Privacy-focused email provider Proton Mail supplied payment-related subscriber data to Swiss authorities that was later shared with the FBI.
According to newly surfaced court records reviewed by 404 Media, this helped investigators identify the alleged operator of an anonymous email account linked to the “Stop Cop City” protest movement in Atlanta.
The Stop Cop City movement emerged in response to plans by Atlanta officials to build a large police and firefighter training complex in a forested area outside the city. Activists organized protests, legal challenges, and encampments in the forest to oppose the project. Law enforcement agencies have investigated the movement for alleged acts including arson, vandalism, and doxing.
An FBI affidavit supporting a search warrant showed that investigators obtained subscriber information for the Proton Mail address defendtheatlantaforest@protonmail.com through a Mutual Legal Assistance Treaty (MLAT) request sent to Swiss authorities.
The document states that on January 25, 2024, Swiss authorities provided information indicating that a specific individual was the payment source for the Proton Mail account, which investigators believed was associated with the Defend the Atlanta Forest (DTAF) group and the broader Stop Cop City protest movement.
The email address was allegedly listed as the primary contact on the Defend the Atlanta Forest Facebook page and appeared on a blog used to publicize protests and actions opposing the construction of a police training center near Intrenchment Creek Park in Atlanta.
According to the affidavit, authorities believed the person controlling the Proton Mail account likely had administrative access to the group’s blog, which published updates about protests and actions targeting contractors and infrastructure linked to the project.
The FBI affidavit cited in the report was authored by a Domestic Terrorism squad special agent and indicates investigators planned to execute a search warrant at Atlanta’s airport, after obtaining information about the suspected account holder’s travel plans.
Proton says data was provided under Swiss law
In a statement to 404 Media, Edward Shone, head of communications at Proton AG, said the company did not directly provide information to the FBI but instead complied with a legally binding order from Swiss authorities, which then shared the material through the MLAT process.
Shone emphasized that Proton operates under Swiss jurisdiction and only discloses limited data after Swiss courts approve a request.
He added that Proton accepts payments through credit cards, cryptocurrency, or cash, and that credit card transactions include payment identifiers that can allow investigators to identify the cardholder through the issuing bank.
According to the company, the request was reviewed under Swiss legal standards related to serious criminal allegations before the data was released.
Metadata risks
The case illustrates the long-standing distinction between encrypted content and account metadata. While Proton Mail cannot access users’ encrypted emails, it can possess limited information such as account creation data, payment identifiers, and optional recovery details.
Similar concerns surfaced in past cases involving Proton Mail, like a 2024 case where the service came under scrutiny for sharing IP logs, recovery email addresses, and external service data with the Spanish authorities, leading to the identification of a member of the Catalan independence organization, Democratic Tsunami.
That being said, the importance of operational security (OPSEC) when using encrypted services cannot be overstated. We recommend avoiding identifiable payment methods, limiting recovery information, and using network anonymity tools.
CyberInsider contacted Proton for additional comment regarding the latest court filings but had not received a response at the time of publication.
Leave a Reply