Blocking ProtonMail: Why Banning Encrypted Email Is a Dangerous, Counterproductive Move

TL;DR:

The Karnataka High Court building in Bangalore. In April 2025, the Karnataka High Court delivered a startling order: it directed the Indian central government to block ProtonMail – a Swiss-based secure email service – across India​. This ruling came in response to a petition by a Bengaluru design firm after some of its women employees were targeted with obscene emails and AI-generated “deepfake” images sent via ProtonMail​. The single-judge bench of Justice M. Nagaprasanna issued a mandamus under Section 69A of the Information Technology Act, 2000, instructing authorities to initiate the process to block ProtonMail in India​. The court even ordered interim steps to block specific offending ProtonMail URLs until the full ban could take effect​.

This drastic measure did not emerge out of nowhere. It was the culmination of growing pressure on encrypted services following several high-profile misuse cases. The ProtonMail platform – known for its end-to-end encryption and used by millions worldwide – had earlier been blamed for facilitating hoax bomb threats and other unlawful communications in India. But is banning an entire secure email service justified? For privacy advocates like us, blocking ProtonMail is a dangerous and counterproductive overreach. It punishes law-abiding citizens and fails to stop determined criminals, who can easily migrate to other tools. In this post, we’ll explore the background of the ProtonMail ban ruling, revisit prior legal cases (from hoax bomb threats in Tamil Nadu to a Delhi High Court investigation), and explain why banning encrypted technology like ProtonMail sets a perilous precedent. We’ll also highlight ProtonMail’s own responses and emphasize that privacy is a right, not a privilege – and dismantling encryption harms everyone in society, not just the criminals authorities aim to catch.

From Bomb Threats to Deepfakes: The Road to ProtonMail’s Blocking

The Karnataka High Court’s order came on the heels of mounting incidents where ProtonMail was misused by bad actors, leading frustrated authorities to seek extreme solutions. One significant episode occurred in February 2024, when 13 schools in Chennai, Tamil Nadu received hoax bomb threat emails. Investigators discovered these terrifying (but ultimately fake) threats were sent through ProtonMail​​. Local police in Tamil Nadu tried everything to trace the perpetrator – from technical tracing to asking Interpol for help – but hit a dead end due to ProtonMail’s strong encryption and privacy protections​. As D. Ashok Kumar, a cybercrime officer in Tamil Nadu, lamented at the time: ProtonMail “will never share user information… We are unable to get IP addresses, mobile numbers… because the platform is end-to-end encrypted.”​ By contrast, he noted, mainstream providers like Gmail could readily furnish sender data to police when asked.

Stymied by the lack of immediate cooperation and anxious to prevent more fake threats, Tamil Nadu’s police “lost patience”. Mere days after the Chennai hoax, the state’s nodal cybercrime officer formally requested India’s IT Ministry (MeitY) to block ProtonMail nationwide​. In mid-February 2024, a meeting of the central government’s Section 69A blocking committee was convened, and it decided to issue an order to block ProtonMail in India​. Under Section 69A of the IT Act, MeitY can direct internet service providers to block access to online content or services on grounds including national security or public order​. The hoax bomb emails – though a criminal prank – had rattled officials enough that they sought to ban an entire email platform.

However, digital rights experts immediately warned that blocking ProtonMail would be an overreaction. It’s estimated that ProtonMail has over 100 million accounts globally, with users ranging from tech entrepreneurs and businesses to journalists and activists – people who rely on its security for legitimate reasons​. Blanket blocking of such a service would be “massively disproportionate”, argued Prateek Waghre of the Internet Freedom Foundation, noting that well-meaning users would “bear the brunt” while malicious actors simply move to another secure service. Indeed, knocking ProtonMail offline in India would likely only inconvenience ordinary users and professionals, while the next hoax email could just as easily come from a different encrypted platform (the Tamil Nadu officer himself admitted that other providers like “Alpha Mail” are also used on the dark web). It’s the classic whack-a-mole problem: you can ban one tool, but a clever criminal will quickly pop up elsewhere.

