The Proton Blog

How to know if you have a virus on your phone

Jessica Bernard — Fri, 12 Jun 2026 11:55:30 GMT

If your phone is behaving in unusual ways, like unexpected data usage spikes or rapid battery drain, there’s a chance it might have a virus. Here are some of the telltale signs that your phone is infected, what you can do to clean it, and how to ensure your phone is protected in the future.

What is a phone virus?
Signs your phone has a virus
How to check if your phone has a virus
Should you use additional antivirus software?
How to protect your phone from viruses

What is a phone virus?

A phone virus is a type of software that is designed to spread throughout the files, apps, and data on your phone. Once a user opens an infected file the virus can infect the host and set out to replicate itself, infecting other files and devices in the same way a biological virus infects other people who come into contact with the host.

Many people use the terms “virus” and “malware” interchangeably, but a virus is a type of malware. Malware is an umbrella term for software that steals, disrupts, or deletes data, and also includes things like ransomware and spyware.

Signs your phone has a virus

There are a number of symptoms that might indicate your phone has a virus.

Unusual performance issues

Rapid battery drain: Your battery life has suddenly dropped without a change in your usage habits.
Overheating: Your phone feels hot to the touch, even when you aren’t using energy-intensive apps like games or video streaming.
Sluggish performance: Apps take a long time to open, the home screen freezes, or your phone lags significantly when scrolling or typing.

Malware often runs hidden background processes, draining your battery and slowing down your device. If your phone feels sluggish or hot when you’re not performing processor-intensive tasks, it’s a major red flag.

Strange data or billing activity

Spike in data usage: You experience an unexplained jump in cellular or Wi-Fi data consumption.
Mysterious charges: Your phone bill shows premium SMS messages you didn’t send, unexpected subscriptions, or calls to unknown international numbers.

Malware often sends data to remote servers or joins your device to a botnet; a group of internet-connected devices that have been breached and are being controlled by a third party, often to perform DDoS attacks.

Toll fraud is a type of malware that is predominantly used to target Android systems. Users are secretly subscribed to premium-rate SMS or telephone services, racking up charges without their knowledge or consent.

Pop-ups and ads

Unexpected advertising: You have ads popping up on your home screen, inside apps where they shouldn’t be, or even when your browser is closed.

These ads are likely what’s known as adware, and can slow down your device. Adware often gets downloaded automatically with “free” software.

Fake security alerts: You’re seeing pop-ups and alerts claiming your phone is infected and urging you to download a “cleaner” app.

These alerts are almost always scams designed to install more malware.

App behavior anomalies

Unknown apps: You notice apps installed on your device that you don’t remember downloading.
Apps crashing frequently: Legitimate apps start crashing or freezing unexpectedly.
Unusual permissions: Apps are requesting permissions they don’t need, such as access to contacts, camera, or microphone.

These irregularities could indicate that malicious software is masquerading as legitimate apps, hijacking system resources, or seeking access to your private data.

Network and connectivity issues

Slow internet speeds: Your connection seems slower than usual, even on strong WiFi.
Random reboots: Your phone restarts itself without your input.

Hidden malware processes frequently consume your bandwidth to transmit stolen data or join botnets, causing slowdowns and system instability that triggers unexpected restarts.

It should be noted that many of these issues can also be caused by aging hardware, software bugs, or simply by too many apps running in the background, rather than a virus. Regardless of the cause, there are steps you can take to resolve the underlying issue.

How to check if your phone has a virus

Android phone virus checks

Google Play Protect is your first line of defense against viruses and malware on Android devices. Play Protect runs continuously in the background and performs several types of automatic scans:

App installation scan: Every time you install an app from Google Play Store.
Periodic device scan: Automatically checks all installed apps regularly (usually daily or weekly).
Web protection: Scans websites you visit through Chrome for known threats.
Harmful app removal: Can automatically uninstall detected malware.

Automatic scans happen as long as Play Protect is enabled, which it is by default on most devices.

