The pitch is simple and seductive: move to Switzerland, operate under strict Swiss privacy law, encrypt everything, and tell your users that even governments cannot touch their data. Proton AG has sold this story since 2014, growing from a CERN physics project into a multi-million user privacy empire that includes Proton Mail, Proton VPN, Proton Drive, and Proton Pass.
The story just got more complicated. Court records reviewed by 404 Media on March 5, 2026 show that Proton Mail handed over payment data tied to an email account associated with the "Stop Cop City" protest movement in Atlanta, Georgia. Swiss authorities received that data. They passed it to the FBI. The FBI used it to identify an activist who had gone to significant lengths to stay anonymous.
The encryption worked exactly as advertised. The email content remained private. What failed was the payment layer - the credit card or other billing information the user provided to pay for Proton's premium tier. That data was never end-to-end encrypted, and it cannot be: a card payment has to be readable by the payment processor and the card network to clear at all. And it was enough.
What Stop Cop City Was - and Why the FBI Cared
The "Stop Cop City" movement emerged in Atlanta around 2021 and 2022, opposing a $90 million law enforcement training facility planned for a forest southeast of the city. The movement drew national attention after the January 2023 killing of activist Manuel "Tortuguita" Teran by police during a forest clearing operation - the first recorded killing of an environmental activist by law enforcement in recent US history, according to reporting by The Guardian and multiple civil rights organizations.
Prosecutors treated the movement as a criminal enterprise. In September 2023, the Georgia Attorney General's office indicted 61 people under Georgia's RICO statute, a law written for organized crime. The legal theory: that coordinated protest activity constituted a racketeering enterprise. The ACLU and the National Lawyers Guild called the charges an unprecedented use of RICO against political dissidents.
Against that backdrop, activists sought out the most private digital tools available. Proton Mail appeared on nearly every recommended list: Signal for messaging, Proton for email. The logic was sound: end-to-end encryption means the provider cannot read your messages, and cannot hand over what it cannot read, because the keys exist only on your devices.
What no security checklist adequately emphasized: you still have to pay someone. And payment creates a trail that encryption cannot touch.
The Legal Mechanism: How the FBI Reaches Swiss Companies
Proton AG operates under Swiss law. Switzerland is not a member of the European Union and has its own distinct legal framework on privacy. It also has Mutual Legal Assistance Treaties - MLATs - with most Western nations, including the United States. These treaties create a formal channel through which US law enforcement can request that Swiss authorities compel a Swiss company to produce records.
The process is slow by design and typically takes months. The requesting country must show that the conduct under investigation is a crime under both its own law and Swiss law - the dual criminality requirement - before Swiss authorities will use coercive measures such as compelled production of records. Switzerland's reputation for not helping authoritarian governments comes partly from this filter.
But protest activity that US prosecutors frame as domestic terrorism, or charge as racketeering, has a ready Swiss counterpart: Switzerland has its own laws against criminal organizations and conspiracy, so such requests generally pass the dual criminality test. Once Swiss authorities approve the request and issue an order, Proton is legally required to comply. Under Article 271 of the Swiss Criminal Code, Proton cannot hand data directly to foreign authorities - it must go through Swiss channels - but the end result is the same.
"From time to time, Proton may be legally compelled to disclose certain user information to Swiss authorities, as detailed in our Privacy Policy. This can happen if Swiss law is broken."
- Proton AG Transparency Report, January 2026
What makes this case notable is what the data was. Email content was protected - encrypted, unreachable. Proton's transparency report states explicitly that "all emails, files and invites are encrypted and we have no means to decrypt them." Payment information is neither a file nor an email. It is account metadata, and account metadata - subscriber records, in legal terminology - is precisely the category most exposed to compelled disclosure, because it is the one category the provider can actually read.
The Numbers Proton Publishes - and What They Reveal
Proton publishes a transparency report that is more detailed than most tech companies bother to produce. The numbers are available on their website and updated regularly. The 2025 data tells a striking story.
[Chart: Proton Mail Legal Orders - Compliance by Year. The figures are summarised in the text below.]
For context: in 2018, Proton received 340 legal orders in total. By 2025 the annual count had reached 9,301. Compliance has grown even faster than orders: Proton complied with 4,920 orders in 2021 and with 10,368 in 2024. These are not fringe edge cases - they are a core feature of how the system operates.
The contested orders - the ones Proton pushes back on - represent a real commitment: 988 contested in 2025, 655 in 2024. Proton is not simply rolling over. Its legal team does fight requests that appear overbroad or legally deficient. But fighting and winning are different things. Subtracting the contested orders from the 2025 total leaves 8,313 of 9,301 complied with, a compliance rate of 89.4%: when Swiss authorities issue valid orders, Proton hands over what it has.
The critical question is: what does Proton actually have? The answer depends entirely on how you use the service. Free account: no payment data. Paid account using a credit card: your billing name, whatever card details Proton or its payment processor retains (at minimum the last four digits and a transaction reference), and potentially the IP address from when you signed up, if it was logged. Paid account via cryptocurrency: significantly less. Paid account via cash or money order: almost nothing. Most people pay with credit cards.
The Metadata Architecture of Surveillance
This is not a Proton-specific problem. It is a structural problem with how surveillance interacts with commercial privacy services. The legal doctrine that makes it possible is older than the internet.
The Third Party Doctrine, established by the US Supreme Court in cases including Smith v. Maryland (1979) and United States v. Miller (1976), holds that information you voluntarily share with a third party - a bank, a phone company, a service provider - carries no Fourth Amendment protection. You gave it to them willingly, the argument goes. You assumed the risk they might share it.
Digital privacy advocates have fought this doctrine for decades. The Supreme Court partially carved it back in Carpenter v. United States (2018), ruling that cell-site location data requires a warrant. But the core principle survives: your financial records, your subscriber information, the metadata attached to your account - all of it sits outside the strongest constitutional protections.
Encryption companies cannot fix this with better algorithms. The problem is not technical. It is legal. When you pay for a service, you hand over data that no encryption scheme touches, because it has to travel in plaintext through a payment processor or billing system to work at all.
The Stop Cop City activist who used Proton Mail presumably understood that their emails were safe. What they may not have fully grasped is that their email account was linked to a credit card that had a name attached to it, and that name is what the FBI was actually after. The encryption held. The envelope did not.
CBP's Advertising Data Gambit - A Parallel Story
The Proton case surfaced in the same week that 404 Media published another investigation: US Customs and Border Protection has been purchasing location data derived from the online advertising ecosystem to track people's movements. An internal DHS document obtained by 404 Media shows CBP using ad-tech data - the location signals that apps sell to advertisers - as a surveillance tool. ICE has bought access to similar products.
This is a different vector but the same underlying principle: the gap between what privacy tools protect and what they do not. Tor browser protects your web browsing. Signal protects your messages. Proton Mail protects your email content. None of them protect the location your phone broadcasts to every app with background location access, which then gets sold to a data broker, which sells it to a government contractor, which sells it to CBP.
The ad-tech surveillance pipeline has been documented by the EFF, the ACLU, and journalists at Vice's Motherboard (several of whom went on to found 404 Media) for years. Congress has failed to pass comprehensive data broker regulation. The American Data Privacy and Protection Act cleared the House Energy and Commerce Committee in 2022 but never got a floor vote and died with that Congress. The result: a legal commercial market for surveillance data that law enforcement agencies can shop without a warrant, because they are purchasing from a private company rather than compelling disclosure.
Put these two stories together - Proton's payment data and CBP's ad-data purchases - and a picture emerges. Modern surveillance does not require cracking encryption. It goes around it. It finds the seams: the payment processor, the app that tracks your location, the IP address logged when you create an account. Each data point alone might be harmless. Combined, they identify a person with precision that a wiretap could never match.
The FBI's New Tool: AI-Assisted Hacking
There is a third thread running through this week's surveillance news that deserves attention. At a conference on March 3, 2026, an FBI official stated in response to a question from 404 Media that artificial intelligence represents a "game changer" for what the bureau calls "remote access operations" - its internal term for hacking into target devices and networks.
The FBI already has legal authority under Rule 41 of the Federal Rules of Criminal Procedure to conduct remote access operations - essentially court-authorized government hacking. A 2016 amendment, Rule 41(b)(6), lets a magistrate judge issue a warrant for remote access to a computer whose location has been concealed by technological means, even when that computer sits outside the judge's district. The bureau used a remote-access warrant in the 2015 Playpen child exploitation sting (issued before the amendment, which is why its venue was litigated for years) and in multiple dark web market takedowns. What AI changes, according to the official, is the speed and scale of operations.
Traditional offensive cyber operations require skilled human operators working through targets manually - identifying vulnerabilities, crafting exploits, moving carefully to avoid detection. AI systems can automate reconnaissance, identify vulnerabilities faster than human analysts, and potentially personalize attacks at scale. A bureau that previously might hack dozens of targets in an investigation could theoretically hack thousands.
This capability, combined with the legal frameworks that already allow surveillance through MLATs and third-party data purchases, creates a layered system. The first layer is legal compulsion - get Proton to hand over what it has. The second layer is commercial data purchase - buy location data, financial data, behavioral profiles. The third layer is technical access - if the first two fail, hack the device directly. Encryption addresses none of these layers definitively.
The Timeline: Proton's Journey from Radical Privacy to 8,000 Annual Compliances
[Timeline: Key Events - entries not reproduced]
What Proton Actually Protects - and What It Does Not
None of this means Proton is lying. Their encryption claims are technically accurate. Their transparency reporting is more comprehensive than Google's, Apple's, or Microsoft's. Their lawyers do fight bad orders. They have designed a system that meaningfully protects email content from the most common forms of surveillance.
What they cannot do, and have never truthfully claimed they can do, is make you invisible. The gap between "we cannot read your emails" and "we cannot identify you" is vast. Law enforcement rarely needs your email content to build a case. What they need is your name, your location, your associations. That information lives in the payment layer, the IP logs, the account recovery settings, the recovery phone number you added three years ago and forgot about.
What Proton Protects vs. What It Does Not
- PROTECTED: Email content - end-to-end encrypted between Proton users and with PGP correspondents; mail from other providers arrives in plaintext and is encrypted on receipt, so Proton cannot read stored mail and cannot hand it over
- PROTECTED: Proton Drive files - encrypted client-side before upload
- NOT PROTECTED: Payment information - billing name, card data, transaction records
- NOT PROTECTED: IP address at account creation (unless you signed up over Tor or a VPN), and the IP addresses of future logins if Swiss authorities order Proton to start logging them for a specific account, as happened in the 2021 French activist case
- NOT PROTECTED: Account recovery email or phone number (if provided)
- NOT PROTECTED: Metadata of who emailed whom and when (subject lines, like sender and recipient addresses and timestamps, are not end-to-end encrypted)
- NOT PROTECTED: Subscriber records - account creation date, plan type, account status
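To make the protected/not-protected split concrete, here is an added example, not code from the article or from Proton, that parses a PGP/MIME message of the kind an encrypted provider stores and reports which fields the provider (or a court order served on it) can read without any key. Both sample messages are constructed for this example; the armored block is a placeholder rather than a real PGP packet, and the list of envelope headers is an assumption about which fields matter.

```python
"""Added example (not the article's or Proton's code): parse a PGP/MIME message
and show which fields are readable without a private key.

Both sample messages are constructed for this example. The armored block is a
placeholder, not a real PGP packet."""
from email import message_from_string
from email.message import Message

# Envelope headers a provider stores in the clear even when the body is
# end-to-end encrypted (assumed list for this example).
ENVELOPE_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

# Constructed sample 1: RFC 3156 PGP/MIME layout. Only the second MIME part is
# ciphertext; every header above the first blank line is plaintext.
PGP_SAMPLE = """\
From: organizer@example.org
To: volunteer@example.net
Subject: Meeting location for Thursday
Date: Thu, 05 Mar 2026 18:42:00 +0000
Message-ID: <a1b2c3@example.org>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="bnd"

--bnd
Content-Type: application/pgp-encrypted

Version: 1

--bnd
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDER+NOT+A+REAL+PGP+PACKET+JUST+BASE64+LOOKING+TEXT==
-----END PGP MESSAGE-----

--bnd--
"""

# Constructed sample 2: the same envelope with no encryption layer at all.
PLAIN_SAMPLE = """\
From: organizer@example.org
To: volunteer@example.net
Subject: Meeting location for Thursday
Date: Thu, 05 Mar 2026 18:42:00 +0000
Message-ID: <d4e5f6@example.org>
Content-Type: text/plain; charset="utf-8"

Meet at the forest trailhead at 7pm.
"""


def is_pgp_mime(msg: Message) -> bool:
    """True when the message uses the RFC 3156 multipart/encrypted layout."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def split_exposure(raw: str) -> dict:
    """Report what a provider can read without the recipient's key.

    'cleartext' holds the envelope metadata; 'body_readable' says whether the
    body is plaintext; 'ciphertext_bytes' is the size of the encrypted payload
    (length leaks, contents do not); 'body_preview' is the start of the body
    when it is readable."""
    msg = message_from_string(raw)
    cleartext = {h: msg[h] for h in ENVELOPE_HEADERS if msg[h] is not None}
    if not is_pgp_mime(msg):
        # No E2EE layer: the body is as readable as the headers.
        body = msg.get_payload(decode=True) or b""
        return {"cleartext": cleartext, "body_readable": True,
                "ciphertext_bytes": 0,
                "body_preview": body[:40].decode("utf-8", errors="replace")}
    control, encrypted = msg.get_payload()   # RFC 3156: exactly two parts
    armored = encrypted.get_payload()
    return {"cleartext": cleartext,
            "body_readable": "-----BEGIN PGP MESSAGE-----" not in armored,
            "ciphertext_bytes": len(armored.encode()),
            "body_preview": ""}


if __name__ == "__main__":
    for label, sample in (("PGP/MIME", PGP_SAMPLE), ("plaintext", PLAIN_SAMPLE)):
        report = split_exposure(sample)
        print(f"== {label} message ==")
        for header, value in report["cleartext"].items():
            print(f"  readable by provider: {header}: {value}")
        print(f"  body readable: {report['body_readable']}, "
              f"encrypted bytes: {report['ciphertext_bytes']}")
```

Run it and the report lists the entire envelope - sender, recipient, subject, timestamp, message ID - in the clear, with only the size of the encrypted body visible. The plaintext sample shows the other case: with no PGP/MIME layer the body is as readable as the headers. The subject and the addresses are exactly the metadata the list above marks as not protected, and they are what a subscriber-records order returns.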
The 2021 French activist case, in which Swiss authorities ordered Proton to start logging the IP address of one account and that address ended up with French police, pushed Proton to state plainly in its privacy policy that IP logging is off by default but can be switched on for a specific account under a Swiss order, and to promote its Tor onion site for signup. That was a genuine improvement in candour. But the payment data problem is harder. To offer a paid service that operates in the real economy, you need to process payments through real payment infrastructure. Anonymous payment options exist - cryptocurrency, cash, gift cards - but they create friction that most users don't bother with.
Proton has introduced privacy-preserving payment options over the years, including Bitcoin acceptance and plans that accept Monero. Their website documents how to sign up anonymously. But the default path - the one most of their estimated 100 million registered users follow - involves a credit card tied to a real identity. When law enforcement comes with a valid Swiss court order, that identity is what they find.
The Broader Lesson: Operational Security Cannot Be Outsourced
The Stop Cop City case illustrates a lesson that security researchers have been delivering for decades, with limited success: privacy technology protects specific attack vectors. It does not provide general anonymity. Using Proton Mail protects you from email interception. It does not protect you from financial metadata. Using Signal protects your messages. It does not protect you from a compromised device that logs your keystrokes before Signal encrypts them. Tor protects your IP address. It does not protect you from a de-anonymization attack via traffic correlation, browser fingerprinting, or - again - financial metadata.
Operational security, in the security community's terminology, is the discipline of managing what information leaks through each channel. It requires mapping every potential exposure surface and treating each one deliberately. "I use Proton Mail" is a technology decision. "I use Proton Mail, pay with Monero, sign up over Tor, and use an address with no connection to my real identity" is an operational security posture. The difference between the two is the difference between a protest organizer who gets identified and one who does not.
That burden is enormous. Most people cannot maintain that level of vigilance all the time. Human error is constant. The Tor browser might be closed before signing up for the account. The Monero might have been bought at an exchange that requires KYC verification, tying the withdrawal to a name. The "anonymous" email address might carry a recovery phone number registered to a real identity. Each failure creates a link that survives everything else.
Law enforcement understands this. The FBI does not need to break Proton's encryption. It needs one mistake. The MLAT request, the Swiss court order, the payment records - that chain of events works because it only requires the user to have made one conventional choice: using a credit card to pay for email.
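The chain of seams described above, and the three slips listed in the previous section (signing up outside Tor, buying Monero at a KYC exchange, adding a recovery phone number), can be modelled as a graph: every identifier value shared between two records is a pivot an investigator can cite in the next request, and de-anonymization is a path from the pseudonymous mailbox to any record that carries a real name. The following is an added example, not code from the article or from Proton or the FBI. The data sources (payment processor, card issuer, carrier subscriber record, Tor exit relay) and every record value are constructed for illustration, and the real_name field is simply the marker for an identity-bearing record.

```python
"""Added example (not the article's, Proton's or the FBI's code): model the
linkable identifiers around a pseudonymous account as a graph and search for
a path to a record that carries a real name.

Every data source name and record value below is constructed for this
example. A record with a 'real_name' field stands for any identity-bearing
record (card issuer, phone carrier, KYC exchange); real_name is the target of
the search and is never itself used as a join key."""
from collections import deque

ACCOUNT = "forest_defender@proton.example"   # constructed pseudonymous mailbox


def subscriber_record(**fields):
    """The provider's own subscriber record: the one thing a legal order
    served on the mail provider can actually return."""
    return ("proton_subscriber_record", {"account": ACCOUNT, **fields})


# Case 1: paid by credit card, signed up over Tor.
CARD_CASE = [
    subscriber_record(payment_ref="pay_7f3a", signup_ip="185.220.101.4"),
    ("payment_processor", {"payment_ref": "pay_7f3a", "card_pan_hash": "b3f1c2d9",
                           "billing_name": "J. Doe"}),
    ("card_issuer", {"card_pan_hash": "b3f1c2d9", "real_name": "Jane Doe"}),
]

# Case 2: paid with cash by mail, signed up over Tor, no recovery contact.
ANON_CASE = [
    subscriber_record(payment_ref="cash_0091", signup_ip="185.220.101.4"),
    ("cash_payment_log", {"payment_ref": "cash_0091", "postmark": "Zurich"}),
    ("tor_exit_relay", {"signup_ip": "185.220.101.4", "operator": "volunteer"}),
]

# Case 3: paid with cash, but a recovery phone number was added later.
PHONE_CASE = [
    subscriber_record(payment_ref="cash_0091", recovery_phone="+15555550123"),
    ("cash_payment_log", {"payment_ref": "cash_0091", "postmark": "Zurich"}),
    ("carrier_subscriber_record", {"recovery_phone": "+15555550123",
                                   "real_name": "Jane Doe"}),
]


def build_graph(records):
    """Connect any two records that share an identifier value.

    Returns {record_index: {neighbour_index: shared_field}}; the shared field
    is the join key an investigator would cite in the next request."""
    by_value = {}
    for idx, (_, fields) in enumerate(records):
        for key, value in fields.items():
            if key != "real_name":
                by_value.setdefault((key, value), []).append(idx)
    edges = {i: {} for i in range(len(records))}
    for (key, _), members in by_value.items():
        for a in members:
            for b in members:
                if a != b:
                    edges[a].setdefault(b, key)
    return edges


def deanonymize(records, start_source):
    """Breadth-first search from the record named start_source to the nearest
    record holding a real_name. Returns the hop list as
    [(source, field_that_linked_it_to_the_previous_hop), ...], or None when no
    identity-bearing record is reachable."""
    edges = build_graph(records)
    start = next(i for i, (src, _) in enumerate(records) if src == start_source)
    prev = {start: None}                 # index -> (previous index, join key)
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if "real_name" in records[cur][1]:
            path, node = [], cur
            while node is not None:
                link = prev[node]
                path.append((records[node][0], link[1] if link else None))
                node = link[0] if link else None
            return path[::-1]
        for nxt, key in edges[cur].items():
            if nxt not in prev:
                prev[nxt] = (cur, key)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for label, case in (("card", CARD_CASE), ("cash+tor", ANON_CASE),
                        ("cash+recovery phone", PHONE_CASE)):
        print(f"{label}: {deanonymize(case, 'proton_subscriber_record')}")
```

The credit card case resolves in two hops (payment reference, then card number) even though the signup came from a Tor exit. The cash-by-mail case with a Tor signup has no path at all: the graph is still connected, but nothing on it carries a name. The third case pays the same anonymous way and is still unmasked, by the recovery phone number alone - one conventional choice, as the text says, is enough.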
What Happens Next: A Surveillance Arms Race Without Clear Rules
The pattern visible this week - Proton payment data via MLAT, CBP buying ad-tech location data, FBI deploying AI for remote access operations - represents a surveillance infrastructure that has grown faster than the legal frameworks designed to constrain it.
Congress has not passed meaningful data privacy legislation. The American Data Privacy and Protection Act, which would have established baseline rules on data collection and brokerage, cleared committee in the House in 2022 but never received a floor vote, and has not been revived with enough momentum to pass. State laws like California's CCPA provide some protections for California residents, but they address commercial use of data, not law enforcement access.
The MLAT system was designed for major criminal investigations - organized crime, terrorism, financial fraud. It was not designed for the volume a single email provider now handles (Proton's 2024 figure works out to more than 28 legal orders a day, domestic and foreign-originated alike, all routed through Swiss authorities), or to be used against domestic protest movements. The expansion of RICO charges to political protest has created a legal category that unlocks MLAT requests at scale.
The LeakBase forum takedown this week - the hacking forum with 142,000 members and hundreds of millions of stolen credentials, shut down by FBI and Europol - shows that the same legal infrastructure works for operations that most people support. The same treaty frameworks, the same MLAT processes, the same international cooperation. The question is not whether this infrastructure should exist. The question is whether it should be accessible for protest monitoring at the same threshold as organized crime investigations.
For activists, journalists, and anyone else whose work depends on digital privacy, the lesson is blunt: no single product solves your threat model. Proton Mail is not a shield. It is one layer in a system that requires multiple layers, consistent practice, and clear-eyed accounting of what each tool actually does and does not protect. The encrypted message arrived safely. The envelope had a return address. That is the state of digital privacy in 2026.