I can't read the full article because of the paywall, but duh? If you aren't paying physically or in crypto you can assume your government (and probably others!) already has that transaction on record, and to my knowledge those aren't totally secure either.
Bad opsec. Of course Proton will comply with court orders. It's your responsibility to not leave data they can hand over.
They shouldn't pretend to protect your privacy if they can't.
One time they did this, and only afterwards changed their website where it said they wouldn't log your info.
https://technologymagazine.com/cloud-and-cybersecurity/protonmail-under-fire-over-data-handover
Payments are very different. Any company is required to keep track of their finances; the tax authorities don't fuck around. If you electronically pay for something and expect anonymity, you are not very, um, educated. If you feel like you need their paid plans, pay cash and only ever access it through Tor running Tails. I feel like that's a reasonable level of opsec for most activists.
You know that, I know that, people here probably know that.
But out in the real world where people are doing real world activism and are concerned about real world problems, they don't necessarily know that. They are concerned about a whole lot of things that are not digital infrastructure and technology.
They should be able to trust a service that promises security and anonymity for payment. In particular one that is touted as well renowned.
Especially since other groups can manage it properly, e.g. Signal can't link transactions to a specific user account.
Yeah, there are plenty of services that manage exactly this. Most prominently VPNs, and Mullvad is battle-proven by the Swedish police department.
"Should" is doing too much work here. It's been doing too much work for our society as a whole. While I agree with your idealist sensibilities, I regret to inform you that this needs to stop: you cannot trust institutions built on corporate profit seeking. Like, that's just a hard no; it changes on a dime to seek profit somewhere else.
Hence the romanticism of migrating to Proton needs to be argued every time somebody brings it up. Obviously Proton VPN too is easily compromised. Teach people to spend their money on Mullvad or another service that is able to decouple payment from service account activities.
Seeing this comment downvoted in a privacy community is a little disheartening.
Comments like "If you electronically pay for something and expect anonymity, you are not very, um, educated" are technically true in a descriptive sense, maybe, but in a prescriptive sense the comment tells us "You should have known what we know. You didn't, and you deserve what you got for that."
It seems unhelpful to assume our knowledge is automatically universal, and not a result of some combination of luck and circumstance.
Indeed
But shouldn't it be encrypted on their servers?
Payment data? Never.
Technically stored encrypted, but they also have the keys
Honestly a case of "Well, duh".
Proton is for data privacy, not true anonymity. They'll keep your data safe from data collectors and the like, but they still have to comply with the law if they want to continue being a business.
So ofc if you pay for your Proton account by conventional means tied to your identity, then your details are tied to your account. Proton says as much on their website.
The only way around that is to use a service like Posteo that accepts posted cash or cryptocurrency - where they physically can't know who you are. But even then you're busted if you ever access that account without a VPN... which you would also have to pay for with cash or cryptocurrency, and hope to god they have a robust no-logs policy.
I'm still relatively new to Proton, but I thought I read early on that they would still have to comply with legal requests. I believed that their system was mostly in the realm of two secure accounts being able to hide the messages themselves. I use a card, so I am tied to my account. Does using whatever coin they take (if any) help with this? I remember reading they wanted to open more doors to alternate payment methods. I think it was to help privacy but also in large part so that they could still collect money if they ever get slapped down by other processors for making someone big mad for their privacy setup.
EDIT: I thought I had replied to something like this before. Found it. https://a.lemmy.world/lemmy.world/post/15148279 It seems to me that some just overestimate what the service is.
I can't read the article because it's behind a paywall, so I'll ask here: What information was handed over specifically? The IP address of when the account was created? The payment details? Unencrypted data? Login information? Device data? Something else?
They handed over payment info with the real name.
This is concerning for anybody who has ever paid Proton using a traceable method. If I have a free email address, but I paid for VPN on the same account five years ago, it sounds highly likely that Proton could give someone my name based on that half-decade-old payment.
Sounds like the best way to subvert this is to create a brand-new account and never submit payment info, but good luck creating a brand-new account without some extra identifier. From an older conversation among several people:
Proton does require a recovery email address if you sign up to a mail forwarding service or similar, right after creating the account. In that case the account remains locked...
In the article it says that that’s a one-time verification address. Though that leaves the question if/how long it’s stored.
Proton doesn’t allow you to use certain domains for recovery addresses... when I first joined Proton they wouldn’t allow me to set a duck.com or simplelogin.com or addy.io address as a recovery email.
Other comments point out how Proton isn't doing a great job of relaying privacy and security concerns to new users who may be unfamiliar with them.
ProtonMail without PGP only has encryption for other ProtonMail users.
Everybody seems to confuse privacy with anonymity. If Proton doesn’t comply with the law, Proton will cease to exist.