Proton: FBI user identification shakes Swiss data protection

US investigators obtained payment data from a Proton account via legal assistance. Service points to strict Swiss legal regulations.


The encrypted email service Proton from Switzerland is once again at the center of a debate about anonymity and state access. The FBI has succeeded in uncovering the identity of a person behind a supposedly anonymous account, reports 404 Media. The account belongs to the protest movement "Stop Cop City", also known as "Defend the Atlanta Forest". The activists used the address as the official contact for their blog and social media.

Proton actively promotes privacy and its location in Switzerland. However, the case illustrates the realities of international law enforcement that stand in the way. According to the report, the flow of data went through the official channels of international legal assistance. The US authorities submitted a request to Switzerland based on a state treaty on mutual legal assistance in criminal matters from 1973. Since the account in question was a paid account, Proton could and had to release payment data upon judicial order.

This information, which is inevitably generated when using credit cards, ultimately enabled the FBI to identify the account holder. Proton's Head of Communications, Edward Shone, now emphasizes that the company did not transmit any data directly to the FBI. It merely responded to legally binding orders from the Swiss judiciary. For the person concerned, this legal nuance makes no difference to the outcome.

Proton justifies its cooperation by referring to serious offenses such as the shooting of a police officer and the use of explosive devices. However, research by The Guardian casts doubt on this narrative. The affidavit for the FBI's search warrant contains no mention of a shooting. Only an incident from January 2023 is known, in which police shot and killed activist Manuel Paez Terán after he allegedly injured an officer. The discrepancy between the justification for releasing the data and the investigation files is drawing further criticism of the provider's transparency.

A look at Proton's transparency report indicates that such incidents are not isolated cases. In 2024, the company passed on user data to authorities in over 10,000 cases. The service legally opposed the orders in less than six percent of these cases.

In its own privacy policy, Proton points out that third-party providers such as the US service Chargebee are used for credit card payments. Anyone who leaves such traces cannot rely on the promised anonymity if, for example, there is an interest in criminal prosecution. US providers often try to inform their users about such requests. The Swiss legal situation, on the other hand, stipulates that such notification must be made by the authorities themselves. In practice, this often does not happen during ongoing investigations. Lawyer Martin Steiger explains: In Switzerland, "cooperation with authorities is the norm."


Proton's strategic direction seems to be changing anyway. After plans for a revision of the Swiss surveillance ordinance became known, the company announced last summer that it would increasingly invest in infrastructure in other European countries. The company has already closed its data center at its headquarters in Geneva. For users, the realization remains that while encryption protects the content of communication, the identity of the sender is, given paid services and international cooperation between authorities, far less secure than the marketing promises.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.