Proton says they can't read your email. But every email from outside Proton arrives in plaintext and Proton scans it for spam before encrypting it. During that window, they can read it. 'Zero-access' starts after they've already accessed it. Three activists trusted Proton with their lives. A French climate activist was arrested after Proton gave police their IP address. A Catalan independence activist was identified. The FBI got metadata in a protest investigation. Proton complied every time.
What they claim: Proton's marketing positions it as the safe choice for activists, journalists, and dissidents.
What we found: In 2021, French police arrested a climate activist after Proton provided their IP address via a Swiss-Europol mutual legal assistance request. In 2024, Proton provided metadata in a Catalan independence activist case. In 2024, the FBI obtained Proton account metadata in the Stop Cop City investigation. Three documented cases of activists arrested or investigated using Proton-provided data.
What they claim: Proton claims 'we do not log your IP address' on their marketing page.
What we found: Proton's privacy policy states IP addresses may be collected 'temporarily' and their transparency report confirms IPs are provided to authorities on request. The French activist case proves IPs are logged and can be handed over. Proton recommends using Tor or a VPN to avoid IP logging — meaning IP logging is the default they recommend you work around.
What they claim: Proton emphasises Swiss jurisdiction as a privacy advantage.
What we found: Proton's compliance rate with government requests is 94% (2024) — higher than Apple (85%), Google (80%), or Meta (88%). Government orders grew from 26 in 2017 to 11,023 in 2024 — a 423x increase. Proton's contest rate collapsed from 21.2% (2021) to 5.9% (2024). The Swiss privacy brand complies with authorities more readily than the Big Tech companies it claims to be better than.
What they claim: Proton Mail is positioned as a de-Googled alternative to Gmail.
What we found: Proton Mail Android uses Firebase Cloud Messaging (Google) for push notifications. Exodus Privacy has detected tracker SDKs in the Proton app. By contrast, Tuta Mail uses its own push relay with zero Google dependency and zero trackers on F-Droid. The 'alternative to Google' still depends on Google's infrastructure to notify you about new mail.
What they claim: Proton Mail markets itself as 'email that protects your privacy' with 'zero-access encryption'.
What we found: Incoming email from non-Proton senders arrives in plaintext. Proton processes this plaintext email for spam scanning BEFORE encrypting it at rest. During this processing window, Proton can and does read email content. 'Zero-access encryption' only applies after processing is complete — not during the spam scan that happens to every external email you receive.
What they claim: Proton Mail provides end-to-end encrypted email between Proton users.
What we found: Email subject lines are NOT encrypted — only the body. Metadata (sender, recipient, timestamps, subject) is visible to Proton and can be provided to authorities. By contrast, Tuta encrypts subject lines. Proton's E2EE protects content but the metadata tells the story: who you email, when, how often, and what it's about.