy. Very few outages. I really like their integrations with calendars, contacts, and mail for 3rd party sites/services. Not a ton of features or deals re: custom domains or multiple users, but it's fine if it's just for yourself. edit They literally -JUST- turned on Offline support for their app and web interface, so my only real complaint is gone. Go with Fastmail.
For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).
idle_zealot · 1h ago
I'm using Fastmail and Mullvad. Both seem to work pretty well and are reasonably priced. You could also host your own on VPSs if you're feeling adventurous.
GCUMstlyHarmls · 26m ago
This 9-year-old issue me a bad taste for mailbox...
> constant bugginess and jankiness of their offerings
This is something I had not heard (also have been a paying user for a very long time).
I've never encountered a bug, to my knowledge. I did dislike that when they released photo storage they didn't have a proper search feature.
teekert · 1h ago
Same here, no bugs in Proton apps and I’m still a happy subscriber.
throwway120385 · 57m ago
For me the jank is in their billing and the plans I can purchase. I can either have a Business Mail Essentials plan or a Business Password plan, but if i want both at the same time I have to buy a plan that's three times as expensive or drop my custom domain name.
esseph · 15m ago
I do dislike their billing options when it comes to feature / service selection.
nsagent · 54m ago
Proton seems to have a lot of cheerleaders that come
out of the woodwork when anyone complains. I'm happy that somehow their code is magically bug free for you, since you've somehow never encountered any bugs whatsoever in their code (despite their release notes mentioning literal bugs they've fixed).
I'm glad it works for you, but their offering is frequently buggy and broken for me.
dotnet00 · 16m ago
It'd be useful if you pointed out bugs instead of just implying that anyone who doesn't share your experience is some sort of shill
esseph · 16m ago
I would imagine this is the universal case, otherwise they would be out of business.
People that feel very satisfied or dissatisfied with something are most likely to comment. I've just been very satisfied.
2cents5ewe27366 · 1h ago
I've been happy with Startmail, good customer service, they don't offer any of the non-email cloud services though.
aryonoco · 53m ago
I moved from Proton to Fastmail (and Mullvad for VPN).
I was a a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half baked password manager being one).
Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.
And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.
My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.
mulmen · 1h ago
I use Fastmail and I’m mostly happy with it. Their design team is thoughtless so their web and mobile offerings are disappointing. The mail hosting itself seems to be excellent though.
gruez · 2h ago
Can proton even win here? The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals.
autoexec · 1h ago
> The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals
I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).
It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.
a0123 · 1h ago
No.
They currently do cooperate and they go get the odd bad press about this.
So doing what they actually claim to do would change nothing. Their current stance is just a cop out.
rvnx · 1h ago
It is very naive to believe that email providers and VPNs do not have to respect the laws.
If this would be the case they would not be approved by any payment providers at all.
On top of that, add the possibility that hosting companies and upstream network peers would shut them down.
Hizonner · 1h ago
And what specific law did you have in mind, exactly?
You do know what law required Proton to act as it did at each step in the story, right? You wouldn't just come up with random non-sequiturs, right?
dotnet00 · 13m ago
Hmm going to wait and see how this plays out, maybe it's time to look at alternatives, assuming that my custom domain email isn't somehow locked to them.
BrandoElFollito · 2h ago
The silence of proton can only be interpreted to their disadvantage. This is not very smart and will make everyone doubt on them.
While I like the idea of a safe and uncompromising service, proton seems less so now.
I’d like more details about the initial CERT contact if anyone knows anything
antonymoose · 1h ago
PSA: Proton deletes “unused” accounts after one year, and defines unused in some opaque sense where receiving but not sending emails is “unused” so I’m in a nasty position of my iCloud account being unrecoverable. Going to have to spend nontrivial time off boarding my account.
coppsilgold · 1h ago
> defines unused in some opaque sense where receiving but not sending emails is “unused”
"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."
I had the mobile app and login. That wasn’t enough. Reading emails was not enough.
dotnet00 · 15m ago
I almost never use my protonmail to send emails, just reading, mostly on phone too. Has been fine so far.
nicce · 1h ago
Do they still use that old shady billing? You could get "credits" from coupon to upgrade your plan, and once it ends, it automatically subscribes and your account bill goes to negative. Unless you pay that, your account is locked. Happened to me some long time ago and haven't used Proton since.
NullPrefix · 29m ago
Is this for paid accounts too? If you prepay for 5 years and get lost at sea for 3 years, should you expect your proton to still work?
pagansRpedos · 1h ago
It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.
segmondy · 1h ago
When people show you themselves, believe them.