The ProtonMail ban attempt of 2024 ultimately did not go as authorities planned. ProtonMail’s parent company, Proton AG, pushed back hard against the proposed block. The Swiss-based firm publicly condemned the potential ban as a “misguided measure that only serves to harm ordinary people.” It argued that “blocking access to Proton… will not prevent cybercriminals from sending threats with another email service and will not be effective if the perpetrators are located outside of India.” In other words, the block would be a blunt tool that misses its target. ProtonMail also pointed out a critical legal fact: as a company headquartered in Switzerland, it is bound by Swiss privacy laws. Under Swiss law, Proton cannot hand user data directly to foreign authorities – Indian police cannot simply demand information from ProtonMail on their own​. Instead, any legitimate request for data must go through Swiss authorities via established international legal assistance procedures and be approved under Swiss law​. ProtonMail emphasized that it does not tolerate illegal use of its service – in fact, it routinely bans users engaged in unlawful activities and is willing to cooperate with investigations through proper channels​. But it was firm that it would not violate its users’ privacy or break encryption unilaterally just because a foreign government asked.

Crucially, the Swiss government itself stepped in to defuse the 2024 standoff. ProtonMail raised the issue with Swiss federal authorities, who then contacted their Indian counterparts to discuss the situation​. As a result of this intervention, the Indian government paused the immediate blocking of ProtonMail, and the service remained accessible through 2024. ProtonMail even published a March 2024 blog post reassuring users that it was “still available in India, despite [media] reports” of a ban. In that post, Proton reiterated a key point: blocking ProtonMail “simply prevents law-abiding citizens from communicating securely and does not prevent cybercriminals from… using another email service.”​ This outcome was a relief for privacy advocates. But it left something of a legal gray zone – the Indian government had considered ProtonMail “banned” on paper, yet in practice the ban was never executed, pending diplomatic talks and, presumably, a more measured approach.

Confusion and Alarm: ProtonMail in the Courts

This unresolved status of ProtonMail led to some peculiar moments in Indian courts. In October 2024, the Delhi High Court was hearing a habeas corpus case (a matter concerning a missing person) when an interesting detail emerged: the missing woman had been corresponding with her father using ProtonMail​. The Delhi Police, however, claimed in court that ProtonMail “is banned in India.” This prompted the bench to raise an eyebrow – if it was truly banned, how was she able to use it? The judges ordered the police and the Ministry of Home Affairs to “look into” how ProtonMail was still accessible to Indian users if it was supposedly prohibited​. The Delhi High Court essentially called out the discrepancy: on record, officials had stated ProtonMail was blocked “due to various unlawful activities,” yet clearly no effective ban was in place. This incident highlighted the ongoing confusion. It put pressure on the Union government to clarify ProtonMail’s status – and, if it intended to block the service, to actually enforce it. In response to the Delhi court’s queries, MeitY eventually acknowledged in early 2025 that ProtonMail had not been blocked yet under Section 69A, despite prior attempts, and remained operational in India​. Essentially, ProtonMail got a temporary reprieve thanks to Swiss intervention and the absence of a finalized blocking order.

Yet, the reprieve would not last. The Bengaluru firm’s petition in Karnataka High Court – spurred by a grievous harassment incident – brought ProtonMail back into the legal crosshairs. In that case, unknown harassers sent the firm’s female employees pornographic content and deepfaked images through ProtonMail, and the company found itself unable to identify the culprits due to ProtonMail’s anonymity​. Understandably outraged, the firm (M. Moser Design Associates) wanted to protect its employees and hold the senders accountable. Their petition demanded that authorities work with Switzerland to obtain the sender’s information and preserve evidence, but it also went further – urging that ProtonMail be banned outright to prevent future abuse​. This case tied together the threads from Tamil Nadu and Delhi: the petition explicitly cited the Chennai school bomb threats and ProtonMail’s prior “non-compliance” as justification, and noted that the platform had been under scrutiny before. In effect, the argument was: ProtonMail has been used for serious misdeeds and hasn’t cooperated; we need to shut it down.