Manual Play Protect scan

You can trigger a manual scan any time you want by following these steps:

1. Open the Google Play Store app.

2. Tap your profile icon.

3. Select Play Protect.

4. Tap Scan to run an immediate check.

This is useful if you’ve recently installed an app from outside the Play Store (known as sideloading) or if you’re experiencing suspicious behavior.

While Play Protect is helpful, it’s not foolproof. Because it’s not a full antivirus tool, it may struggle to recognize new malware variants. It may also give false negatives in some cases.

Review app permissions

Review which apps have access to your information by using Permission Manager.

1. Go to Settings → Security and Privacy → More privacy settings → Permission Manager.

2. Revoke access for any apps that don’t need it.

Use a third-party anti-virus app

You can download antivirus and anti-malware apps from the Play Store. Just be sure to only download apps from reputable vendors. See Should you use additional antivirus software? below for more details.

iPhone virus check

Because of how iOS is designed, traditional antivirus apps that scan your entire file system for malware don’t exist on the App Store (and Apple wouldn’t allow them to function that way anyway). Instead, iOS’s architecture protects you from phone viruses by ensuring that:

Apps are sandboxed: Every app on an iPhone runs in its own isolated sandbox. An app can’t access the files, data, or code of another app.
Apps are reviewed: Apple manually reviews every app before it reaches the App Store. While bad actors sometimes slip through, it’s extremely rare.
Apps can’t be sideloaded: Outside the EU, you can only install apps from the App Store, which drastically reduces infection risk (unless you’ve jailbroken your phone).

To do a manual diagnosis and cleanup, try these steps:

Do a safety check (iPhone with iOS 16 or later)

Review which people and apps have access to your information and devices by using Safety Check.

1. Go to Settings → Privacy & Security → Safety Check → Manage Sharing & Access.

2. Follow the steps to reset or manage access to your information.

Clear Safari data

What seems like malware is often “just” adware or browser redirects trapped in your Safari cache.

1. Go to Settings →Apps → Safari.

2. Scroll down and tap Clear History and Website Data.

This removes cookies and cached scripts that might be causing pop-ups.

Review configuration profiles

Malware sometimes installs a configuration profile to force settings changes or redirect traffic.

1. Go to Settings → General → VPN & Device Management.

2. From here:

If you don’t see any profiles, then no device management profiles are installed on your device.
If you do see unfamiliar profiles, select the profile, tap Delete Profile and follow the instructions, then restart your device.

Do a factory reset

If you still suspect a virus, you can restore your phone to factory settings. This will completely wipe your phone and enable you to set it up again as new.

Warning: Before resetting, follow Apple’s recommended steps to ensure you’ve backed up your phone correctly.

Should you use additional antivirus software?

Regardless of whether you have an Android or iOS device, good security habits are generally sufficient to prevent phone viruses. However, you could consider additional antivirus software if you:

Frequently sideload apps (Android devices)
Download files from untrusted sources
Handle sensitive financial or business data on your phone
Want extra peace of mind

Popular options include Bitdefender, Malwarebytes, Norton, and Kaspersky.

If you have an Android device, these apps can actively scan files, monitor app behavior, and block malicious downloads in real-time.

However, if you’re an iPhone user, these apps won’t scan for viruses in the traditional sense. Instead, they focus heavily on web protection (blocking phishing sites), Wi-Fi security, and identity theft monitoring, so iPhone users may prefer to opt for other protections.

How to protect your phone from viruses

Maximizing phone security requires a layered approach. Combining the built-in security measures of your phone with a password manager and a VPN creates a strong line of defense against phishing, credential theft, and network surveillance.

Set up automatic updates

Automatic software updates ensure that Apple and Google can swiftly patch critical vulnerabilities.

iPhone software updates

1. Select Settings → General → Software Update.

2. Toggle on Automatic Updates.

You can also turn on Background Security Improvements to provide additional protection in between software updates.

