The Proton Blog

How an activist infiltrated two US militias and covered his digital tracks

Kate Menzies — Wed, 22 Apr 2026 18:56:00 GMT

For two years, a lone activist went undercover inside two domestic terrorist organizations in the United States, rising through the ranks to try to gain intel and leak it to the media. His goal was ultimately to weaken them and bring them down.

This mission was life or death: To undertake it and come out alive, he had to take extreme digital privacy measures. In the first episode of our new series, Witness Protection, the activist gave us an exclusive inside account of how he infiltrated the organizations and the complex techniques he used to stay safe.

Since the attack on the United States Capitol on January 6, militias have increasingly attracted Americans radicalized by what they saw as an attempt from the Democratic party to steal power. Groups all over the country mobilized, planning to use coordinated intimidation and violence to bring about their political aims.

Two of the most notorious of these far-right militias were American Patriots Three Percent (AP3) and the Oath Keepers, both classified as domestic terror organizations by several monitoring organizations including the Anti-Defamation League. His goal was to take senior positions within the militias, stealing and exfiltrating intelligence which could then be shared with media outlets.

Proton Mail played a crucial part in his strategy, allowing him to communicate safely with journalists using a covert technique known as foldering. Sharing the login credentials for a burner Proton Mail account, he would save messages as drafts, never actually sending them. The recipient could then log in to the account, read the draft, and delete it. No communications ever had to be sent.

After successfully infiltrating AP3 and the Oath Keepers, fracturing the groups and sending them partially underground, he’s still operating in the field today. We went to extraordinary lengths to conceal his identity, using a blackout helmet, jumpsuit and gloves, and voice changer to hide any identifying details.

Watch the video here:

The rise of age verification: What governments, platforms, and devices are changing

Edward Komenda — Wed, 22 Apr 2026 15:35:49 GMT

Age verification is becoming a standard part of how people access online services. What began as a policy tool aimed at restricting children’s access to certain content is now moving through platforms, devices, and national identity systems.

Given the profound implications for personal privacy, Proton has been covering this shift from multiple angles: how laws are written, how companies implement them, and what happens when identity checks become embedded in everyday digital infrastructure.

What age verification actually means

Age verification is often described as a simple safeguard to confirm whether someone is old enough to access a service. In practice, the term covers a wide range of systems, from self-declared birthdates to government ID checks and third-party identity services.

The gap between the language and the implementation matters. As these systems expand, verification often involves collecting more personal data than people may expect, including official identification documents or biometric signals.

How age verification laws are expanding

Governments in multiple regions have introduced or proposed laws requiring platforms to verify user ages before granting access to certain types of content or services. These policies are typically justified as child protection measures.

Our reporting has focused on what happens after these laws are implemented. Requirements tend to expand over time, and enforcement often pushes platforms toward more invasive forms of identity collection. In some cases, access to online services becomes tied to verification systems that were not originally part of the product design.

There are also broader effects. As verification becomes more common, it can affect how people access information online, including content that is not restricted but still routed through systems that require identity checks.

What happens after age-verification laws take effect

Age verification on platforms

Platforms have begun introducing age verification systems globally in response to regulatory pressure. Discord, for example, introduced a “teen-by-default” verification approach in parts of its service.

These systems require people to confirm their age before accessing certain features or content. The process often depends on external verification providers or identity submission.

The security implications became more visible after a breach involving age verification data exposed tens of thousands of government IDs submitted through a platform integration. The incident highlighted the risks associated with centralizing identity documents for access control.

70,000 government IDs leaked in Discord data breach

Age checks moving into operating systems

Age verification is no longer limited to individual apps or websites. It is increasingly being integrated into operating systems and device-level settings.

When verification moves to the OS layer, it changes how access control works. Instead of each app handling verification independently, the operating system can act as the gatekeeper for age-related permissions across services.

Apple has begun introducing age-related verification features in the UK, where regulatory pressure has increased. This shifts part of the responsibility for identity checks from apps to device manufacturers.

Apple’s UK age verification brings identity checks to the iPhone

Digital identity systems and national policy

Governments are moving toward broader digital identity frameworks that could be used across services, not just for age checks.

The UK’s proposed digital ID system is one example. It is framed as a way to streamline access to services and improve verification processes. Critics have raised concerns about scope expansion and the potential for identity systems to become embedded in everyday online activity.

Australia has also introduced policies affecting how people access social media, with implications for identity verification and platform compliance. While these measures are focused on specific harms, they contribute to a broader trend toward identity-linked access control.

Australia’s world-first social media ban: Why the ban might be even worse for privacy

Security risks in real-world systems

Age verification systems rely on sensitive personal data. In many cases, that includes government-issued identification or biometric information.

