
Proton Mail Suspended Journalist Accounts At Request of Cybersecurity Agency (theintercept.com) 77

An anonymous reader quotes a report from The Intercept: The company behind the Proton Mail email service, Proton, describes itself as a "neutral and safe haven for your personal data, committed to defending your freedom." But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency. After a public outcry, and multiple weeks, the journalists' accounts were eventually reinstated -- but the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place.

Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton's services as alternatives to something like Gmail "specifically to avoid situations like this," pointing out that "While it's good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools most." Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions. Shelton noted that perhaps Proton should "prioritize responding to journalists about account suspensions privately, rather than when they go viral." On Reddit, Proton's official account stated that "Proton did not knowingly block journalists' email accounts" and that the "situation has unfortunately been blown out of proportion."

The two journalists whose accounts were disabled were working on an article published in the August issue of the long-running hacker zine Phrack. The story described how a sophisticated hacking operation -- what's known in cybersecurity parlance as an APT, or advanced persistent threat -- had wormed its way into a number of South Korean computer networks, including those of the Ministry of Foreign Affairs and the military Defense Counterintelligence Command, or DCC. The journalists, who published their story under the names Saber and cyb0rg, describe the hack as being consistent with the work of Kimsuky, a notorious North Korean state-backed APT sanctioned by the U.S. Treasury Department in 2023. As they pieced the story together, emails viewed by The Intercept show that the authors followed cybersecurity best practices and conducted what's known as responsible disclosure: notifying affected parties that a vulnerability has been discovered in their systems prior to publicizing the incident.
Phrack said the account suspensions created a "real impact to the author. The author was unable to answer media requests about the article." Phrack noted that the co-authors were already working with affected South Korean organizations on responsible disclosure and system fixes. "All this was denied and ruined by Proton," Phrack stated.

Phrack editors said that the incident leaves them "concerned what this means to other whistleblowers or journalists. The community needs assurance that Proton does not disable accounts unless Proton has a court order or the crime (or ToS violation) is apparent."

  • Is there a good one?
    • Re:Alternatives? (Score:5, Insightful)

      by OrangAsm ( 678078 ) on Saturday September 13, 2025 @12:15AM (#65657004)
      Yes, the one you run yourself.
      • Re: (Score:2, Funny)

        by Anonymous Coward

        Oh, yeah, great idea. Because nobody can figure out who you are when you are running your own domain with A records for your email server.

      • by Anonymous Coward

        Yes, and if done correctly it shouldn't be *publicly* available. I mean you *CAN* put your real name and address on the registrar, or you can have them cover it up for you. I'm not sure that having cloudflare or route53 hide the registrar info and running your own is more or less safe than protonmail. https://github.com/selfhostmail/selfhostmail [github.com] like this one even has wireguard and selinux built in to the build profile.

        BUT.....Most journalists probably don't have the ability to just run and maintain

        • doh - mx records HAVE to be public...have you even read the rfc? how do you think email works?
          • by gweihir ( 88907 )

            The person you responded to is an obvious incompetent. Yes, your DNS registrar can keep it private who you are. Until law enforcement comes with a warrant. Same for your data-center hoster or ISP. Running your own service can make you anonymous only with respect to the user population you have on your server. If that is one or a small number, forget it.

      • Re:Alternatives? (Score:5, Informative)

        by itsme1234 ( 199680 ) on Saturday September 13, 2025 @02:15AM (#65657114)

        Yes, the one you run yourself.

        That doesn't work, even if nominally email still works across providers and is all standard and everything you have nearly no chance to escape being blacklisted, no matter if you're coming from your ISP, or some hosted server basically anywhere.

        Plus, given that nearly nobody does it it's a chicken and egg problem, even if there is free software for everything it's absolutely daunting to have a complete working system. One would think these days you'd have a simple package running on a Raspberry Pi, heck even your router and give you all services with some minimal configuration like the DNS and similar. Nope, just the opposite, it's tricky and a big headache even for people that did it from scratch more than 25 years ago. Never mind for some journalist that doesn't even understand how email works beside being able to use some webmail from a provider.

        • Debian's postfix out of the box has mostly sane defaults.

          Problems are more or less the stuff you put around it, like webmail, or imap and brute force logins. Personally, mutt in ssh is best, but not for everyone.

