Proton Mail Suspended Journalist Accounts at Request of Cybersecurity Agency
The company behind the Proton Mail email service, Proton, describes itself as a "neutral and safe haven for your personal information, committed to defending your freedom." But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency.

After a public outcry, and multiple weeks, the journalists' accounts were eventually reinstated, but the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place.

Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton's services as alternatives to something like Gmail specifically to avoid situations like this, pointing out that while it's good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools the most. Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions.

Shelton noted that perhaps Proton should prioritize responding to journalists about account suspensions privately, rather than when they go viral.

On Reddit, Proton's official account stated that Proton "did not knowingly block journalists' email accounts" and that the "situation has unfortunately been blown out of proportion." Proton did not respond to The Intercept's request for comment.

The two journalists whose accounts were disabled were working on an article published in the August issue of the long-running hacker zine Phrack. The story described how a sophisticated hacking operation, what's known in cybersecurity parlance as an APT, or advanced persistent threat, had wormed its way into a number of South Korean computer networks, including those of the Ministry of Foreign Affairs and the military Defense Counterintelligence Command, or DCC.

The journalists, who published their story under the names Saber and cyb0rg, describe the hack as being consistent with the work of Kimsuky, a notorious North Korean state-backed APT sanctioned by the U.S. Treasury Department in.

As they pieced the story together, emails viewed by The Intercept show that the authors followed cybersecurity best practices and conducted what's known as responsible disclosure: notifying affected parties that a vulnerability has been discovered in their systems prior to publicizing the development.

Saber and cyb0rg created a dedicated Proton Mail account to coordinate the responsible disclosures, then proceeded to notify the impacted parties, including the Ministry of Foreign Affairs and the DCC, and also notified South Korean cybersecurity organizations like the Korea Internet and Security Agency and KrCERT/CC, the state-sponsored Computer Emergency Response Team. According to emails viewed by The Intercept, KrCERT wrote back to the authors, thanking them for their disclosure.

A note on cybersecurity jargon: CERTs are agencies consisting of cybersecurity experts specializing in dealing with and responding to security incidents. CERTs exist in over countries, with some countries having multiple CERTs each specializing in a particular field such as the financial sector, and may be government-sponsored or private organizations. They adhere to a set of formal technical standards, such as being expected to react to reported cybersecurity threats and security incidents. A high-profile example of a CERT agency in the U.S. is the Cybersecurity and Infrastructure Agency, which has recently been gutted by the Trump administration.

A week after the print issue of Phrack came out, and a few days before the digital version was issued, Saber and cyb0rg found that the Proton account they had set up for the responsible disclosure notifications had been suspended. A day later, Saber discovered that his personal Proton Mail account had also been suspended. Phrack posted a timeline of the account suspensions at the top of the published article, and later highlighted the timeline in a viral social media post. Both accounts were suspended owing to an unspecified potential policy violation, according to screenshots of account login attempts reviewed by The Intercept.

The suspension notice instructed the authors to fill out Proton's abuse appeals form if they believed the suspension was in error. Saber did so, and received a reply from a member of Proton Mail's Abuse Team who went by the name Dante.

In an email viewed by The Intercept, Dante advised Saber that their account "has been disabled as a result of a direct connection to an account that was taken down due to violations of our terms and conditions while being used in a malicious manner." Dante also provided a link to Proton's terms of service, going on to state, "We have clearly indicated that any account used for unauthorized pursuits will be sanctioned accordingly." The response concluded by stating, "We consider that allowing access to your account will cause further damage to our service, therefore we will keep the account suspended."

On August, a Phrack editor reached out to Proton, writing that no hacked data was passed through the suspended email accounts, and asked if the account suspension episode could be deescalated. After receiving no response from Proton, the editor sent a follow-up email on September. Proton once again did not reply to the email.

On September, the official Phrack X account made a post asking Proton's official account why Proton was "cancelling journalists and ghosting us," adding, "need help calibrating your moral compass?" The post promptly went viral, garnering over views.

Proton's official account replied the following day, stating that Proton had been "alerted by a CERT that certain accounts were being misused by hackers in violation of Proton's Terms of Service. This led to a cluster of accounts being disabled. Our team is now reviewing these cases individually to determine if any can be restored." Proton then stated that they "stand with journalists" but "cannot see the content of accounts and therefore cannot reliably know when anti-abuse measures may inadvertently affect legitimate activism."

Proton did not publicly specify which CERT had alerted them, and didn't answer The Intercept's request for the name of the specific CERT which had sent the alert. KrCERT also did not reply to The Intercept's question about whether they were the CERT that had sent the alert to Proton.

Later in the day, Proton's founder and CEO Andy Yen posted on X that the two accounts had been reinstated. Neither Yen nor Proton explained why the accounts had been reinstated, whether they had been found to not violate the terms of service after all, why they had been suspended in the first place, or why a member of the Proton Abuse Team reiterated that the accounts had violated the terms of service during Saber's appeals process.

Phrack noted that the account suspensions created a "real impact to the author. The author was unable to answer media requests about the article." The co-authors, Phrack pointed out, were also in the midst of the responsible disclosure process and working together with the various affected South Korean organizations to help fix their systems. "All this was denied and ruined by Proton," Phrack stated.

Phrack editors declared that the situation leaves them "concerned what this means to other whistleblowers or journalists. The public needs assurance that Proton does not disable accounts unless Proton has a court order or the crime (or ToS violation) is apparent."