Security incidents have already shown the risks involved. An age verification application used in the EU was compromised shortly after release, raising questions about how quickly these systems can be attacked once deployed. Other breaches involving platforms using identity checks have exposed large volumes of personal data.

These events point to a structural issue: Systems designed to verify identity also create high-value targets for attackers.

Alternatives to identity-based verification

There are approaches that attempt to confirm age without requiring full identity disclosure, such as on-device estimation techniques and systems designed to minimize data sharing with third parties.

These models are still developing and are not widely adopted in regulation. Most current laws and implementations rely on identity verification or equivalent methods that require personal data submission.

Where this shift leads

Age verification is increasingly embedded across multiple layers of the internet, from legislation to platforms to operating systems. Each layer introduces its own implementation, but the overall direction is consistent: more online access is being tied to identity checks.

The practical result is a shift in how privacy, anonymity, and access coexist online. Systems designed for targeted protections are expanding into general infrastructure.

This collection of reporting tracks that progression as it continues to unfold.

The EU’s age verification app was hacked in two minutes

Edward Komenda — Mon, 20 Apr 2026 17:58:03 GMT

On Wednesday, the European Commission unveiled a mobile app designed to let people prove their age online without sharing personal data with platforms. EU officials said the app was ready, met the highest privacy standards, and pointed to its open-source code as proof of transparency.

Within hours, however, security researchers began picking apart the open-source code. By Thursday, security consultant Paul Moore had bypassed the app’s protections in under two minutes.

Others confirmed his findings. The app’s rate-limiting controls were stored in an editable file, biometric authentication could be turned off with a simple configuration change, and sensitive credentials were accessible without secure hardware protection.

The Commission played down the findings, calling the release a demo version. Both Moore and French cryptographer Olivier Blazy pushed back, telling Politico they were testing the latest version of the code when they found the flaws.

Later, the Commission said the issue was fixed, but the incident still shows how vulnerable these age verification systems are.

What EU’s age verification app does and what went wrong

EU’s age verification app lets people verify their age using a passport, a national ID, or a trusted provider like a bank. Platforms can then ask the app to check if someone is over a certain age without accessing the underlying personal data, also known as zero-knowledge proof.

The implementation undermined that design. EU’s age verification app stored an encrypted PIN in an editable configuration file on the device, separate from the identity vault that keeps sensitive data. By deleting a few values and restarting the app, an attacker can set a new PIN while reusing credentials from a previous profile.

The rate-limiting controls that prevent repeated guessing were stored as a simple counter in the same file, one that can be reset to zero, erasing any record of failed attempts. Biometric authentication was controlled by a single boolean flag; switching it from true to false skipped the check entirely.

Built to check ages, but not safely

After researchers used the code to expose its flaws, officials recast the app as a demo version.

Several developers noted that sensitive data should have been stored in a secure enclave, hardware-level protection available on modern smartphones that makes these attacks much harder.

But the vulnerabilities expose a problem that goes beyond this particular app. Age verification is not safe by design, because it requires linking a real identity to an online action. That link has to be stored somewhere, even briefly, and wherever it lives, it becomes a target for hackers, governments, and anyone who gains unauthorized access to the underlying data. The more centralized and reusable that link becomes, the larger the target grows.

The EU’s age verification law is meant to be a single, privacy-preserving standard that replaces the legal patchwork taking shape across Member States, but the Commission’s confidence that the app is ready turned out to be premature. More than 400 privacy and security researchers wrote to the Commission in March asking for a moratorium on deployment until the science on age-verification technology settles.

What Microsoft 365 Copilot flex routing means for EU businesses

Alanna Alexander — Fri, 17 Apr 2026 16:31:20 GMT

Microsoft’s ‘data sovereignty’ promise for Europe comes with an asterisk. Starting April 17, 2026, the company will start sending Copilot data to foreign servers for processing.

With the introduction of flex routing for Microsoft 365 Copilot, Large Language Model (LLM) inferencing — the step where your data is actually processed — may take place in the US, Canada, or Australia when European data center capacity runs short.

These changes are being applied by default. For new customer accounts created after March 25, 2026, flex routing is already on. For everyone else, it will be enabled automatically unless you opt out. (Instructions on how to do that below.)

If your business is based in the European Union or the European Free Trade Association (EFTA), this isn’t a small technical update. Flex routing changes whether your AI workflows stay within the EU or leave it without your knowledge. And it highlights what Big Tech’s version of digital sovereignty really means for Europe: They’re still in control.

What is flex routing?