          • by Anonymous Coward
            The problem is that spammers have absolutely ruined the ability of SMTP to work on the open internet. Mail sent from regular domains just gets spam-filtered or blackholed. Even if you have the domain expertise to get your system up and running, then you run into the problem that the mail server is very clearly tied to you. You need a confederate with no apparent connection to you to set everything up (and this would need to be set up in a special way to be police-raid resistant) and THEN you run into the pr
        • Re:Alternatives? (Score:4, Interesting)

          by fph il quozientatore ( 971015 ) on Saturday September 13, 2025 @06:01PM (#65658196)
          There are a few all-in-one "batteries included" solutions based on Docker. They include a mail server, webmail, automated letsencrypt, a web-based administration UI, and they tell you clearly which entries to put in your DNS. Personally, I've had a good experience with Mailcow Dockerized, but that's not the only option.
      • by allo ( 1728082 )

        Works really great to stay anonymous .....

        • Re:Alternatives? (Score:5, Informative)

          by Tony Isaac ( 1301187 ) on Saturday September 13, 2025 @10:15AM (#65657488) Homepage

          How so?

          You can spoof your own headers, but you can't spoof the headers added by the email servers you connect to. And the web is clamping down on unsigned emails, requiring DKIM, DMARC, and SPF in order to even relay messages to recipients. Major providers are quickly closing loopholes in these requirements. Your private server won't help you stay private.

          • Hackers have already found a hole in the system on Apple devices. They are using calendar messages (aka invites) with malicious content in the subject that use Apple as the sender. Headers are intact; thus bypassing that protection.

            I've seen a few of these in my inbox.

          • by allo ( 1728082 )

            By sarcasm. There is no way to send an anonymous mail from a server you rented yourself. That's why people choose providers like proton that (claim to) protect their data and allow them to send mail without traces to them attached.

            • Ah, sorry, missed the sarcasm.

              And I agree with your emphasis on services that "claim" to offer anonymity or privacy.

              Cryptocurrency was supposed to provide anonymous payment systems. And yet time after time, governments have succeeded in locating and confiscating funds held in crypto wallets by criminal organizations.

              Anonymity is always an illusion, or temporary at best. Most of us are anonymous *enough* because we don't matter enough to anyone, to entice them to spend the time and money to locate us. But if

              • the payment is anonymous (sort of) but the wallet is not, which is what gets confiscated.
              • by allo ( 1728082 )

                Yes, at some point you most likely need to touch something that can be connected to you. Payment is a very large part of the problem and the crypto coins that aim to solve that are rather unpopular, so there is no solution.

                The only viable option are the freemium privacy mail providers or donation based services, where the donations coming from accounts that do not have much to hide finance the mailbox of the whistleblower.

      • Re:Alternatives? (Score:4, Interesting)

        by Tony Isaac ( 1301187 ) on Saturday September 13, 2025 @10:11AM (#65657478) Homepage

        The trouble is, you can't just run your own email server yourself. You ultimately have to connect it to other email servers. The same authorities that can ask Proton to disable an account, can ask your ISP to disable your connection to the internet, or ask email providers to blacklist your emails.

      • The problem with running it yourself is that now all the security is on you.

        So let's say the authorities decide you're going down the river. They're going to seize your equipment with warrants and then they're going to take some professionally purchased cracking software and run it against your server.

        If you don't have everything patched and set up exactly right that software is going to go right in and get access to everything.

        The thing that I find surprising is the number of people who will si
      • Are you speaking from experience or aspiration?
  • Cause of course (Score:4, Insightful)

    by locater16 ( 2326718 ) on Friday September 12, 2025 @11:49PM (#65656986)
    If the for profit corporation is advertising how much more responsible of a corporation they are than the other corporations your first question should always be "if you like responsibility over profit so much, why are you a for profit corporation?"
    • by Monoman ( 8745 )

      Because they are willing to prioritize other things, like privacy, over profit. "For profit" does not have to be all or nothing. Unfortunately, some investors, shareholders, and leaders, are driven solely by profit.

  • Damn we are becoming tech illiterate as fuck.

    If you actually give a damn about security, encourage whistleblowers and journalists to get yubikeys and generate PGP keys and communicate that way. Encrypt e-mails.

    Signal offers a decent alternative for less painful secure communications. But PGP is definitively the way to go if you want to securely share information.
    • Encryption was not the issue here. Access to email was.

      And because some über-nerd is going to suggest it: running your own email server is not any sort of realistic option.

      • Re: Tech illiterate (Score:3, Informative)

        by getuid() ( 1305889 )

        Of course it is.

        They presumably work for a news agency, or any kind of organisation. As in: there's bound to be 1/4 a position somewhere to give to an admin to set up and run their email server.

