Proton Meet isn't what they told you it was

Scope of Proton Meet Privacy Concerns

  • Core claim: Proton markets Meet as avoiding US CLOUD Act exposure, but analysis shows it uses LiveKit’s hosted SFU infrastructure on US-based cloud (Oracle), with LiveKit subject to US law and FTC jurisdiction.
  • Several commenters argue this makes Proton’s marketing misleading, especially when framed as a “sovereign” or government-resisting solution.

LiveKit, Metadata, and Legal Exposure

  • LiveKit is said to act as an independent controller for call detail records under its own DPA, meaning it can respond directly to US law enforcement without involving Proton.
  • Unclear in the discussion: exactly what metadata LiveKit collects (IP addresses, participants, call timing, etc.) and whether any content is ever accessible.
  • Some note that the end-to-end encryption Proton claims (e.g., via MLS) should protect content, but concede that metadata (IP, who-called-whom, when) remains exposed and can be highly sensitive.

Broader Debate on Proton’s Trustworthiness

  • Critics cite prior incidents where Proton provided user data (IP, device, payment, recovery email, contact metadata) under Swiss court orders, including for activists, as evidence that its “safe haven for protestors” messaging overpromises.
  • Defenders respond that:
    • Any legal company must comply with valid warrants.
    • Proton encrypts content and minimizes stored data, so it still hands over less than mainstream providers.
    • Swiss law offers stronger baseline privacy; Proton often pushes back on overbroad requests.

Web Apps, Updates, and “Security Nihilism”

  • One line of argument: any web-based “E2EE” service requires trusting the provider not to serve a targeted, backdoored client; this weakens strong anonymity claims.
  • Others push back against “everything is compromised” fatalism, stressing threat models and incremental improvements (e.g., limiting mass surveillance even if targeted surveillance remains possible).

Alternatives and Self-Hosting

  • Some recommend self-hosted Jitsi or LiveKit for truly controlled infrastructure, while noting LiveKit self-hosting is operationally painful.
  • Other privacy-oriented ecosystems mentioned: Posteo, Tutanota, Disroot, Infomaniak; for high-risk users, self-hosting plus EU-based providers is suggested.

Site Presentation and Perceived Motives

  • Many complain the article’s animated, “LLM-like” page design is hostile to readers and undermines credibility.
  • A few speculate about coordinated negativity or “psyop”-like over-criticism of Proton; others insist the core issue is simply deceptive or overstated privacy marketing.