Inferencing is the moment an AI model processes your prompt to generate a response, whether that’s summarizing a document, answering a question, or drafting content. By the time this happens, your data has already been assembled. Even if your data is stored in Europe, it may now be processed elsewhere — automatically, under a non-EU jurisdiction.

EU-hosted does not mean EU-processed

Microsoft makes it clear that data will remain encrypted in transit and at rest. That might reassure some customers. But if you’re operating under frameworks like the General Data Protection Regulation (GDPR), the Network and Information Security Directive (NIS2), or the Digital Operational Resilience Act (DORA), protecting data in storage and transmission isn’t enough.

Processing (or inference) is where exposure can occur. And under flex routing, that point can now move.

For an AI model to perform inference, data must be made accessible for computation. Your prompts, emails, files, and metadata are gathered and sent to the model. With flex routing, that package can be processed outside the EU.

Where your data is processed matters — even if it’s encrypted on the way in and out.

The burden of compliance is yours

Microsoft’s decision to make flex routing a default feature is a red flag. Research shows that most people don’t bother to check their defaults or update them. If data sovereignty was something the company cared about for its European customers, it would not have implemented flex routing automatically.

It also puts your compliance department on notice that vendors may suddenly decide to change an important policy. You are now responsible for monitoring vendor updates, interpreting their implications, and adjusting settings to remain compliant. This may seem unfair if you selected a US-based vendor under the impression your data sovereignty was important to them.

What EU businesses can do now

Disable flex routing. If your policies require EU-only processing, don’t rely on defaults.
- Sign in to the Microsoft 365 admin center as an administrator assigned the AI Administrator role.
- Go to Copilot -> Settings -> Flexible inferencing during peak load periods.
- Select Do not allow flex routing
Understand cross-border implications. Your current setup may not meet your business requirements. Consider:
- Data transfer obligations under GDPR and sector-specific rules
- Internal data residency policies and contractual commitments
- Legal access and oversight in non-EU jurisdictions
Audit AI-specific data flows closely. Most businesses know where data is stored. Fewer know where it’s processed. Start questioning:
- Where your data is processed
- Whether there are laws that can compel third-party data disclosure
- Who can access data during processing and if that can change
Choose vendors that are transparent about how they process your data. Proton’s AI assistant processes data exclusively on European servers and publishes detailed description of its security model.

Flex routing reveals something deeper about data governance

If your vendors are based in the US, you’re relying on systems built for a different regulatory reality — one you don’t control, but still have to answer to.

Software updates, support, legal policies, and pricing decisions are made in Silicon Valley or Seattle. The rules your vendor follows are set in Washington. But your business is held to European standards.

That’s why more companies are starting to look at European alternatives to Big Tech. When your infrastructure, policies, and legal framework are aligned with the region you operate in, data sovereignty becomes enforceable, not conditional.

Your tech stack is an investment not a cost

Ben Wolford — Fri, 17 Apr 2026 11:10:32 GMT

Europe has found itself in a difficult and dangerous situation.

Last August, Proton’s Europe tech sovereignty report revealed that over 74% of publicly listed European companies depend on US infrastructure for their basic tech services. Whether sending emails or running critical infrastructure in the cloud, Europe places its digital destiny in the hands of a few American service providers and the government they answer to.

That report now seems prescient. Over the last few months, rifts in the North Atlantic alliance emerged over tariffs and territory, culminating in a recent threat from Washington to break apart NATO itself.

As Proton CEO Andy Yen said at a recent tech conference in France, “If Trump wants to take Greenland, he doesn’t have to use force. All he has to say is, ‘Tomorrow Google, Apple, Microsoft, and Amazon will stop working in your country if you don’t sign a contract and give me Greenland.’ And if that happens, they will sign within the hour.”

Europe’s digital sovereignty seemed irrelevant as long as the post-war order held. Now that those foundations are shaking, governments are switching over to technology and cloud services they can control. The French government is reducing its use of Microsoft Windows, and other European countries are taking similar steps. Our recent survey found that European consumers support these moves. Nearly three-fourths of them told us in a survey that their society was far too dependent on the United States for technology.

But what does this mean for business leaders?

The problem of dependency isn’t just political. When your core systems rely on foreign providers, your critical systems — email, files, infrastructure — can be disrupted by economic and political decisions far away.

That’s why we urge business leaders to treat their tech stack not as a cost, but as an investment in control, resilience, and long-term independence. Retooling your company is as much a practical challenge as it is a mindset shift.

Here are three questions to ask yourself:

Should I be investing?

Corporate managers face a strategic decision about their internal tools.

Big Tech platforms offer convenience: They’re familiar, widely adopted, and easy to justify as the safest choice. “Nobody gets fired for buying IBM,” as the saying goes. But technology isn’t a commodity. Your tech stack shapes how your business operates, who controls your data, and how resilient you are when circumstances change.