1. Select Settings → Privacy & Security → Background Security Improvements.

2. Toggle on Automatically Install.

Android software updates

1. Go to Settings → System → System Update and enable automatic updates.

2. Disable Install Unknown Apps (keep this setting off for all apps unless absolutely necessary).

Install a password manager

A password manager generates and stores unique, complex passwords for every account, eliminating the single biggest cause of breaches: password reuse. It also guards against credential stuffing and phishing by autofilling credentials only on legitimate sites.

Proton Pass protects your logins with zero-knowledge, end-to-end encryption and goes further with built-in 2FA authenticator codes, unlimited hide-my-email aliases to shield your identity, and Dark Web Monitoring that alerts you if your credentials are leaked.

Get Proton Pass

Use a VPN

A VPN encrypts your internet traffic, shielding it from ISPs and other third parties. It also hides your IP address so websites and trackers can’t identify or profile you.

Proton VPN is open-source and independently audited, with a strict no-logs policy backed by Swiss privacy law. If you have a Plus plan, our NetShield Ad-blocker DNS filtering solution can block connections to adware and malware domains

Get Proton VPN Plus

Stay legit

If you’re on Android, stick to apps available in the Google Play Store or a reputable app store like F-droid. If you do need to sideload an app, only download APKs from the developer’s official website and verify where possible. If you’re on an iPhone, don’t jailbreak your phone. This opens you up to viruses and other malware, and negates many of the protections that Apple products otherwise offer.

The law that lets the US government spy without warrants is about to expire. Here’s what comes next

Edward Komenda — Thu, 11 Jun 2026 23:06:04 GMT

Section 702 of the Foreign Intelligence Surveillance Act lets US intelligence agencies collect communications from foreigners abroad without a warrant, and routinely sweeps in Americans’ emails, messages, and calls in the process.

It’s set to expire Saturday. And Congress has all but assured it will.

In a 218-to-198 vote, the House rejected a short-term extension, and Senate Democrats blocked a parallel effort hours later. For years, a growing bloc in both parties had demanded one thing before agreeing to renew: a warrant requirement. On Thursday, they finally had the votes to hold the line. Speaker Mike Johnson called the lapse “dangerous, and very, very shameful.”

Privacy advocates have argued for years that renewing Section 702 without reform is the real danger.

Surveillance doesn’t stop when the law does

The Foreign Intelligence Surveillance Court renewed its procedures for the Section 702 program in March. On Thursday, Representative Jamie Raskin said “government surveillance activities will continue unchanged” and that “current FISA authorizations will continue unaffected, at least through March 17, 2027,” according to CBS News. Even Representative Rick Crawford, the Republican chairman of the House Intelligence Committee and a supporter of renewal, confirmed the 702 database “would remain available to search.” The concern is that data grows stale over time, not that collection stops.

The more immediate problem is that some carriers have privately warned they will stop cooperating once the statute lapses, fearing legal liability without an active law behind the government’s requests. Intelligence agencies and telecoms face uncertainty about what collection can legally continue. Reform legislation would have resolved that. Congress chose not to pass it.

A warrant requirement needed three more votes

Axios reported that lawmakers in both parties were close to a longer-term extension. What they couldn’t agree on was whether to attach the reforms a substantial bloc of lawmakers has demanded for years.

Conservative Republicans who have long pushed back on FBI abuses of the Section 702 database refused to vote for a clean renewal. Democrats who previously supported the program did the same.

The warrant requirement is not a fringe position: when it came to a House vote in 2024, it failed 212-212. This week, a clean extension couldn’t reach a majority. The reform bloc, for the first time, had enough votes to block renewal outright.

Both parties expand surveillance when in power

We’ve documented this pattern for years. Section 702 has grown under every administration that has touched it. The party in power defends and extends these authorities. The party out of power raises objections, until it wins.

President Bush signed the Patriot Act into law on October 26, 2001, expanding domestic surveillance authority. Once in power, the Obama administration signed a four-year reauthorization of those same provisions, despite bipartisan resistance in Congress.

