What metadata does ProtonMail's web client transmit to Proton servers and third parties?
Executive summary
Proton Mail encrypts message bodies and attachments client-side, but key pieces of email metadata—senders, recipients, subject lines and standard headers—are not end-to-end encrypted and therefore can be revealed to Proton or to third parties when transmitted across the Internet or produced under legal process (sources explain subject lines are not E2E encrypted and headers remain visible) [1] [2]. Reporting and reviews note Proton’s “zero‑access” approach limits access to content, but metadata exposure remains a fundamental limitation of current email standards and Proton’s implementation [3] [4].
1. Why some metadata is visible: Internet mail standards and routing
Email routing relies on unencrypted header and envelope fields so mail servers can deliver messages; trace headers (Received:), sender/recipient addresses and routing timestamps are added and remain visible outside any E2E payload. Multiple technical explainers say this is why providers—including Proton—cannot hide many headers when mail traverses the global SMTP system [2]. Reviews and how‑to guides reiterate that even encrypted services must leave certain metadata unencrypted for messages to reach their destinations [1] [5].
2. What Proton encrypts vs. what it doesn’t
Proton’s architecture encrypts message content and attachments on the client before storage on Proton servers, which creates the “zero‑access” property for bodies and attachments; content therefore is inaccessible to Proton in normal operation [3] [4]. Independent reviews and synopses explicitly state that subject lines are not end‑to‑end encrypted and that address‑related metadata remains part of the message headers and is thus unencrypted [1] [2].
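As an added illustration of the split described in sections 1 and 2 (example code, not from the cited sources or from Proton), the following Python audits a constructed PGP/MIME message and reports which fields stay readable to every SMTP relay and to the receiving provider without any key; the hostnames, addresses and armoured body are placeholders.

```python
import re
from email import message_from_bytes, policy

# Added example, not Proton's code. Header list is illustrative, not a full RFC 5322 inventory:
# these fields live outside the PGP payload, so relays and the provider read them in clear.
ROUTING_HEADERS = ("received", "from", "to", "cc", "date", "message-id", "subject")
# Constructed sample message: hostnames, addresses and the armoured body are placeholders.
SAMPLE_MESSAGE = b"""\
Received: from mail-out.example.org (mail-out.example.org [192.0.2.10])
    by mx.example.net with ESMTPS id 12345; Mon, 3 Jun 2024 10:15:02 +0000
Received: from client.example.org ([198.51.100.7])
    by mail-out.example.org with ESMTPSA; Mon, 3 Jun 2024 10:15:00 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Q3 board minutes (confidential)
Date: Mon, 3 Jun 2024 10:14:58 +0000
Message-ID: <20240603101458.abc123@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
    boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0pLaceholderCiphertextDoesNotDecrypt==
-----END PGP MESSAGE-----
--b1--
"""


def audit_exposure(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    # Header fields are never inside the encrypted part, so they are visible as-is.
    exposed = {n: [str(v) for v in msg.get_all(n, [])] for n in ROUTING_HEADERS if n in msg}
    # Each Received: line records the IP of the previous hop, i.e. the sender's path.
    hop_ips = [m.group(1) for v in exposed.get("received", [])
               if (m := re.search(r"\[([0-9a-fA-F.:]+)\]", v))]
    is_pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                   and msg.get_param("protocol") == "application/pgp-encrypted")
    # The only body bytes visible in transit are the armour block, not the plaintext inside it.
    armoured = is_pgp_mime and any(b"-----BEGIN PGP MESSAGE-----" in (p.get_payload(decode=True) or b"")
                                   for p in msg.iter_parts())
    return {"exposed_headers": exposed, "hop_ips": hop_ips, "body_end_to_end_encrypted": armoured}
```

Running `audit_exposure(SAMPLE_MESSAGE)` shows the subject, both parties, timestamps and two hop IPs in the clear while the body is only an opaque armour block.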
3. Subjects, headers and search: functional tradeoffs
Proton and third‑party coverage highlight a tradeoff: keeping subjects, senders and certain header fields unencrypted preserves server‑side features like search, indexing and interoperability with other mail systems. Some reviews mention Proton offers optional indexing for search with user permission, which implies processing of searchable metadata or message parts [1]. Proton community discussion also shows the company has considered metadata encryption but cites technical immaturity and usability tradeoffs in earlier posts [6].
4. Legal access and metadata disclosure
Because subject lines and header fields are not E2E encrypted, Proton can produce those fields when legally compelled; reviews and vendor analyses note that while message bodies remain unreadable to Proton under their encryption model, non‑content metadata can be turned over in response to authorities [1] [3]. Wikipedia and reviews recount incidents and legal interactions that underscore the difference between content secrecy and metadata disclosure [4] [3].
5. Tracking, images and third‑party elements
Guides about email privacy point out that, beyond header metadata, tracking techniques (remote images, read receipts, tracking pixels) are a separate channel for leaking behavioral metadata to third parties, and standard advice is to disable remote image loading and read receipts to reduce that risk [7] [8]. Available sources do not state the ProtonMail web client’s default handling of remote images in every context, so its precise default settings are not covered here.
6. Alternatives and mitigations
Journalists and reviewers recommend steps to limit metadata exposure: use aliases or masked addresses, avoid putting sensitive info in subjects, disable remote content that can fingerprint you, and consider other secure messaging tools for highly sensitive dialogues [7] [5]. Some competitor products (e.g., Tutanota) are cited as encrypting more address‑book/contact metadata by design, offering a different balance of convenience and metadata protection [6].
7. Limits of current reporting and what’s not stated
Sources consistently explain the high‑level division—bodies encrypted, headers largely not—but none provides a comprehensive, field‑by‑field inventory of the client‑side telemetry or ancillary metadata (e.g., IP addresses logged during web sessions, browser fingerprinting, analytics) that Proton’s web client transmits to Proton or to third parties; no available source gives a full telemetry list for the web client [4] [1]. Community threads show Proton has discussed metadata‑encryption research but describe the feature as historically “under review”, without definitive rollout details [6].
Bottom line: Proton protects email contents through client‑side encryption, but standard email headers and subject lines remain exposed by design or necessity; reviewers and technical explainers warn that metadata, not content, is the practical privacy liability in email and that Proton’s model mitigates content exposure while leaving important metadata visible [1] [2] [3].