Take for instance: In the late 2000s, the Chinese government realized it was too dependent on foreign oil. So it began to invest in the creation of a new domestic electric vehicle industry. Nearly two decades later, Chinese carmakers produce about two out of every three electric vehicles sold globally.

If Chinese decision makers had viewed automobiles as a cost, they would have purchased reliable gas-fueled cars from Japan or Detroit. Instead, they decided automotive tech was an investment. It paid off in the form of a powerful homegrown industry for China and affordable high-quality cars for everyone.

Your tech procurement decisions deserve deeper reflection and long-term thinking. When weighing your options, it’s worth asking:

Do my service providers share my values and vision?
Is my business data properly secured and confidential at all times?
If geopolitical circumstances change, do I own my data?
Will my tech stack be an asset or a liability when seeking new business?

Businesses that take these questions seriously are already turning security into a competitive advantage. Our 2026 SMB Cybersecurity Report found that using secure tech was a competitive advantage for 66% of businesses. And the price you pay for those services may not be so different; indeed, it might even be cheaper to buy local.

Is it digital sovereignty washing?

First there was greenwashing. Then there was privacy washing. Now there’s digital sovereignty washing.

US tech companies know digital sovereignty is important to European businesses. That’s why Google and Microsoft both promote a “Sovereign Cloud” and a European “data boundary” that evokes the idea of local control. “Discover a sovereign cloud without compromise,” Microsoft says.

It’s dangerous marketing because it’s not quite true. And the only thing worse than bad security is a false sense of security.

You don’t gain digital sovereignty just by choosing tech that processes and stores your data locally. You earn it through control — over access, usage, and the laws that ultimately apply to your data. The reality is very different from the marketing spin.

Sovereignty vs. sovereignty washing

Here are five clues to tell the difference:

If security updates and product development decisions happen overseas, then it’s sovereignty washing.
- If those decisions are made within your region, under your legal and operational control, then it’s actually sovereign.
If the software is closed source so you can’t independently verify security claims, then it could be sovereignty washing.
- If the code is open to inspection and backed by independent audits, then it’s actually sovereign.
If suppliers are subject to foreign laws such as the CLOUD Act, which allows US government surveillance even on servers physically in Europe, then it’s sovereignty washing.
- If your data is governed solely by local laws with strong protections, then it’s actually sovereign.
If geopolitical pressures could result in downtime or changes to pricing and policies, then it’s sovereignty washing.
- If your operations aren’t exposed to external political pressure, then it’s actually sovereign.
If European capital flows into the US, where it funds further innovation and job creation for Americans, then it’s sovereignty washing.
- If it strengthens your local economy and creates a cycle of reinvestment in your market, then it’s actually sovereign.

In the worst case, US tech companies could abandon the idea of data boundaries altogether. In April 2026, Microsoft moved precisely in that direction when it announced “flex routing” would be turned on by default for European customers, enabling offshore data processing.

If your data boundary can be punctured so easily, it’s sovereignty washing.

Are there European alternatives?

Europe has just woken up to the problem of US tech dependence. But that’s not because it’s a new problem. American tech companies have dominated the global business market since the beginning of cloud computing. Until now that has left European industry at a disadvantage.

But over the past 10 years, this has started to change, especially when it comes to enterprise software. From cloud computing to network security, identity management to AI chat assistants, European providers are reaching feature parity with global competitors.

In some cases, these providers depend on US infrastructure, but not always. For example, Proton’s Lumo AI runs open source models on European servers under European legal jurisdiction. That means your data stays under European control, not just physically, but legally and economically. Ironically, thanks to the GDPR and a privacy-first encryption architecture, Americans can gain more control and data privacy by outsourcing the tech stack to Europe.

By choosing European alternatives and promoting homegrown tech, you’re investing in how much control your business has over its future. The next wave of entrepreneurs and developers might not flock to Silicon Valley and instead choose Paris, Munich, or Geneva. It becomes a virtuous cycle that stimulates European demand for its own products.

That’s how this shift happens: not through a top-down policy, but through a multitude of individual choices by businesses like yours.

Proton Drive’s strong start to 2026

Anant Vijay Singh — Tue, 14 Apr 2026 09:51:29 GMT

With the launch of Proton Sheets in late 2025 and, more recently, Proton Workspace, Proton Drive took an important step toward becoming a more complete privacy-first workspace for the files, photos, documents, and spreadsheets people use every day.