The 2024 renewal also made this plain. As a candidate, President Trump said “KILL FISA” days before Congress passed a renewal that President Biden signed into law, expanding Section 702 by broadening which companies can be compelled to assist with surveillance. The warrant amendment failed. Surveillance expanded. Both parties voted for it.

The case for reform doesn’t depend on who is in office. These powers have no meaningful checks on how they are used.

When searching Americans’ private communications requires no warrant, the only protection users have is whether the people in charge choose to exercise restraint.

That is not a protection.

The warrant requirement is the specific reform that matters

The Government Surveillance Reform Act, backed by a bipartisan coalition including senators Ron Wyden and Mike Lee, would require a warrant before agencies can search Americans’ data collected under Section 702.

It would close the loophole that lets the government buy personal data from brokers instead of going to court, so location data and browsing history can’t be purchased to avoid judicial oversight. It would also roll back the expanded definition of who can be forced to assist with surveillance, with direct implications for how VPN traffic is classified under the law.

Reauthorization will come back. This time, reformers have leverage.

Your business’s practical multi-factor authentication implementation guide

Kate Menzies — Wed, 10 Jun 2026 12:05:11 GMT

Multi-factor authentication (MFA) is no longer just a security recommendation for large enterprises. It’s one of the most practical ways for businesses to reduce the risk of account takeover and make stolen passwords less useful. As access to business systems spreads across cloud apps, remote teams, shared devices, and third-party platforms, MFA is becoming a more useful tool.

But during implementation, IT managers face the challenge of being able to assess whether MFA is useful or effective. Making MFA work across an organization requires making a lot of decisions: Which accounts need it first? Which MFA methods should be allowed? How do you avoid employee pushback? How do you make sure MFA is actually enforced, not just encouraged?

This guide is written to help your business MFA implementation work. It explains what MFA is, why passwords alone are no longer enough, how common MFA methods compare for business use, and how to roll out MFA in a way your team can adopt. It also shows how a business password manager with built-in 2FA support can make stronger authentication practices easier to manage at scale.

What is multi-factor authentication?

Why passwords alone are no longer sufficient

Types of MFA and business trade-offs

Where MFA implementation fails

The employee resistance problem

How to roll out MFA across your business

How Proton Pass for Business makes MFA manageable

What is multi-factor authentication?

MFA is a security process that requires more than one type of identity verification to access an account. Instead of relying only on a traditional password, MFA asks for an additional factor that makes unauthorized access harder.

The three common authentication factors are:

Something you know, such as a password or PIN.
Something you have, such as a phone, authenticator app, hardware security key, or trusted device.
Something you are, such as a fingerprint or facial recognition.

In practice, MFA usually means an employee enters a password and then verifies the login through another method, such as a time-based code (or TOTP), push approval, passkey, or hardware key. The goal is simple: if a password is stolen, guessed, phished, or reused, the attacker still needs another factor to get in.

Multi-factor authentication in business environments

For businesses, implementing MFA is a way to strengthen account security with an additional access control, not just to replace passwords. In business environments, the challenge is deciding where those methods are most needed and how to deploy them consistently across different systems, roles, and levels of risk.

Nevertheless, not all MFAs are equally strong. A code sent by SMS is better than a password alone, but it does not offer the same protection as a hardware security key or a well-implemented passkey. The right choice depends on risk, usability, device access, compliance needs, and how much administrative control your business can maintain.

Why passwords alone are no longer sufficient

Strong passwords still matter, but they are no longer enough on their own. Employees manage more accounts than ever, and attackers know that business access often begins with one compromised credential.

A password can be exposed through phishing, malware, data breaches, credential stuffing, password reuse, or unsafe sharing. Once attackers have a valid username and password, their activity may look like a normal login attempt unless another layer of verification is required.

This is why data breach protection for businesses needs to include credential controls, endpoint security, and employee training. A strong password policy helps, but it can’t stop every stolen password from being tested against email, cloud storage, finance tools, admin portals, or customer systems.

