Executive Summary

The FBI uncovered the identity of an activist behind a purportedly anonymous Proton account – not by breaking encryption, but through lawful mutual legal assistance and payment data. The case demonstrates that the Swiss email service's advertised anonymity is significantly limited in state investigations. Proton handed over user data to authorities in over 10,000 cases in 2024, but resisted in fewer than 6% of them.

Topics

  • Data Protection and Anonymity
  • International Mutual Legal Assistance
  • Government Access to User Data
  • Encryption and Its Limits

Clarus Lead

The FBI identified an activist from the "Stop Cop City" protest movement through a paid Proton subscription – not through decryption, but via Swiss mutual legal assistance and payment data. Based on a court order, Proton was forced to release credit card data, which was processed through the US service Chargebee. Relevant for decision-makers: The affair reveals the boundary between technical encryption and organizational anonymity – a central risk for political organizations and whistleblowers.

Detailed Summary

The procedure followed the classic diplomatic path: US authorities made a request based on a 1973 state treaty. Proton CEO Edward Shone emphasizes that the company did not cooperate directly with the FBI, but only responded to Swiss court orders – a legal nuance that has no practical relevance for the affected party.

Particularly critical: Proton justified the data disclosure with serious allegations such as "shots fired at police officers" and "use of explosive devices." Guardian investigations contradict this characterization. The affidavit for the FBI search warrant makes no mention of shootings; the only known incident is an operation in January 2023 in which police shot an activist.

Proton's transparency report shows that this is not an isolated case. In 2024, the company handed over data in over 10,000 cases, but resisted legally in fewer than 6% of them. Swiss law allows authorities to not inform users about requests, unlike the practice at US providers. Attorney Martin Steiger explains: "In Switzerland, cooperation with authorities is the norm."

Key Findings

  • Payment data is the weak point: Credit card transactions via US services make anonymity revocable, regardless of encryption.
  • Mutual legal assistance works: Data access was completely legal and followed an international treaty – Proton could not refuse.
  • Lack of transparency: Proton complied in 94% of government cases in 2024 without resistance. Users are not notified.
  • Marketing vs. Reality: The advertised anonymity is a technical feature, not a guarantee against government identification.

Critical Questions

  1. Evidence/Sources: What evidence does Proton have for the allegations (shooting, explosives) that The Guardian's investigation questions? Were these allegations later confirmed in indictments?

  2. Conflicts of Interest: To what extent does Proton's dependence on US payment service providers (Chargebee) consciously or unconsciously affect its data protection policy?

  3. Causality: Does the low resistance rate (under 6%) reflect legal impossibility, strategic decision, or resource shortage at Proton?

  4. Feasibility: What technical alternatives exist for activists to make payments anonymously without using commercial providers like Chargebee?

  5. Side Effects: How does Proton's announcement to relocate infrastructure abroad (due to planned Swiss surveillance legislation) affect data security?

  6. Transparency: Why does Proton not actively inform users about government access, as US providers often do?


Sources

Primary Source: Proton User Identification by FBI Shakes Swiss Data Protection – heise.de

Supplementary Sources (from article):

  1. 404 Media – Original research on the FBI case
  2. The Guardian – Criticism of Proton's justification for data disclosure
  3. Proton Transparency Report 2024

Verification Status: ✓ 2024


This text was created with the support of an AI model. Editorial Responsibility: clarus.news | Fact-checking: 2024