So far in 2026, we’ve focused on making that experience faster, smoother, and more practical across file storage, sharing, and collaboration. Here’s a look at the changes:

A faster Drive through a stronger foundation

Some of the most meaningful improvements to Drive this year are about speed and reliability. Uploads and downloads are now noticeably faster, whether you’re saving a file, browsing photos, downloading from a shared folder, or collaborating with others. Early this year, Proton Drive delivered up to 60% faster uploads on iOS, as well as up to 30% faster uploads and 70% faster downloads on web. Shared workflows have improved too: Downloading shared files is now 70% faster, and uploading to a shared folder is 30% faster, even for people without a Proton account.

Behind these improvements is a stronger foundation: We’ve been rebuilding some of Drive’s most performance-intensive code into a shared SDK that powers core file operations across our apps. That means improvements can roll out more consistently across platforms, helping make Drive feel faster, smoother, and more dependable overall.

More done, more easily on mobile

Some of the most meaningful user experience improvements are the ones that remove friction from everyday tasks, especially on mobile, wherever you are. We made a number of updates across the Drive mobile apps to help people get things done faster and with fewer steps:

The photo gallery has improved on iOS and Android, with quicker loading and smoother scrolling through your memories.
Saving files directly to Proton Drive is now possible on both Android and iOS, making it easier to save something for later without first downloading it and uploading it again.

Document scanning is now supported on both Android and iOS, so you can easily save important scans like passports directly in Proton Drive for safekeeping.
On Android, you can upload entire folders to Proton Drive, making it much faster to move lots of files in one go. That’s something even Google Drive doesn’t offer.

More powerful spreadsheets, still privacy-first

Spreadsheets often end up holding far more of our lives than we expect. In our survey, we found that over 70% of people use spreadsheets for budgeting and personal finance. But these files often outlive their original purpose: 67% of US respondents said they still have access to spreadsheets or shared documents they no longer need. Many are also unsure what happens to their data behind the scenes, from ad targeting and content scanning to AI training and data sharing.

That is exactly why Proton Sheets matters, and why we have kept improving our end-to-end encrypted spreadsheet editor.

Image of people collaborating in a Proton Sheets encrypted spreadsheet

Among the changes, we’ve added and improved support for workflows people expect from modern spreadsheets, including:

Import, edit, and export spreadsheets as ODS (compatible with OpenOffice, LibreOffice, and others). Currently in beta
Hidden sheets
New paste special options: formula only and link only
Custom formulas in conditional formatting and data validation
Support for the =SWITCH formula

These updates help make Sheets more practical for everyday use while preserving what matters most: Your spreadsheet data remains protected by Proton’s privacy-first design.

Strong momentum for the rest of 2026

So far in 2026, our focus has been clear: making Proton Drive faster and more reliable across all platforms for the moments that matter every day. Many of these improvements came directly from listening to our community. We’re grateful for that feedback, and for the people who keep pushing us to make Proton Drive better.

At the same time, we haven’t lost sight of our broader priorities for 2026, including the long-awaited Linux client. We’ll keep building on this foundation throughout the rest of the year.

Thank you for supporting our mission to give people everywhere a secure, private way to store and share files without their data being exploited for profit. Tell us what you would like to see next on UserVoice.

In rush for age checks, we’re putting kids’ security at risk

Edward Komenda — Fri, 10 Apr 2026 19:30:52 GMT

As governments across the world charge ahead with age-verification laws, a well-intentioned rush to protect children is actually putting them at risk.

The goal is to shield children from harmful materials, but these laws lack sufficient safeguards to protect privacy. All it takes is a single data breach, and a law intended to protect children could end up exposing their sensitive personal information to the world.

To be sure, children deserve an internet that they can navigate safely. But explicit content and predatory social media are not the only dangers online. Privacy violations, especially for the young, can also do serious harm. Especially since, as the old warning goes, “The internet is forever.”

We should not accept simply trading one risk for another.

How the risks could affect kids

To verify their ages online, users are often asked to submit government IDs, credit card numbers, selfies, or unique biometric information. When breaches happen — and they do, with depressing regularity — that sensitive data is exposed.

What’s more, many companies outsource their age-verification services to a handful of third-party vendors. Those suppliers, as storehouses of the data, become all-too-tempting targets for hackers and criminals. Without sufficient policies on data minimization, usage, storage, and privacy, user data remains deeply vulnerable.

In September, a cyberattack compromised a third-party vendor for Discord, a video game chat platform, granting the attacker access to at least 70,000 images of government-issued IDs, including passports and licenses.

Discord had been collecting photos of IDs in compliance with the UK’s age-verification law, which took effect in July.

Since the implementation of the law, the UK’s Office of Communications reported that “many records were not consistent” with record-keeping and review guidance. Many companies also failed to show how they were taking responsibility for online safety risks.

