Proton Mail, the Swiss encrypted email company, briefly shut down two journalists’ accounts linked to their reporting on a high-profile cybersecurity breach in South Korea before restoring access after an outcry and an internal investigation.
The case illustrates the complex trade-offs cold war encrypted services have to navigate between fighting abuse and safeguarding press freedom.
Reporting from The Intercept, citing statements from the parties involved, showed that the journalists had established a dedicated Proton Mail address to handle responsible disclosures involving an investigation of an advanced persistent threat targeting South Korean government networks, including diplomatic and defense organizations. That disclosure inbox was suspended soon after the story ran, and a reporter who posted to it saw his personal Proton account get suspended as well.
Phrack, a longtime hacker publication that covered the investigation, publicly confronted Proton with the challenge: Why had the company “canceled” journalists? Proton replied that it had been notified by a national Computer Emergency Response Team (CERT) of some accounts being misused by hackers in contravention of its terms of service. Proton’s chief executive later confirmed that the accounts were restored, stressing the company’s commitment to journalism and noting that end-to-end encryption can make it difficult for Proton to distinguish between nefarious activity and legitimate activism or reporting when anti-abuse systems are triggered.
How an Encrypted Email Service Gets Abused
End-to-end encryption makes Proton unable to access message content either. But that privacy promise doesn’t prevent the service from seeing — and therefore detecting — behavioral signals that something is wrong; a sudden flurry in mail traffic, bot-like login habits or reports from verified security teams indicating an account might be working to advance phishing, malware or coordination efforts. A CERT notification commands respect: In South Korea, KrCERT/CC, which is operated by the Korea Internet & Security Agency, is analogous to the Cybersecurity and Infrastructure Security Agency (CISA) in the US.
When a platform receives credible evidence of abuse, it may want to follow ready-fire-aim, temporarily suspend and investigate to minimize potential harm. That model shields victims, but could trap journalists, researchers and even activists whose work puts them in the blast zone of threat traffic — think unsolicited files, weaponized links or mass tip-offs that look like spam or command-and-control chatter. Proton’s public policy is to disable accounts associated with manifest violations of policy — or legal orders issued under Swiss law — and to report those actions through transparency reports.
The South Korea APT Context
Advanced persistent threats tend to penetrate numerous agencies and loiter quietly, using spear-phishing and stolen credentials. Reporters in covering such operations typically establish special disclosure inboxes where researchers can forward indicators of compromise, sample payloads as well as victim notifications. Ironically, that avalanche of suspect artifacts can throw automated defenses or lead to warnings from third parties to platforms — particularly when hackers try to poison the channel by posing as researchers or overwhelming it with hostile traffic.
In that sense, the chain of events here—the investigation, a published story, CERT alert and account suspensions and reinstatement—all look like a classic case of operational security versus editorial effort coming into direct contact with each other. It also serves as a reminder why newsroom security playbooks increasingly treat communications infrastructure as a beat: when reporting gets sensitive, your inbox can start to resemble crime scene.
Press Freedom vs. Platform Risk Mitigation
Encrypted services cater to tens of millions of people, including whistleblowers and investigative reporters. They are also frequent recipients of state-sponsored blocks and pressure campaigns by states that view robust privacy as an impediment; in the past, Proton has been limited in countries with strict internet controls. Advocacy groups like Reporters Without Borders and the Committee to Protect Journalists have long warned that heavy-handed moderation or legal compulsion can suppress newsgathering by putting source protection at risk.
The Proton case comes amid a broader policy battle over encrypted communications. The call for exceptional access to data continues from law enforcement bodies, arguing that this raises the security for everyone. Ongoing debates in the U.K., European Union and elsewhere about scanning or “safety” mandates for encrypted services, as well as high-profile flip-flops on client-side scanning proposals, demonstrate just how open to interpretation this terrain is.
What This Means for Newsrooms and Researchers
Events like this should serve as motivation to diversify sources of secure communications. There are many who couple end-to-end encrypted email with something like SecureDrop, or PGP keys or vetted messaging apps and clear public instructions for sources. Whilst segmenting disclosure inboxes, issuing paid organization tiers for vetted contacts and having direct escalation lines to providers’ trust and safety teams could mitigate downtime in instances that automated defenses fail.
For Proton, a quick reinstatement helped to minimize the damage. But the episode underscores a harsh reality: even privacy-first platforms are forced to take action on credible signals of abuse, sometimes no matter what the fallout is for legitimate journalism. The gauge of trust will be in how consistently providers communicate; how swiftly they make corrections; and how transparently they report interventions that impact reporters and sources.
