\n<\/p>\n
The company behind<\/span> the Proton Mail email service, Proton, describes itself<\/a> as a \u201cneutral and safe haven for your personal data, committed to defending your freedom.\u201d<\/p>\n But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency. After a public outcry, and multiple weeks, the journalists\u2019 accounts were eventually reinstated \u2014 but the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place.<\/p>\n Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton\u2019s services as alternatives to something like Gmail \u201cspecifically to avoid situations like this,\u201d pointing out that \u201cWhile it\u2019s good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools most.\u201d Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions<\/a>.<\/p>\n Shelton noted that perhaps Proton should \u201cprioritize responding to journalists about account suspensions privately, rather than when they go viral.\u201d<\/p>\n On Reddit, Proton\u2019s official account stated<\/a> that \u201cProton did not knowingly block journalists\u2019 email accounts\u201d and that the \u201csituation has unfortunately been blown out of proportion.\u201d Proton did not respond to The Intercept\u2019s request for comment.<\/p>\n <\/p>\n <\/p>\n The two journalists<\/span> whose accounts were disabled were working on an article<\/a> published in the August issue of the long-running hacker zine Phrack. The story described how a sophisticated hacking operation \u2014 what\u2019s known in cybersecurity parlance as an APT, or advanced persistent threat \u2014 had wormed its way into a number of South Korean computer networks, including those of the Ministry of Foreign Affairs and the military Defense Counterintelligence Command, or DCC.<\/p>\n The journalists, who published their story under the names Saber and cyb0rg, describe the hack as being consistent with the work of Kimsuky, a notorious North Korean state-backed APT sanctioned<\/a> by the U.S. Treasury Department in 2023.<\/p>\n As they pieced the story together, emails viewed by The Intercept show that the authors followed cybersecurity best practices and conducted what\u2019s known as responsible disclosure: notifying affected parties that a vulnerability has been discovered in their systems prior to publicizing the incident.<\/p>\n Saber and cyb0rg created a dedicated Proton Mail account to coordinate the responsible disclosures, then proceeded to notify the impacted parties, including the Ministry of Foreign Affairs and the DCC, and also notified South Korean cybersecurity organizations like the Korea Internet and Security Agency, and KrCERT\/CC<\/a>, the state-sponsored Computer Emergency Response Team. According to emails viewed by The Intercept, KrCERT wrote back to the authors, thanking them for their disclosure.<\/p>\n A note on cybersecurity jargon: CERTs are agencies consisting of cybersecurity experts specializing in dealing with and responding to security incidents. CERTs exist in over 70 countries \u2014 with some countries having multiple CERTs each specializing in a particular field such as the financial sector \u2014 and may be government-sponsored or private organizations. They adhere to a set of formal technical standards<\/a>, such as being expected to react to reported cybersecurity threats and security incidents. A high-profile example of a CERT agency in the U.S. is the Cybersecurity and Infrastructure Agency, which has recently been gutted<\/a> by the Trump administration.<\/p>\n <\/p>\n