This breach highlights the real-life consequences of online attacks. As age-verification laws gain traction on a larger scale, an emphasis should be placed on privacy. Protecting sensitive personal information makes the internet a safer place for everyone, including children.

The need for balance

The rush to prioritize age checks for minors without prioritizing secure methods of verification create additional cybersecurity risks that can put children in harm’s way. As governments make premature decisions about these technologies, they are opening a Pandora’s box for hackers and cybercriminals to mine at their leisure.

Moving forward, governments and legislatures must be thoughtful about the technologies they employ and the risks they come with. Policymakers should prioritize decentralized solutions that protect minors against the real threat of cyberattacks, without compromising users’ anonymity and right to privacy.

What are the alternatives to age verification?

Edward Komenda — Fri, 10 Apr 2026 19:19:39 GMT

With age-check systems, there isn’t a one-size-fits-all solution.

Research suggests that no single method effectively protects children while also balancing concerns about privacy and access to information, but there is a way forward. Applying a broad array of common-sense measures, including parental controls and digital literacy education, can go a long way in helping guard children against potentially harmful content while remaining mindful of privacy rights and the nuanced ways young people use the internet.

Attribute-based verification

It’s not exactly an alternative to age verification, but proponents of attribute-based verification argue that it provides a more secure and private method of verifying a user’s age. That’s because it verifies only what’s necessary, such as requiring a self-declared age range rather than a government ID. But it has its limitations. Notably, any method that relies on self-declaration can be easily circumvented. It also fails to address the issue of personal data privacy, as it does not prevent websites from collecting additional information, such as users’ IP addresses.

Attribute-based age checks, however, store data on the user’s device. This limits the number of people with access to a user’s private data and reduces the cyberattack risks posed by other age-check methods.

Zero Knowledge Proofs

Like attribute-based verification, a zero knowledge proof (ZKP) provides a way for websites and apps to verify a user’s age without the user having to explicitly share personal data about their identity. But ZKP isn’t an alternative to age verification, rather, it’s a cryptographic tool that allows websites and apps to verify information about the user in question without gaining any additional information about the user.

In 2025, Google announced ZKP integration within Google Wallet to provide age verification across multiple apps. The tech company said it would continue to use ZKP with existing partners, like Bumble, to verify users’ ages without revealing their identities.

Age-Appropriate Design Code

The Electronic Privacy Information Center’s model bill for Age-Appropriate Design Code (AACD) was designed as an alternative to the rise in age verification legislation. The AACD gives children agency over their online experiences while requiring tech companies to evaluate their programs for features that put children at risk for compulsive use.

Additionally, the AACD would prohibit these companies from implementing programs with high-risk features, and would provide transparency into addictive design practices.

Unlike age verification legislation, the AACD places responsibility on the manufacturers of these technological platforms, rather than the users they exploit, circumventing issues around privacy and personal security.

Device- and OS-level parental controls

Parents and children can work together on a solution that best meets their needs. Device- and OS-level parental controls offer a more personalized approach to gatekeeping what kids see online.

Parents can set up their children’s devices to restrict or limit certain content. OS-level controls can be set up to limit daily screen time, require approval to install apps, and use web content filters, but the internet’s ever-changing nature means web filters can’t always keep up.

Used in conjunction with other protective measures, however, these restrictions can act as guardrails that reduce children’s exposure to harmful content without universal age verification.

Research suggests children who report less screen time are also the most likely to have parental controls on their devices. Yet parental controls are underutilized, according to the nonprofit Family Online Safety Institute.

Use of parental controls varies widely across device types, and they are hardly a perfect solution. Children may have access to more than one device, making time limits and content filters harder to enforce.

Education and digital literacy

Talking with kids about online safety can make parental controls more effective.

In households that reported six or more conversations about online safety annually, both parents and children were more likely to say that parental controls effectively keep children safe online, research found.

And those offline lessons can be valuable tools in protecting children when they are online.

Research from the World Health Organization suggests educational programs and cyberbullying prevention can work to reduce violence against children online. Programs that discuss online dangers and offline violence prevention, as well as healthy relationship skills, can help address children’s vulnerabilities to sexual abuse, harassment, and bullying, a WHO study found.

Parental guidance, support, and the ability to engage critically with online content all affect how a child might feel about what they see on the internet, research suggests.

The way forward

Protecting children doesn’t require turning the entire internet into an ID checkpoint. The widespread deployment of online age checks struggles to balance legitimate child protection concerns against users’ data privacy rights. Until that balance is struck, existing measures can help kids navigate the internet confidently without surrendering sensitive personal information at every turn.