The financial stakes are high. IBM’s 2025 Cost of a Data Breach Report places the global average cost of a data breach at $4.4 million. MFA can’t eliminate breach risk, but it does reduce one of the most common paths into business systems: unauthorized access through compromised credentials.

MFA is especially important for accounts that control other accounts. Email, identity providers, password managers, admin consoles, developer platforms, payroll tools, and finance systems should be treated as high priority because gaining access to them can unlock further access elsewhere.

Types of MFA and business trade-offs

A good MFA implementation starts with choosing the right methods. The best option is not always the same for every business, team, or system. IT managers, for example, need to balance security strength, employee usability, device availability, administrative overhead, and support needs.

SMS one-time passwords

SMS one-time passwords (OTPs) send a code to a phone number during login. This is one of the easiest MFA methods for employees to understand, and it can be useful where better options are not available.

The downside is security. SMS can be vulnerable to SIM swapping, interception, social engineering, and phone number recovery attacks. It also creates operational problems when employees change numbers, travel internationally, have poor reception, or use personal phones for work.

For businesses, SMS OTPs are best treated as a fallback option rather than the preferred MFA method. It is still better than passwords alone, but it should not be the default for high-risk accounts.

Authenticator apps and TOTP codes

Employees open an authenticator app, such as Proton Authenticator, copy the code generated for the service they’re logging into, and then enter it during login.

This is usually stronger than SMS because the code is generated on the device and doesn’t depend on the mobile network. It is also widely supported across business tools, making it a practical baseline for many MFA rollouts.

The trade-off is usability and recovery. Employees need to set up the app correctly, keep access to their device, and understand how recovery works if a phone is lost or replaced. IT teams also need to create clear policies for backup codes, device changes, and offboarding.

TOTPs works well as a general business MFA method, especially when paired with strong password management and clear admin processes.

Hardware security keys

Hardware security keys, such as YubiKeys, provide strong authentication because the employee must physically possess the key to gain access to business accounts. Many security keys also protect against phishing because they verify that the website itself is legitimate before completing authentication.

For high-risk roles, hardware keys can be one of the strongest MFA options. They are especially useful for administrators, executives, finance teams, developers, and anyone with access to sensitive systems.

The trade-off is rollout complexity. Businesses need to purchase keys, distribute them, train employees, manage backups, and handle lost or damaged devices. A hardware key strategy also needs a recovery process that doesn’t weaken the security benefit.

Passkeys

Passkeys use cryptographic authentication instead of a traditional password. In many cases, employees unlock the passkey with a fingerprint, face recognition, PIN, or device approval. The private key stays on the device, which makes passkeys more resistant to phishing than many older authentication methods.

For businesses, passkeys can improve both security and usability. They reduce reliance on shared secrets and can make login faster for employees. The main challenge is ecosystem readiness. Not every business tool supports passkeys yet, and IT teams need policies for device enrollment, recovery, shared workstations, and employee offboarding.

For many organizations, the practical solution is a hybrid model: use passkeys where supported, keep strong passwords and MFA where they are still required, and manage both through clear access policies.

MFA method	Security strength	Business suitability	Best-use scenario
SMS OTP	Basic	Easy to adopt, but weaker than other MFA methods	Fallback option when stronger MFA is not available
Authenticator apps	Moderate to strong	Practical default for many teams	Everyday business accounts and SaaS tools
Hardware security keys	Very strong	Best for high-risk roles, but requires device management	Admins, executives, finance teams, and sensitive systems
Passkeys	Very strong	Secure and user-friendly where supported	Modern apps, passwordless workflows, and phishing-resistant access

Where MFA implementation fails

MFA can still fail even when a business has implemented it. Implementation quality actually matters as much as the MFA method itself. Some of the reasons for failure can include:

Weak recovery. If employees can bypass MFA through easy account recovery, help desk shortcuts, or poorly protected backup codes, attackers may target the reset process instead of the login screen.
Inconsistent enforcement. MFA may be enabled for some tools but left optional for email, admin accounts, finance systems, shared operational accounts, or certain employees. In that situation, MFA becomes an aspiration rather than a control, and attackers can still look for the weakest available path.
Poor usability. If employees are constantly interrupted, locked out, or unclear about what to approve, they may become frustrated and more likely to make mistakes. Push fatigue is one example: repeated approval prompts can train people to accept requests without thinking.