Thus, by April 2025, the stage was set for the Karnataka High Court’s decisive ruling directing a ProtonMail ban. During the hearings, even the Government’s lawyer (the Additional Solicitor General) acknowledged the government’s limited power in extracting data from a Swiss service and suggested that the proper route was to have Indian courts request info from Swiss authorities via legal channels​. This aligns with what ProtonMail had maintained all along – use mutual legal assistance treaties, involve Swiss law enforcement, follow due process. Despite this, the High Court judge decided that a ban was warranted in the interim. The order to block ProtonMail under Section 69A was, in essence, the court saying: if ProtonMail cannot be regulated or forced to comply easily, it should be blocked entirely. The detailed reasoning behind the judgement was expected in a written order to follow​, but the immediate message was clear and alarming to privacy advocates: an Indian court had effectively endorsed outright censorship of an encryption-based service as a solution to cybercrime.

Why Banning Encryption is a Dangerous Mistake

The ProtonMail ban directive has sparked serious concern among internet freedom and privacy circles, because it exemplifies a broader impulse to “ban encryption” whenever it frustrates law enforcement. Encryption, however, is not the enemy – it’s a tool, like any other, and one that is essential for our security in the digital age. Blaming encryption for crime is like blaming locks on doors for burglary, or safe deposit boxes for money laundering. Yes, criminals might use these tools to conceal wrongdoing – they wear masks and gloves, they use locked rooms or safes to hide evidence – but we as a society would never respond by banning locks, outlawing safes, or forcing everyone to leave their front doors open. We intuitively understand that locks are crucial for honest people to protect themselves. The same is true of encryption: it protects our emails, messages, financial transactions, and personal data from falling into the wrong hands.

ProtonMail’s end-to-end encryption means that only the sender and intended recipient of an email can read its contents, much like only a keyholder can open a locked mailbox. This is a feature, not a bug. It ensures that sensitive communications – whether it’s a journalist talking to a source, an activist organizing a protest, or a business exchanging trade secrets – remain confidential and secure. Those are entirely legitimate, lawful uses that strengthen democracy and commerce. When authorities move to ban or break such encryption, they are effectively dismantling the locks and safes that everyday people use to keep their information safe. The result? Ordinary citizens are left more vulnerable – to hackers, to snooping, to identity theft, and to authoritarian overreach – while truly bad actors will simply find other ways to hide their tracks (or might even exploit the newly created vulnerabilities). As one observer bluntly noted during the 2024 debate, “malicious actors will simply use another service the next time” if ProtonMail is blocked​. The hoax bomb threat senders and the harassers won’t stop their crimes; they’ll just hop to another encrypted email provider, or use VPNs, or any number of evasive tactics. Meanwhile, millions of innocent ProtonMail users in India – including entrepreneurs, students, and professionals – would lose access to a trusted secure email service overnight.

There is also a slippery slope in normalizing such bans. Today it’s ProtonMail; tomorrow will it be Signal (which also use encryption)? In India, this isn’t a hypothetical fear – the government has already attempted to mandate “traceability” in messaging apps, effectively undermining encryption, through the IT Rules 2021 (a move being challenged in the Supreme Court)​. The ProtonMail episode thus fits into a larger pattern of pressures on encrypted services. Treating encryption itself as the problem sets a precedent that could erode privacy across the board. It’s a path toward constant surveillance and weakened security for all. The cost to civil liberties is high: journalists worry about protecting their sources, activists about the confidentiality of their strategies, lawyers and doctors about client and patient privacy. Even businesses fear that lack of secure communication will expose them to corporate espionage or harm their compliance with global data protection norms.

To be clear, no one is arguing that the crimes in question – fake bomb threats, harassment with explicit images – are not serious. They absolutely are, and law enforcement is right to investigate them vigorously. The frustration of Indian police is understandable: ProtonMail’s encryption made their job harder in these instances. But the solution is not to swing a sledgehammer at the technology itself. We don’t ban highways because getaway cars use them, and we shouldn’t ban secure email because a minority of users abuse it. The goal should be to catch and punish the perpetrators of those bomb threats and harassment emails, through smart policing and cooperation, without undermining the security infrastructure that protects everyone else.