What small businesses still get wrong about password managers

Risa Tang — Fri, 10 Apr 2026 10:57:18 GMT

The way small and medium businesses work has changed for good — but so has the way they get attacked. Teams are distributed, SaaS tools handle everything from payroll to project management, and contractors and vendors rotate in and out of systems regularly. With each new tool or employee with access, the number of potential entry points increases.

That expanding attack surface matters because credential-based attacks, including phishing, account takeovers, and password theft, have become one of the most common ways businesses get breached. They work precisely because access has sprawled, which makes it difficult to track. All an attacker has to do now is find one valid set of credentials to bypass your business’s defenses.

In this context, it should be encouraging that over half of small businesses now use a business password manager. But Proton’s SMB Cybersecurity Report 2026 — a global study of 3,000 SMB decision makers — found that one in four still experienced a breach last year.

All this points to a gap between how tools are adopted and how they’re actually used.

How SMBs use password managers today

Most password managers are designed to do one thing well: help you remember your password. In practice, that means creating complex and unique passwords and managing them in an encrypted vault. That’s meaningfully better than the norm of reusing the same credentials across accounts and platforms.

But with passwords being an attacker’s easiest point of entry, SMBs need password managers to do much more than just solve memory and convenience problems. They need it to secure access.

Access is a far broader question. Do the right people have the right credentials — and would you know what they unlock or if they fell into the wrong hands? And as teams grow, subscriptions stack up, and contractors cycle in and out, your organization’s considerations need to shift from merely strengthening passwords to accounting for real-world security threats.

That’s the change most businesses don’t make until something goes wrong.

Where password manager implementations go wrong

The key insight of our report was that businesses adopting password managers don’t consistently use them.

Unsafe credential sharing still persists at surprisingly high rates:

33% share them in shared documents or spreadsheets
30% share credentials via email
27% share them via messaging apps
25% write them down
24% share them verbally

That’s a picture of busy people taking the fastest route available at that moment. Instead of toggling over to the password manager app and sharing a new credential in its proper vault, they might paste it into Slack or an email.

Workarounds feel harmless in isolation. But over time, credentials end up scattered across inboxes, chat histories, and shared documents in ways that are hard to untangle. When an employee leaves, you can’t later revoke access. And updating passwords on a moment’s notice after a data breach becomes impossible unless it’s stored in a centralized secure location.

Training to enforce security policies can help, but our research revealed even that isn’t quite enough…

Why security awareness training isn’t enough

Our report found that 39% of SMBs have experienced a security incident caused by human error. That statistic is easy to misread; the natural response is to assume that more careful employees means fewer incidents.

But this framing misses something important: Security systems that depend on perfect behavior under everyday pressure will always be let down by reality. Mistakes happen not because people don’t care — they happen because the secure option often demands more effort and time than the typical SMB can afford. Even well-intentioned teams will find workarounds when they’re resource-stretched.

The lasting fix isn’t more training. It’s designing systems where the secure option is also the easy one.

When sharing access safely takes no more effort than dropping a password into a chat message, people will use it.

When the access problem gets out of control

The credential problem compounds as teams grow.

Eighty-six percent of SMBs now rely on cloud-based services for day-to-day operations. That typically means credentials sprawl across project management tools, finance platforms, marketing software, file storage, and customer systems, each with its own permissions and access history.

Access doesn’t just scatter across systems; it spreads across the organization, flowing between teams, external partners, contractors, and former employees who may still retain a way in.

This means that in reality, credentials accumulate, old access continues to linger, and the number of people who have — or have had — the keys to your most sensitive systems scales beyond easy tracking.

Having tools isn’t the same as being protected

The SMBs that experienced breaches last year weren’t cutting corners: 92% were actively investing in security tools. They had password managers, encrypted email, training programs, and written policies in place. In other words, their setups looked solid on paper.

What many lacked was consistent enforcement. Multi-factor authentication (MFA) was switched on but not required, password managers were deployed but not embedded into daily habits, and onboarding and offboarding processes were handled informally rather than systematically. We suspect, given the popularity of browser password managers, that many were not even using a centralized team platform at all — instead relying on a patchwork of less-safe options on an individual basis.

Each of these is a small gap that stays invisible right up until it isn’t.

The real measure of a security setup isn’t what tools are on the list, but whether those tools hold up under the everyday pressure of how people actually work.