A strong MFA rollout needs enforcement, monitoring, and support. It should be easy for employees to do the right thing and difficult to leave important accounts unprotected.

The employee resistance problem

Employee resistance is one of the biggest barriers to MFA rollout. Employees may see it as an extra step, a productivity blocker, or another security rule added without context.

This reaction is understandable, especially when MFA is introduced abruptly or with unclear instructions. Resistance often comes from poor implementation, not from opposition to security itself.

The solution to this problem is to make MFA predictable and easy to follow. Explain to employees that it protects business accounts even if a password is stolen, start with familiar tools such as email and shared business platforms, provide clear setup steps, and support employees through device changes.

Avoid framing MFA as a punishment or a sign of distrust. It should feel like a practical safeguard for the company, its clients, and employees’ own work accounts.

A bring your own device (BYOD) policy also helps. If employees use personal devices for work, clear rules for authentication apps, device security, lost-device reporting, and access revocation make MFA rollout smoother.

How to roll out MFA across your business

A successful MFA rollout is a change-management project. IT managers need to decide what gets protected first, how enforcement will work, how exceptions will be handled, and how adoption will be measured.

Step 1: Map your accounts and risk levels

Start with an access inventory. Identify the systems your business depends on and the accounts that create the most risk if compromised.

Prioritize:

Email and identity provider accounts.
Admin accounts and privileged roles.
Password manager accounts.
Finance, payroll, and billing tools.
Cloud storage and file sharing.
Developer, infrastructure, and production systems.
Customer data platforms and CRMs.

This creates a rollout sequence for your business that’s based on risk rather than convenience.

Step 2: Choose approved MFA methods

Decide which MFA methods your business will allow. For many teams, authenticator apps or passkeys may become the default, while hardware security keys are reserved for high-risk roles. SMS can remain a fallback where necessary, but should not be the preferred method for sensitive systems.

Document the decision clearly. Employees should know which methods are approved, which are discouraged, and what to do if they lose a device.

Step 3: Pilot before enforcing everywhere

Run a pilot with IT, operations, finance, leadership, or another group that can provide useful feedback. The goal is to test the setup process, support documentation, recovery flows, and policy settings before the rollout reaches the whole organization.

A pilot also helps identify where MFA prompts are too frequent, where employees need clearer instructions, and which systems require special handling.

Step 4: Enforce MFA for high-risk accounts first

Encouragement is not enough for critical systems. Once the pilot is complete, enforce MFA for the accounts that create the highest risk.

This includes admin accounts, email, identity systems, password managers, and financial tools. If these accounts remain optional, attackers may still find a path into the business.

The key is to enforce with support. Give employees advance notice, setup guides, office hours, and recovery instructions. Enforcement works best when people aren’t surprised by it.

Step 5: Expand to the rest of the organization

After high-risk accounts are protected, expand MFA to remaining business tools. This can happen by department, tool category, or risk level.

Track adoption as you go:

Which accounts have MFA enabled?
Which employees haven’t enrolled?
Which systems still allow password-only access?
Which exceptions are open, and who owns them?

A business password manager can support this process by giving teams visibility into which accounts already have MFA enabled and which still need stronger authentication.

This is where many rollouts stagger or fail. MFA needs ongoing governance after the rollout date.

Step 6: Review exceptions and recovery paths

Every exception should have an owner, reason, and expiration date. If MFA cannot be enabled for a tool, document why and decide whether a compensating control is needed.

Recovery also deserves regular review. Backup codes, account recovery flows, admin overrides, and device resets can become weak points if they are not controlled. MFA implementation should make recovery safe, not simply convenient.

