Originally reported by Sam Bent
TL;DR
Research shows Proton Meet relies on infrastructure providers that comply with government data requests under the CLOUD Act, contradicting the company's marketing claims that "not even government agencies" can access user calls.
While concerning for privacy-conscious users, this represents a policy/transparency issue rather than an active security threat or vulnerability requiring immediate action.
Security researcher Sam Bent has published an analysis revealing a significant gap between Proton's marketing claims for Proton Meet and the service's actual infrastructure. According to Bent's findings, Proton Meet relies on infrastructure providers that remain subject to CLOUD Act compliance requirements, despite the company's stated goal of building the service specifically to escape such legal frameworks.
Proton's website explicitly promises that "not even government agencies" can access user calls through Proton Meet. However, Bent's research indicates the service depends on third-party routing infrastructure operated by companies that routinely comply with government data requests when legally compelled to do so.
The analysis suggests Proton has not disclosed these infrastructure dependencies in its privacy policy documentation, creating a transparency gap between the privacy protections it states and its operational reality.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act enables US law enforcement to compel US-based companies to produce data stored anywhere globally, regardless of local privacy laws. Bent's findings suggest that despite Proton's stated intention to build infrastructure outside this legal framework, key components of Proton Meet's operation remain within its scope through third-party providers.
According to the analysis, Proton's privacy documentation does not adequately disclose the involvement of these infrastructure providers in call routing and potential data handling. This represents a material omission for users making privacy decisions based on the company's public commitments.
The findings highlight the complexity of achieving true jurisdictional independence in modern internet infrastructure, where services often rely on multiple layers of third-party providers that may operate under different legal frameworks.