Proton is no longer to be trusted. Use at your own risk.
daft_pink · 2h ago
You either die a hero, or you live long enough to see yourself become the villain.
luqtas · 1h ago
not all heroes wear capes, much less releases personal AI assistant to navigate your own data while the MAIL CLIENT AND CALENDAR APP is on beta on Linux for YEARS
0xbadc0de5 · 1h ago
Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.
That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.
tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.
sitzkrieg · 1h ago
proton always glowed but just straight up bending to unnamed agencies puts em rank and file with every single other provider
lo_zamoyski · 36m ago
Is refusal realistic? It's nice in the abstract, but in practice, there are plenty of ways to coerce illegitimate compliance.
SilverElfin · 2h ago
I thought Proton was a confidentiality / privacy oriented thing. How do they even know who owns the accounts?
guywithahat · 2h ago
You can disable an account without knowing who owns it, although they do have credit card/payment information now, and I don't think new accounts get encryption services unless they pay.
That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances
gruez · 1h ago
>and I don't think new accounts get encryption services unless they pay.
source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.
You are trusting them. They control the client, how the keys are created/stored, etc. Javascript, etc. If they were to suddenly turn one day, they could.
This is the weakness of cloud services.
rvnx · 1h ago
It is very possible for them to inject custom JS to a specific user.
You are the bosses at Protonmail, do you want police at 6 am shaking your kids, seize all your devices, loose all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack ?
No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flags, in order to collect the missing information.
This is true for all companies who control the client.
j-bos · 1h ago
Trusting them is almpst guaranteed, but it doesn't have to be, sort of. The client's are opensource so you literally clone, audit, and run the clients locally.
Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.
HeatrayEnjoyer · 1h ago
Or just use an open source email client.
I would expect their own apps to be open source, are they not?
As if disabling the issue tracker and stonewalling pull requests wasn't bad enough, seeing how it is built out of multiple layers that communicate via gRPC was what made me instantly lose all trust in Proton. I don't know who's been doing their hiring but just from one look at that kludge it's evident they've lost the plot altogether.
(There's a third-party alternative called Hydroxide, but it's experimental. Haven't been able to send emails through it from Thunderbird yet, though I've only looked into this for a few hours recently.)
gruez · 2h ago
Second paragraph of the article:
>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency
mr90210 · 1h ago
They all are until they get threatened.
Soon or later we will default to analog means. It’s not looking good.
IncreasePosts · 1h ago
So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?
It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.
So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.
According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356
They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.
You'll also note that Proton doesn't mention that their Abuse Team refused to re-anable the account after the article author did the appeals process, as per Phrack's timeline at the top of their article.
I had previously liked Proton. I started seeing bits and pieces of info about their security being lackluster over the past year or so, causing doubt about their credibility. I'm definitely done with them after this.
The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.
As for the "company size excuse" sorry but considering the business you claim to be in (the private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").
Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.
Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).
Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.
For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).
https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
This is something I had not heard (also have been a paying user for a very long time).
I've never encountered a bug, to my knowledge. I did dislike that when they released photo storage they didn't have a proper search feature.
I'm glad it works for you, but their offering is frequently buggy and broken for me.
People that feel very satisfied or dissatisfied with something are most likely to comment. I've just been very satisfied.
I was a a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half baked password manager being one).
Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.
And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.
My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.
I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).
It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.
They currently do cooperate and they go get the odd bad press about this.
So doing what they actually claim to do would change nothing. Their current stance is just a cop out.
If this would be the case they would not be approved by any payment providers at all.
On top of that, add the possibility that hosting companies and upstream network peers would shut them down.
You do know what law required Proton to act as it did at each step in the story, right? You wouldn't just come up with random non-sequiturs, right?
While I like the idea of a safe and uncompromising service, proton seems less so now.
I’d like more details about the initial CERT contact if anyone knows anything
"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."
<https://proton.me/support/inactive-accounts>
That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.
tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.
That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances
source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.
https://proton.me/mail/pricing#compare-plans
This is the weakness of cloud services.
You are the bosses at Protonmail, do you want police at 6 am shaking your kids, seize all your devices, loose all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack ?
No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flags, in order to collect the missing information.
This is true for all companies who control the client.
Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.
I would expect their own apps to be open source, are they not?
If you, or someone else, like please audit the repos. Could be cool to see trusted forks of some of the clients.
As if disabling the issue tracker and stonewalling pull requests wasn't bad enough, seeing how it is built out of multiple layers that communicate via gRPC was what made me instantly lose all trust in Proton. I don't know who's been doing their hiring but just from one look at that kludge it's evident they've lost the plot altogether.
(There's a third-party alternative called Hydroxide, but it's experimental. Haven't been able to send emails through it from Thunderbird yet, though I've only looked into this for a few hours recently.)
>But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency
Soon or later we will default to analog means. It’s not looking good.