        I get it that the average journalist can't do it... but c'mon, they also can't build a car, fly a plane, make paper, or install Windows. Yet they use cars, planes, notebooks and laptops all the time. And running an email server isn't Gandalf-style hi-tech, you know... Just f-ing pay someone to do it. Put them on your

        • Troll. If setting up an email server was so easy, every spammer would do it. I think in the 90s they did, and then popped up a slew of countermeasures that make it harder for a 1 off email server to pop up and join the mail network. I'm sure an expert will be along soon to put you in your place
          • by mattr ( 78516 )

            I run my own email server, just for myself. Dealing with SPF/DKIM was a pain and the unending spam/malware email has ruined it but not going to give it up yet.. But yeah gmail is my secondary. The modern threat landscape (not just email) is a bit much for a single person to handle as a hobbyist. And it does nothing to protect a relative who is not on your system from being scammed.

              I run my personal server too, without any secondary email address. (I do have corporate email addresses left and right, but I'm pretty much aggregating all on my private IMAP, and only using corporate SMTP to send in corporate roles.)

              And on average over the past 15 years I've had less downtime than any job related email server I've known, about on par with gmail (which was down a couple of times).

              It's complex and annoying, but it's a matter of knowledge, not of time investment. It's nowhere near a full time

        • by znrt ( 2424692 )

          As in: there's bound to be 1/4 a position somewhere to give to an admin to set up and run their email server.

          how does running your own email server work out when it is shut off from the network, which authorities have ample margin to do without even a court order, and is the equivalent of what was the case here? bullying proton to suspend an account is just as easy as bullying an isp to block your email server's ip.

          running your own email server might help with privacy, but will not guarantee access. only anonymity will do, given you're able of staying under the radar while still being able to reach a sensible numb

          • It doesn't.

            But in the current case there wasn't a governmental agency bullying anyone, it was a private entity as far as I understand the issue. Of a foreign nation at that.

            Not essential here, but my own server also runs within my own 4 walls so they'd have to bully an internet provider (not impossible, but more difficult) and/or a DNS TLD provider.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          I've run my own servers for decades. It's practically impossible because your servers will be banned, always, by someone somewhere. It's a CONSTANT fight with the primary providers: Microsoft, Google, etc that CONSTANTLY ban everything under the sun that isn't their servers. It's monopolistic and in decades no one has even considered doing anything about it.

          Google even takes it a step further and if your IP is somehow "suspect" you will be banned or at the least impeded on most of the entire internet. I gue

    • Re:Tech illiterate (Score:4, Informative)

      by rta ( 559125 ) on Saturday September 13, 2025 @01:25AM (#65657058)

      What are you addressing here?
      The problem is that Proton cut improperly suspended some email accounts, not that any were compromised or spoofed. So not seeing how PGP enters the convo.

      • the problem of having a 3rd party account vs their work email; specifically a news agency email account. FAR harder to get them to cave.

        The PGP is so anyone can email that corporate email account with the text encrypted.

    • That's good for dealing with snooping. This is an issue of a government squelching speech because it knows what servers to attack. Maybe a webmail provider that works through TOR would be better.

    • by tlhIngan ( 30335 )

      If you actually give a damn about security, encourage whistleblowers and journalists to get yubikeys and generate PGP keys and communicate that way. Encrypt e-mails.

      You do realize that doing this makes you a bigger target right? Sending encrypted emails back and forth is evidence a lot of governments use to determine nefarious intentions. And this has been true for decades, which is why journalists don't use PGP/GPG or other encryption system - it makes them a bigger target. Especially if they're filing rep

    • by jmccue ( 834797 )

      Do not know why you were down-voted. But you can create a fake gmail/yahoo/whatever account for one/short time use. Encrypt your article and name it article.doc then email it. Plus all communication is sent as attachments as a fake doc too.

      This will make people think it is a word doc and if they cannot "open" it they may think it is corrupted document and move on.

    Seems clear that they received a legal demand that included a non-disclosure provision. While there may not be a provision established by legislation for this in Switzerland, judges usually have a fair amount of freedom in writing injunctions.

    • by rta ( 559125 )

      Nope. no court order.
      Just normal notification from a CERT as they said so themselves.

      In support is also that the specific accounts were re-enabled as soon as the thing went viral on X. If it had been a court order they couldn't have changed direction so quickly.

  • This is "very concerning". I'm mulling moving from google universe to proton, exactly to get away from the possibility of random shutdown w/ no process or reason.