Here are some practices to help bring this reality closer for your business:

Use a password manager built for teams. Browser password managers are not only less secure, they don’t have the admin tools managers need to maintain full control of your accounts. Unless you have an enterprise password manager that’s easy to use, it’s not going to cut it.
Audit who currently has access to what. Check the user lists on your most sensitive tools and if any names on there come as a surprise.
Replace shared logins with individual accounts. While it’s easy to share logins in a password manager, it’s not a best practice: Shared logins reduce visibility at the account level, making it harder to identify and react to a breach.
Make multi-factor authentication a requirement. MFA is one of the most effective protections available — but only when it’s enforced by default, not left as an optional setting.
Make offboarding systematic. Every departure, whether it’s an employee, contractor, or vendor, should trigger an access review immediately rather than as an afterthought.

Want to know what else you could learn from our survey of 3,000 business leaders across six key markets? Read more in our SMB Cybersecurity Report 2026. You’ll learn what causes breaches and what they actually cost, where human error shows up most often, how cloud and AI adoption are creating new blind spots. It also includes practical steps for beefing up protection that hold up in real-world conditions.

Get the full report

Proton Calendar now includes secure appointment scheduling

Anant Vijay Singh — Thu, 09 Apr 2026 11:53:31 GMT

In the 12 years since Proton began, millions of people have joined our mission to make the internet safer and more private, including over 100,000 businesses and nonprofits. They rely on Proton’s encrypted suite to protect their customers and teams, and we’ve continued to add more services and plans to support them — most recently with the launch of Proton Workspace.

Today we’re excited to announce the next addition to Proton Workspace with our secure appointment scheduling tool in Proton Calendar.

Whether you work with teams, run a side hustle, or take appointments from customers, you can now easily create public booking pages that show when you’re available, and your clients and colleagues can book an appointment in seconds. It automatically creates a new event on your calendar and generates a private Proton Meet link where you can have a secure video call. New events are zero-access encrypted, so all the details stay between you and your contact. Not even we have access.

For people dependent on platforms like Calendly, this means you no longer have to pay an extra subscription or give away calendar data to third-party services where it can be leaked or spied on. It’s a perfect tool if your business is based on appointments or if you want to save time finding an available slot to meet with colleagues or friends.

And it’s available in our new Proton Workspace plan, which combines all our business productivity tools into a single plan for complete data protection.

Try scheduling for teams

Explore plans for individuals

Part of a seamless encrypted workspace

The new appointment scheduling tool is fully integrated with Proton Calendar and Proton Meet to protect your business data end to end.

That’s important because your team calendar contains a trove of information about you and your business activities: your location, your priorities, and your contacts. It’s critical to keep that information protected from Big Tech platforms that could monetize or leak it, and from hackers who could use it against you for fraud or phishing attacks. Using a third-party booking platform spreads your information across the internet and increases your risk of a data breach, especially when those tools don’t use strong encryption.

Appointment scheduling bridges two fundamental business tools: Proton Calendar and the all-new Proton Meet for encrypted video calls. It’s not enough for a business to be able to plan and host a secure video conference — they also need to be able to schedule it. Our appointment scheduling tool fills this gap.

How appointment scheduling works

Appointment scheduling is simple to set up, and it’s available on all paid Proton Mail plans, Proton bundles, Meet Professional, and Proton Workspace. Teams with Workspace can create up to 25 booking pages to support multiple meeting purposes and durations.

In your Proton Calendar, just add a new booking page, give it a name, and specify the times you’re available. Your booking page will have a link that you can share publicly, such as on your website, email signature, or social media profile.

Whenever someone books a meeting with you, the event will instantly sync directly to your calendar (so it’s not possible to double book). And your contact will receive a confirmation email. If you’ve selected Proton Meet as the location for the meeting, the confirmation will include a secure meeting link.

The time, description, and participants on every event are zero-access encrypted, meaning it’s locked with your private encryption key and can’t be accessed by Proton or anyone else.

Learn more about how to use appointment scheduling

Power your growth with Proton Calendar

With appointment scheduling, Proton Calendar becomes more than just a way to track your schedule — it’s a way to grow your business or side project. If you’re a professional service provider, letting clients book meetings is a core part of your business model. But even if your business doesn’t run on external meetings, the appointment scheduling tool can help you save time or be more available to your team.

Appointment scheduling is perfect for:

Privacy-first providers like therapists, health clinics, law firms, and financial advisers
Managers or executives looking to save time when setting up meetings
Tutors scheduling time with students or professors hosting office hours
People who work for themselves, like content creators, indie hackers, or marketplace sellers
Anyone with a side project
And many more business professionals…

Securing your meetings isn’t just about protecting your own business, it’s also about protecting the people you do business with. When it comes to fields like healthcare, data protection is even an ethical and legal obligation. Appointment scheduling in Proton Calendar helps you meet those obligations while signaling to your customers that your business takes security seriously.

Explore Proton Workspace