Proton, the Swiss encrypted email provider, has reinstated access to two suspended accounts after a public outcry over whether the suspended users were in fact journalists responsibly reporting on cybersecurity or hackers who broke the service’s rules. The about-face came after days of criticism from security researchers and press-freedom advocates, and a rapidly evolving debate over how encrypted services can police abuse without chilling investigative reporting.
What sparked the suspensions of the Proton accounts
The accounts were owned by the authors of a much-discussed story on an advanced persistent threat (APT) actor that had targeted South Korean government networks, as well as the Ministry of Foreign Affairs and military’s Defense Counterintelligence Command. The researchers set up a fresh Proton address to manage any responsible vulnerability disclosures associated with the story, which eventually landed in the venerable hacker zine Phrack.
About a week after publication, the disclosure inbox was closed down while one co-author’s personal Proton mailbox also was shuttered. Phrack editors publicly hounded Proton on X and the takedown. Proton responded that it had received notice from a computer emergency response team (CERT) that the accounts were being abused by hackers and took action under its terms of service.
After the pushback, Proton restored the accounts and said that its anti-abuse systems can override legitimate activity because it cannot see message content by design. But it argued that the underlying signals were consistent with those of hacking events, not journalism.
Journalism, research and the ‘hacktivist’ label
At the heart of the matter is a challenging trade-off: Responsible security research and reporting routinely involves interacting with compromised infrastructure, testing proof-of-concept exploits, and privately informing victims—a set of activities that may look like malicious operations to automated defenses. CERT alerts play a critical role as a backstop for global incident response, but they are also broad signals that do not always provide context.
Phrack’s involvement added fuel. The publication, born out of the 1980s hacking scene, regularly features deep technical analysis. But critics said such a punishment for publication would have the effect of dissuading contributors from disclosing research that could protect certain vulnerable populations. Proton’s initial position was defended by supporters, who argued that intention is not important so much as actions where tools were employed to gain access to systems without alternatives.
Groups including the Committee to Protect Journalists and the Electronic Frontier Foundation have long warned that blurring investigative work with illicit intrusion can stifle coverage of state-sponsored APTs and critical vulnerabilities. Their advice to newsrooms stresses clear documentation, limited testing on non-production systems and active engagement with impacted organisations or national CERTs.
How the Proton model and Swiss law affect decisions
End-to-end encryption for Proton means that the company cannot read emails; it can still work based on metadata, usage habits and trusted reports of abuse. It is under Swiss jurisdiction, and the company often points out that this means it cannot be compelled by a foreign legal authority — absent cooperation from the Swiss government. This situation is not unlike when Proton, the only known case provided as an example of resistance to authority and the subject of a blog post on Above the Law last year, was forced by a Swiss court order to record a user’s IP address in connection with an investigation into French climate activism, showing that few providers are immune from legal process.
Proton claims to have tens of millions of accounts across mail, VPN and storage, as well as transparency reports which reveal a constant increase in such requests over the past few years. The service has also been blocked in countries such as Russia and Turkey, highlighting its prominence in censorship and privacy battlegrounds. Numerous newsrooms and tip lines operate on Proton precisely because its infrastructure restricts the amount of content exposed over source communications.
Why the reinstatement matters for journalists and researchers
Restoring the accounts should dampen concerns in the short term, but the incident opens a broader governance challenge for secure platforms: how to respond nimbly to credible signals of abuse without accidentally punishing public-interest reporting. Press-freedom groups cite a tangible chill. Studies by groups like Reporters Without Borders and UNESCO have found that the risks of being put under surveillance drive sources into the shadows and prompt journalists to close or abandon sensitive investigations.
The stakes are equally high for security researchers. When done well, coordinated vulnerability disclosure—the kind typically mediated by CERT teams—can mitigate real-world harm. When signals that indicate a breach also signal research and journalism, the entire defensive ecosystem can suffer from too few warnings, slower patches, noisier incident response.
What could change next for Proton and its abuse reviews
Proton said it would reassess its anti-abuse workflows and appeals mechanism. Experts recommend a number of concrete changes:
- Optional verification paths for newsrooms and established researchers
- Clearer carve-outs for responsible disclosure inboxes
- Independent ombuds reviews on disputed suspensions
- More granular transparency reporting around account restrictions and reversals
On the user side, journalists and researchers can mitigate these risks by coordinating through a national CERT like KrCERT/CC in South Korea or US-CERT, documenting their contacts and keeping their operational tooling separate from other communications accounts. Those measures are no guarantee against getting caught up in an automated takedown, but they do establish an audit trail that can hasten reinstatements if a dispute arises.
The bottom line: Proton’s reinstatement accepts that there is a gray zone between hacking and reporting. In an environment of increasing APT activity and state pressure on encryption around the world, secure communication platforms will now be assessed not just by how well they block abuse but also how closely they protect public interest work that holds governments and powerful actors to account.
