From Andy:
There’s some misinformation floating around that I think is worth a post to clarify.
Proton generally only suspends accounts if 1) forced to do so by a Swiss govt order, 2) we are sure beyond a reasonable doubt the user breached Proton's Terms of Service (ToS), or 3) we detect that the user has been compromised.
Contrary to what some people think, Proton generally only suspends a single service and not all services. For example, if you decide to start sending spam in violation of Proton's ToS, Proton Mail may be suspended, but Proton Pass will continue to work. There are of course exceptions to this (for example, if an attacker is hitting your account or has already gotten in, we'll lock the whole thing down until you get in touch with us).
In general, account suspensions due to (1) and (2) are extremely rare, with (3) being slightly more common. (2) typically happens with newly created accounts which are used for spamming or for registering a large number of accounts at third-party services (such as Instagram, etc). The odds of an account you have been using for a while suddenly being suspended are virtually zero, and even then, we have a 24/7 team you can contact to appeal.
For ToS violations, it is irrelevant who reports the violation to us; if the violation is verified beyond a reasonable doubt, Proton will suspend the account. Proton data is encrypted, but we use OSINT techniques, our datasets of dark web chatter, information shared with us by other tech companies, and various other methods to do verification.
From time to time, there are claims that Proton is suspending accounts improperly. Our policy is not to comment publicly on specific cases, but there is usually more to the story than meets the eye, and the anonymous posters on the internet generally don’t disclose the full story. Such claims should therefore not be taken as fact, as the facts themselves are usually wrong.
To give an illustrative example, recently it was claimed that Proton was blocking the account of journalists. However, these were not “journalists” in the traditional sense, but hacktivists who were involved in a number of hacking incidents, which is a violation of Proton’s ToS, and therefore subject to suspension of all accounts. In this case, I made the decision to exceptionally restore two accounts because hacktivism cases are not always black and white. However, Proton’s policy is that if you use some accounts for illegal purposes, you will also lose access to the accounts where you have not yet conducted illegal activities.
Proton has no choice but to enforce the ToS, because if activities which are illegal under Swiss law, or other activities which are technically not illegal but damaging to Proton (such as sending spam), were not forbidden, Proton would unfortunately become blocked by other email providers, hurting legitimate users.
In enforcing our ToS, we show no favor or bias. It does not matter what your ideology is or which “side” you are on; Proton enforces the ToS uniformly.
Proton’s ToS can be found here: https://proton.me/legal/terms
Proton’s abuse appeal form can be found here: https://proton.me/support/appeal-abuse
Abuse and ToS violations can be reported here (all reports are treated confidentially): https://proton.me/support/report-abuse
Thank you for your understanding.
However, these were not “journalists” in the traditional sense, but hacktivists who were involved in a number of hacking incidents, which is a violation of Proton’s ToS, and therefore subject to suspension of all accounts. In this case, I made the decision to exceptionally restore two accounts because hacktivism cases are not always black and white.
So, either your original judgement to suspend the account (and to reject the subsequent appeal) was correct, or your later judgement to reinstate the account was correct.
I fail to see how you can claim with a straight face that both of your actions were correct, while every other fact about the owner of that account remained the same during the whole drama.
You need to understand a few things. In order to keep the email service usable, Proton needs to fight any malicious activity. If they didn't do it, ProtonMail would quickly be blacklisted by other mail providers, as it would be interpreted as a source of spam. At the same time, they have very limited capabilities to verify this activity by themselves, as they cannot read the contents of their users' emails (they are encrypted) and they keep limited logs.
As an article states, here is what happened:
Proton’s official account replied the following day, stating that Proton had been “alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled. Our team is now reviewing these cases individually to determine if any can be restored.” Proton then stated that they “stand with journalists” but “cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.”
While Proton does have an obligation to stop the spread of spam mail, this incident is a bit different. Let's see -
- Proton was not approached by other email providers (Gmail/Outlook) about a suspected email spam campaign originating from their network.
- This matter is NOT even related to spam mails.
- krCERT - a Govt agency - approached Proton and asked them to disable the account.
- Proton simply complied with that without verification.
- The appeal made by the owner of that email ID was rejected.
- Subsequent follow-ups were also ghosted.
- Until the tweet from the journalist went viral, Proton was not in the mood to reinstate the account.
Note that while Proton Mail (server) is E2E encrypted, once an email exits their network it no longer remains as such. So, whoever (other email provider or incident reporter) reported the incident should have a copy of the unencrypted email to prove abuse of the Proton Mail service.
Given that Proton has now reinstated the account, that proves Proton initially froze that account based on “Trust me, Bro” proof only from krCERT.
In an ideal world, any service provider should require a court order to comply with a Govt request, to remain unbiased in such a situation.
Given that Proton has now reinstated the account, that proves Proton initially froze that account based on “Trust me, Bro” proof only from krCERT.
Perhaps? Or are they obligated to comply and were able to reinstate because krCERT backed down?
So they simply suspend accounts because “they are evil, trust me bro” and only maybe investigate after? This is either stupid, negligent and/or bullshit.
Maybe I am misunderstanding something here, but this does seem like it could be ripe for abuse. Say I disliked a journalist and knew their proton mail. Could I report it as abuse and have them suspended?
Yes, and then the journalist appeals and shows that he is not using his account for abuse and gets reinstated. Even a privacy and security product like Proton has terms of service.
If you read through the article, his appeal was originally rejected, and subsequent follow ups were also ignored.
It’s only the tweet, directed at proton for ghosting them, that went viral and eventually forced Proton’s hand to reinstate the account.
If a journalist has to go through this much trouble, what chance does a common person from an authoritarian or semi-authoritarian country have?
This loophole will certainly be misused by Governments to gag someone temporarily/permanently.
False story.
Facts?
Yet they keep posting it.
Isn't the title misleading?
Please elaborate, if you will 🙏
I never trusted them to begin with
Them? Proton or The Intercept?
proton
Why not?
They market it as secure email. What does that even mean? They say it's encrypted, but most people don't receive encrypted emails. They don't put in the effort to educate their users about how email encryption works. Further, they don't use standard email servers, and require you to use their own clients. It always seemed like a honeypot, and I've seen enough news of them doing nefarious shit to confirm my distrust.
All valid points as far as I can tell. What provider do you use?
I have accounts with riseup, disroot, autistici, deltachat, and google.
Oh wow. You use all those actively?