Privacy-focused companies still have to follow the law
On March 5th, 404Media published "Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester", which generated a lot of discussion both online and in the comments of the article itself. This is a complex case, but I want to state some things before diving in. First, the headline appears to be quite misleading. Proton provided information about payment processing to the Swiss government after being legally compelled to do so. The Swiss government then provided the information to the United States FBI. At no point did Proton interact with the FBI directly, and saying that Proton helped them implies both intent and direct interaction. Second, Proton lays out methods to avoid this scenario, specifically the option to pay in cash, much in the way that it describes options for preventing IP addresses from being logged. The facts presented in the article are also not that novel: Proton (specifically Proton Mail) received 9,301 legal orders in 2025. It contested 988 and complied with 8,313.
Proton is a company: it makes good decisions and bad decisions, and by no means am I trying to say it is perfect. There are other options in the space, such as Tuta, toward which I have the same feelings (they make both good and bad decisions). What I believe is most important to take from this event, and from the article, is to understand the choices that all companies face.
Privacy and Anonymity are not the same
There is a great video by Privacy Guides that goes into why privacy and anonymity are not the same. The video defines the terms as follows:
Privacy: The assurance that your data is only seen by the parties you intend to view it.
Anonymity: The ability to act without a persistent identifier.
Anonymity is a lot harder to achieve than privacy: you have to keep two worlds (a digital identity and your actual identity) completely separate, never allowing the two to meet. For most people, that is an incredibly hard thing to do.
Most privacy-focused companies have mechanisms in place to limit the amount of data they can provide, usually through end-to-end encryption, thereby providing privacy. The company can ensure that this is functioning without any action from the user. Anonymity, on the other hand, is harder for the company to guarantee. As soon as you connect to any of their servers, you will have sent an IP address (whether that is your actual IP address or the IP of a proxy depends on how you choose to connect). There are specifics in Switzerland around how the law treats VPNs compared to other services, but broadly speaking, if you connect to a service you should assume the IP address you are coming from can be obtained.
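The split described above, between what end-to-end encryption protects and what a connection necessarily reveals, is easy to see in code. The following is an added example for this post, not code from Proton or any provider: a loopback TCP "provider" records the peer address of every connection and stores whatever bytes it receives, while the client sends a message encrypted with a key the provider never holds. The cipher is a stdlib-only HMAC-SHA256 counter-mode construction standing in for real E2EE (it is unauthenticated and exists only to make the stored blob opaque), and the function names `encrypt`, `decrypt`, `provider_view` and `demo` are this example's own.

```python
import hashlib
import hmac
import os
import socket
import threading


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream). Unauthenticated; demo only."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def provider_view(blob: bytes) -> dict:
    """Send `blob` to a loopback 'provider' and return what that provider could record."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    srv.listen(1)
    port = srv.getsockname()[1]
    record = {}

    def serve():
        conn, addr = srv.accept()  # addr is the connecting IP, available before any payload
        with conn:
            data = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        record["peer_ip"] = addr[0]
        record["stored_blob"] = data  # exactly what a subpoena could compel the provider to hand over

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(blob)
    t.join()
    srv.close()
    return record


def demo(plaintext: bytes = b"constructed sample message") -> dict:
    """Contrast the provider's view (metadata) with the user's view (content)."""
    key = os.urandom(32)  # user-held key; never sent to the provider
    view = provider_view(encrypt(key, plaintext))
    return {
        "peer_ip": view["peer_ip"],                                   # provider learns this
        "content_visible_to_provider": plaintext in view["stored_blob"],  # False: privacy holds
        "user_can_decrypt": decrypt(key, view["stored_blob"]) == plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the provider holding an IP address and an opaque blob: the content is private, but the connection was never anonymous, which is the same shape as the payment record at the centre of the article.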
Jurisdictions matter
Which jurisdiction a company operates in defines which laws and regulations it must follow. As such, there is a lot of debate around jurisdictions in privacy circles. Tuta has explained why it believes Germany to be one of the best legal systems to operate in, and Proton makes the case for Switzerland. When thinking about jurisdictions, there are two things to keep in mind. First, the analysis is dynamic; laws, governments, and regulations change all the time, and what might have been a stellar choice five years ago may no longer be a good pick. Second, there is no way to operate outside of the bounds of any law (and remain a lawful company), so lawful companies look to pick the least bad option[1].
As is evident in this case, the partnerships and relationships that a jurisdiction has also matter. If I set up a company in New Zealand, it is reasonable to assume that members of the Five Eyes will have easier mechanisms to request data than, say, Madagascar would. In contrast to a company that is served a valid legal order and may have limited or exhausted options for appeal, these intergovernmental agreements usually operate on a case-by-case basis. If one jurisdiction truly feels that a request goes further than it is comfortable with, it can attempt to push back.
Choices when faced with a valid legal order
When faced with a valid legal order to do something, both companies and individuals are presented with a choice—follow the order, or don’t. While that seems obvious, the consequences of taking the second option are often overlooked. If the order is refused, that is the last stand: the company is choosing to cease operating in that jurisdiction, and its employees and leaders face the possibility of civil or even criminal punishment. Note that this is distinct from contesting an order, in which a company may try to push back either informally, by writing a response to the agency that submitted the order, or by asking a court to block it. Contesting is still done within the legal system. The ability to contest depends on the mechanism that was used to serve the request, and may vary by jurisdiction.
There are moments, especially as we look throughout history, in which we have an expectation for a company to make that stand. Recently, companies like Signal have stated they would cease operating in the United Kingdom if particular laws were enacted. I simply want to emphasize the gravity of that choice: it really is a choice you can only make once, not on a case-by-case basis. If a company exits before the law is enacted, it can always return if the law is changed in the future. If a company defies a current law, punishments are likely to be more severe and immediate.
Why is all of this important
It is imperative to accurately convey what levels of privacy and protection are offered by a service, and what levels are not. Most individuals are looking for a simple answer when picking a privacy-focused service, namely: “will I be safe when using it?”. The next key question to ask is “safe from what?”. If using a service is illegal in my country (or I am conducting illegal activity through the service in an identifiable way), then I would want anonymity when using it. If I only care about the information stored with the service being protected, then I want privacy. When information about a user has been revealed, we need to consider the mechanism. Was the company breached at a technical level? Did someone inside the company leak the information? Did a legal order force the company to act? Each of these leads to a different answer about what to do next.
Illegal doesn’t always mean what someone is doing is morally bad, nor does something being legal guarantee that it is good, especially as we consider all the governments and legal systems around the world. This is part of the reason why laws change over time, as we evaluate what we want society to look like. However, expecting companies to defy the laws in the jurisdiction in which they operate is unrealistic, and on the whole would be a net negative.
[1] The same thing could be said about taxes: companies have to pay taxes somewhere, so they look to the country in which they believe they can pay the lowest taxes.