A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
This is concerning for anybody who has ever paid proton using a traceable method. If I have a free email address, but I paid for VPN on the same account five yards ago, it sounds highly likely that Proton could give someone my name based on that half-decade-old payment.
Sounds like the best way to subvert this is to create a brand-new account and never submit payment info, but good luck creating a brand-new account without some extra identifier. From an older conversation among several people:
Proton does require a recovery email address if you sign up to a mail forwarding service or similar, right after creating the account. In that case the account remains locked…
In the article it says that that’s a one-time verification address. Though that leaves the question if/how long it’s stored.
Proton doesn’t allow you to use certain domains for recovery addresses… when I first joined Proton they wouldn’t allow me to set a duck.com or simplelogin.com or addy.io address as a recovery email.
Other comments point out how Proton isn’t doing a great job of relaying privacy and security concerns to new users who may be unfamiliar with them.
This is concerning for anybody who has ever paid proton using a traceable method. If I have a free email address, but I paid for VPN on the same account five yards ago, it sounds highly likely that Proton could give someone my name based on that half-decade-old payment.
Sounds like the best way to subvert this is to create a brand-new account and never submit payment info, but good luck creating a brand-new account without some extra identifier. From an older conversation among several people:
Other comments point out how Proton isn’t doing a great job of relaying privacy and security concerns to new users who may be unfamiliar with them.