Privacy Is a Right, Not a Privilege

At the heart of this debate lies a fundamental principle: privacy is a right, not a privilege granted by the state. In 2017, India’s own Supreme Court affirmed privacy as a fundamental right protected by the Constitution (Article 21 – right to life and liberty). This means that Indians have a right to private, secure communications – a sphere where they can speak, write, and think without undue intrusion. Services like ProtonMail, which provide encrypted email, are tools that help citizens exercise this right in the digital realm. Treating such tools as suspect or banning them outright runs contrary to the spirit of that Supreme Court judgment. It suggests that privacy is only for those who don’t “upset” law enforcement – which flips the idea of rights on its head. Rights are most important when they protect minorities or dissidents or inconvenient voices, not only when they align with government interests.

For many vulnerable groups, encryption is a lifeline. Think of investigative journalists communicating with whistleblowers about corruption; human rights defenders documenting abuses; political activists or minority community organizers coordinating peaceful demonstrations; even domestic violence survivors seeking help or advice online. These people are not hiding crimes – they are protecting themselves from harm or retaliation. They rely on secure email and messaging to do their jobs and to stay safe. Businesses and professionals too require privacy – a lawyer emailing a client, a doctor receiving lab reports, an entrepreneur discussing an R&D idea with a partner – all benefit from encryption to keep sensitive information confidential. The blanket banning of an encrypted service takes away this protective option from everyone, as if everyone’s privacy must be sacrificed because a few miscreants exploited the tool. It’s a classic case of curing the disease by killing the patient.

Indeed, the fallout of dismantling encryption would harm the entire ecosystem of trust on the internet. If users know their secure email isn’t so secure (because the government might be reading, or because it’s been weakened or could be shut off abruptly), they lose confidence in digital services. They may self-censor or avoid using online services for fear of surveillance or data breaches. Ironically, that can hurt economic growth in a digital economy and undermine cybersecurity. It’s worth remembering that encryption doesn’t only guard against government overreach – it also shields us from cybercriminals. Weakening encryption creates openings for hackers, scammers, and hostile foreign actors to exploit. So any policy that broadly attacks encryption can backfire spectacularly in terms of public safety.

A Better Path: Fighting Crime Without Breaking Privacy

What, then, is the alternative? How can governments address legitimate security concerns posed by criminals using encrypted platforms, without harming everyone else’s rights? The ProtonMail case offers a clear answer: through due process and international cooperation. ProtonMail has repeatedly stated (and demonstrated) that it will respond to valid legal requests via Swiss authorities​. Switzerland, like India, does not want its services abused for criminal ends. In cases of serious crime, Indian law enforcement can invoke Mutual Legal Assistance Treaties (MLATs) or other diplomatic channels to have the Swiss legal system review requests for information. If a ProtonMail account was truly sending bomb threats or harassing people, Swiss authorities can compel ProtonMail to hand over metadata or logs if the request meets legal standards (e.g. there’s sufficient evidence of a crime). In fact, ProtonMail is legally obligated to cooperate with Swiss law enforcement on such matters, and Swiss law allows assistance to foreign investigations that adhere to due process​. This process might take more time and effort than firing off an email to a Silicon Valley company, but it is how cross-border justice is done in a way that respects sovereignty and the rule of law.

The Bengaluru firm’s petition itself acknowledged this route, by calling for agreements between India and Switzerland to obtain the needed information. That is the right approach: use diplomatic and legal means to target the offenders, not the platform as a whole. It’s notable that during the Karnataka High Court hearing, the government’s lawyer suggested that Indian criminal courts could seek the data from Switzerland since a police complaint had been filed​. Unfortunately, that sensible suggestion was overshadowed by the court’s blocking order. Moving forward, one hopes that cooler heads in the government will indeed pursue the MLAT process to get whatever evidence is available about the ProtonMail-based crimes, rather than enforcing a ban that could cut off millions from a secure communication tool. The importance of proportionality in tech regulation cannot be overstated – the punishment (or preventive action) should not be worse than the problem itself. As Prateek Waghre of IFF emphasized, authorities must not take “disproportionate and ham-fisted” responses that sacrifice digital privacy for illusory gains in security​.