    Never imagined Proton does the same. That initial denial / defense on reddit is weak. I mean i appreciate that they made it at all, which most companies would not even say that much, but ... seems very tone deaf to not address the deactivations just because "someone said" and w/o asking the user first. (i'm not clear how long the accounts wer

    • by rta ( 559125 )

      Heh. forgot to read TFA. yeah, they banned the accounts, ghosted attempts to reinstate them for 3 weeks. Then only reinstated them AFTER complaints went viral on twitter.

      Has made no explanation since, though it's only been 3 days. This is... not exactly inspiring confidence.

    • Re: (Score:3, Interesting)

      and lets remember the CEO of Proton was all in for Trump. Because he *believed* Trump would break up Big Tech. lulz

      If he's that astute in other biz matters...be afraid, be very afraid

  • Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency.

    Any bets on if that "unspecified cybersecurity agency" was the one actually doing the hacking and it's a 3-letter agency? [Not UCA :-)] /CrazyNotCrazy

  • Neutral and safe (Score:4, Interesting)

    by Rosco P. Coltrane ( 209368 ) on Saturday September 13, 2025 @02:28AM (#65657132)

    Yeah, sure... [techstory.in]

    Is anybody surprised by this?

    I know Yen retracted his statement, but that's not good enough. I don't trust him like I wouldn't trust Elon Musk if he apologized for the Nazi salutes, because doing it once kills your credibility forever - or at least makes it exceedingly hard to prove you're not that person later on.

    Proton should have thrown Yen out immediately after that incident if they had wanted to preserve their reputation and they didn't. So I don't trust Proton.

    • Even if you believe the apology...

      He believed Trump would break up Big Tech...like, your judgement is wildly in question after that Mr. CEO.

    • by Slayer ( 6656 )

      Is anybody surprised by this?

      Proton should have thrown Yen out immediately after that incident if they had wanted to preserve their reputation and they didn't. So I don't trust Proton.

      I am glad, that you found a cancel mob's rationale to ditch Proton. Anyone using Proton should take a closer look at the Crypto AG story [washingtonpost.com]. If you think, that Swiss companies are neutral, humane and fair, then you will be in for a rude awakening, They're in it for the money, and if you are in the way, you're gone. Or betrayed. Or both.

  • Easy, lip service. It's your regular joe business in the end that doesn't actually give a hoot about what they sell themselves as.

  • Should governments be able to regulate those awful tech bros however they want to, or should we have the ability to choose digital privacy if we want?

    The Slash-geist seems to lurch dramatically between the two ...

  • Thanks but I'll keep using proton while the easily triggered blowhards waste energy here whining and pretend they're going to stop using it.
    • by rta ( 559125 )

      Thanks but I'll keep using proton ...

      until one day you try to log in and can't because they decided to shut you down and there's nothing you can do about it

    Proton's reputation is based on their privacy. Seems they willingly (or unwillingly) compromised their integrity.

  • to the article a few days ago about Switzerland, changing their policies, prompting proton to possibly move their servers to Europe

    https://yro.slashdot.org/story... [slashdot.org]
  • Fool me once, shame on you.
    Fool me twice, shame on me.
    Don't be fooled again!

    (Their claims were never believable, and have now been proven false. If you care, take your business elsewhere.)

  • E-Mail has never been secure. So their emails were found, authorities were concerned (probably) that the "news" story would compromise an investigation, and Proton followed the law.

    As others have noted, the email racket serves itself. A message from my Proton account was blocked by Outlook dot com, too much spam the denial message read.

    If you want to send a secure message, stay within a VPN or other encrypted email provider, like Proton to another Proton account, or try text -> encrypt -> zip. Of c

    • by ksw_92 ( 5249207 )

      You kind of missed the point of your own header: Email was never secure. Encryption of the contents doesn't help as SMTP can bounce all over the place, including through relays that bad actors have access to and keeps a record of where it's been, right in the header.

      Anyone needing real secure comms won't use email, regardless of how "bulletproof" the provider claims to be. Use something E2E like Signal. OSS E2E platforms are also significantly easier for people to set up and operate on their own vs. email. Hop

  • I have a paid Protonmail account. One of my reasons for choosing them was their avowed commitment to privacy, security, and fairness.

    I understand that mistakes happen; but suspending the accounts for weeks - without stating detailed reasons, and without responding to the account holders until after a huge public outcry - speaks of a major attitude problem. It's the kind of FOAD attitude that I associate with Google.

    I expected better from Proton, and if they don't come up with a sincere 'mea culpa' and a mor

  • so proton mail is for criminals only, not for journalists or activists
