The ProtonMail FBI Incident: On Privacy, Anonymity, and the Mask You Think You’re Wearing
Switzerland has a reputation. Neutral ground, numbered accounts, fortress banks carved into Alpine granite. It’s the kind of geography that gets mythologized — the place where secrets go to retire. So when ProtonMail, headquartered in Geneva and held up as the gold standard of secure email, helped the FBI identify a user, the privacy community reacted as though the mountains themselves had switched sides.
The reaction was understandable. It was also based on a fundamental misreading of what ProtonMail does, and what it was never designed to do.
What Actually Happened
The FBI was investigating an email account tied to “Stop Cop City,” a protest movement in Atlanta. To unmask the person behind the address, agents submitted a legal assistance request to the Swiss Justice Ministry. It met Swiss legal standards, and Proton was obligated to comply.
Here is the part that matters: ProtonMail did not hand over the contents of a single email. Its zero-access end-to-end encryption held. The messages remained unreadable to everyone except their intended recipients. What Proton surrendered was something else entirely: payment data (the account had been paid via credit card through a US processor) and a recovery email address. Two data points. That was enough.
It wasn’t the first time. In 2021, Proton provided the IP address of a French climate activist. In 2024, data relating to a member of a Catalan independence movement. Each time, the same pattern: the content of communications protected, the metadata surrounding them surrendered.
Privacy and Anonymity Are Not the Same Thing
This distinction is the entire story, and it gets collapsed constantly.
Privacy is about content, about who can see what you’re saying. Closing the curtains in your house is privacy. Anonymity is about identity, about who knows that you’re the one saying it. Wearing a mask in a crowd is anonymity. ProtonMail is a privacy tool, and a very good one. It was never, by itself, an anonymity tool.
The mistake people make is intuitive enough. “Secure” has a totalizing quality to it. If a service is secure, it feels like it should be secure in all directions at once. But encryption protects the message, not the messenger. If you pay for your secure email with a personal Visa card, log in from your home Wi-Fi, and connect a recovery address that traces back to your name, you haven’t disappeared. You’ve built a highly secure vault with your name on the front door.
ProtonMail hasn’t failed anyone. It functions exactly as a legal entity operating in a constitutional state must function, and it cannot protect data you voluntarily hand it.
What Actual Anonymity Requires
For most people, ProtonMail is exactly the right tool. It keeps advertisers out, protects email content, and provides a meaningful upgrade over Gmail. But for journalists protecting sources, whistleblowers, or activists operating in hostile environments, private email is only one layer of a much larger problem. The others require deliberate effort.
IP addresses are the most obvious exposure. Every time you connect to a service, your IP address travels with the request, and that number is tied directly to your internet account or physical device. Tor, a network that bounces traffic through a series of relays before it reaches its destination, masks the origin. ProtonMail maintains an official .onion address so that Proton-over-Tor traffic never has to leave the encrypted network at all.
The device itself can be a liability. Standard operating systems accumulate traces, including logs, temporary files, and cached data, that persist long after the browser is closed. Tails is a portable operating system that runs from a USB drive, routes all traffic through Tor, and leaves no record of the session on the machine when the computer is shut down. It is designed around the assumption that the device may eventually be seized.
Money always leaves a trail. The activist in the ProtonMail case was identified partly through a credit card payment. Privacy-oriented cryptocurrency like Monero, which obscures transaction details in ways that Bitcoin does not, or physical cash (Proton accepts it by mail) removes this link. Using the free tier removes it entirely.
Recovery information is a direct bridge between an anonymous identity and a real one. A recovery email or phone number exists precisely so the service can reach you when you’re locked out, which means it’s a record connecting your account to something traceable in your real life. If losing the account is an acceptable cost, that field should stay empty.
Compartmentalization matters more than any individual tool. Logging into an anonymous account and a personal social media profile in the same browser session, or on the same device, or from the same network, creates linkages that are difficult to untangle later. Identities that need to stay separate have to be treated as genuinely separate at every layer.
The Discipline Behind the Tools
None of this is complicated in principle, but it requires consistency. A single lapse, one login from home Wi-Fi, one payment with a card, one recovery email added just in case, can collapse the entire architecture. Tor and Tails and encrypted email are instruments, and they require someone who understands both what they do and what they don’t.
ProtonMail did what it said it would do: protect the content of its users’ communications. What it couldn’t do was protect users from the trails they left in getting there. That part was always their responsibility.
True anonymity isn’t a subscription. It’s a practice.
Sources
Proton Mail Helped FBI Unmask Anonymous “Stop Cop City” Protester
ProtonMail logged IP address of French activist after order by Swiss authorities
ProtonMail criticised for passing arrested French climate activist’s IP address to police
ProtonMail deletes ‘we don’t log your IP’ boast from website after French climate activist reportedly arrested
Important clarifications regarding arrest of climate activist
Encrypted services Apple, Proton and Wire helped Spanish police identify activist