International precedent also shows that banning encrypted services is not effective. Russia tried blocking ProtonMail in 2020 after similar bomb hoaxes, only to find that threats continued via other means​. Other countries have attempted to ban messaging apps like Telegram or WhatsApp, usually with limited success (users find workarounds) and at the expense of citizens’ freedom. India, as the world’s largest democracy, should be setting an example of balancing security needs with civil liberties – not emulating the most heavy-handed tactics of authoritarian regimes. Working with tech companies, through legal channels, to address specific abuses is the balanced way. This could include developing faster MLAT processes for cybercrime, improving domestic investigative cyber capabilities (so fewer requests need to go abroad), and even engaging services like ProtonMail to explore if there are any creative solutions that don’t break encryption (for instance, sharing limited metadata under strict court orders). ProtonMail’s own policies show it does retain some metadata (like email timestamps and IP addresses of incoming messages) which could potentially aid investigations if obtained legally​. But none of this can happen if the service is simply kicked out of the country.

Conclusion: Don’t Kill Privacy – Protect It

The ProtonMail saga in India is a wake-up call about the value of privacy and the pitfalls of knee-jerk bans. It’s understandable that frightening incidents like bomb threats or malign uses of deepfakes spur authorities into action. Public safety is vital. Yet, we must remember that public safety includes the safety of our rights and data. Privacy and security are not mutually exclusive – they are complementary. You can have secure communications and effective law enforcement, but it requires patience, skill, and respect for due process, rather than broad censorship. ProtonMail being blocked would set a worrying precedent that any encrypted platform could be next on the chopping block whenever a criminal abuses it. This is why civil society groups, technologists, and even many in the business community are urging a rethink. They argue, persuasively, that **attacking encryption is a “cure” worse than the disease.

Ultimately, the fight against crime should not become a fight against technology that keeps us all safe. As users and citizens, we shouldn’t be forced to choose between personal privacy and national security – we can and must have both. The Indian High Court’s ProtonMail ban order is likely to be appealed or re-examined (a detailed order was still awaited, and ProtonMail’s fate may end up in higher courts or subject to government review). In the meantime, it’s crucial for the public to understand what’s at stake. This isn’t just about one email service; it’s about the principle that you have a right to secure, private communication. It’s about saying that we won’t throw out the lock because one person misused it – we’ll go after the one who picked the lock instead. Privacy is not the refuge of the guilty; it is the sanctuary of the individual. As the Indian Supreme Court eloquently put it, the right to privacy is intrinsic to life and liberty​ – and that must hold true in the digital world as much as in the physical one.

In the end, keeping ProtonMail accessible while pursuing criminals through lawful means isn’t about favoring one company or being “soft” on crime. It’s about upholding the values of a free and secure internet. A society that resorts to banning tools of privacy is a society that chips away at its own freedom. India’s challenge – and indeed the world’s – is to hold criminals accountable without treating every citizen as a suspect. Banning ProtonMail and other encrypted services won’t stop the criminals, but it will make the rest of us less free and less secure. That’s too high a price to pay. Encryption is our ally in the digital age, and we must defend it just as fiercely as we combat those who abuse it.

How to support Unshakled.org

If you’d like to support our work helping people access secure tools in the face of censorship,please support us:

Unshakled is a 501(c)(3) nonprofit dedicated to defending digital freedom through secure technologies, education, and advocacy.

References

• Indian Express – Karnataka HC orders blocking of ProtonMail (April 2025)
• Indian Express – Delhi HC questions ProtonMail availability (Oct 2024)
• Hindustan Times – Tamil Nadu police urge ProtonMail ban after hoax threats (Feb 2024)​
• Moneycontrol – Why India wants to block ProtonMail – expert views on disproportionate impact​
• Moneycontrol – Swiss authorities intervened to prevent ProtonMail block​
• TechCrunch – Indian court orders ProtonMail blocked; context of prior incidents​
• Electronic Frontier Foundation – Supreme Court of India: Privacy is a Fundamental Right (2017)​