How Proton Pass for Business makes MFA manageable

MFA rollout becomes easier when credential management is already controlled. If passwords are reused, shared informally, stored in browsers, or scattered across spreadsheets, MFA becomes harder to enforce consistently.

A business password manager like Proton Pass for Business helps by doing more than strengthening the password layer. It can also support the second factor directly. The built-in 2FA support means teams can store TOTP codes securely and use the password manager itself as the MFA device, which makes stronger authentication easier to adopt and easier to share securely where appropriate. Employees can generate strong, unique passwords, store them in encrypted vaults, autofill logins, use built-in 2FA support for TOTP codes, and manage passkeys where supported.

This also improves visibility. Administrators need to know not only whether employees have strong passwords, but also which accounts already have 2FA enabled and which still rely on password-only access. Proton Pass can help IT admins surface that information, making MFA adoption easier to track across the organization.

Passkeys are also a key consideration. As businesses move toward stronger, phishing-resistant authentication, a password manager that supports passkeys like Proton Pass helps teams manage both traditional MFA flows and newer passwordless methods in one place. That makes rollout more practical in mixed environments where some systems still use passwords and TOTP, while others are ready for passkeys.

For IT teams, Proton Pass for Business supports centralized management, policies, secure sharing, and visibility through reporting and logs. That makes MFA more operationally realistic because teams can reduce password sprawl while also making stronger authentication easier to deploy and govern across the organization.

A business password manager doesn’t replace MFA. It makes MFA much easier to implement because it strengthens the first factor, supports the second, and gives the business a more manageable path toward stronger authentication overall.

A journalist’s safety guide to the 2026 FIFA World Cup

Proton Team — Tue, 09 Jun 2026 18:05:07 GMT

Three countries and 16 cities are slated to host the 23rd FIFA World Cup this June. The event, which will be held in the United States, Mexico, and Canada, is expected to bring in more than 5 million fans from around the world, including an estimated 50,000 journalists.

Large crowds and global security threats like cyber, drone, or mass-casualty attacks pose risks to reporters and fans at all locations. In the US, travel bans and increased ICE activity should also be considered. If you are a journalist or media professional covering the 2026 FIFA World Cup, there are ways to ensure your safety as you travel through the event’s host cities.

Proton has assembled a guide to assist journalists navigate the World Cup safely. The tips below can help protect journalists and media against security threats while reporting from the ground at the World Cup.

Reporting from the United States

11 cities in the United States are hosting FIFA World Cup games in 2026, including Atlanta, Boston, Dallas, Houston, Kansas City, Los Angeles, Miami, New York, Philadelphia, San Francisco, and Seattle.

According to The Athletic, the Federal Emergency Management Agency granted $625 million in security funding toward those 11 US cities for operational exercises, staff background checks, and cybersecurity defense.

Travel restrictions and border crossings

Given the location, size, and scope of the World Cup, journalists traveling from outside the US should consider the risks when entering the country. In 2025, the Trump Administration announced a travel ban for citizens of Afghanistan, Myanmar, Chad, Republic of Congo, Guinea, Eritrea, Haiti, Iran, Libya, Somalia, Sudan, and Yemen. There are partial restrictions for residents of Burundi, Cuba, Laos, Sierra Leone, Togo, Turkmenistan, and Venezuela.

According to the Committee to Protect Journalists, border agents in the US “maintain broad discretionary authority to implement travel restrictions.” Additionally, “increased vetting, inconsistent enforcement, and sudden policy changes suggest an unpredictable environment,” in which traveling journalists should prepare.

Media personnel can anticipate being questioned at the border by Customs and Border Protection (CBP), especially if journalists represent a country on the travel ban list or have a history of covering politically sensitive issues. Journalists with dual citizenship from a country on the travel ban list should use the passport of their nation that does not appear on the banned list.

Protecting your devices and data

Precautions should be taken to encrypt or back up sensitive or personal information on electronic devices, as CBP does not need a warrant or probable cause to search your person or electronics. To protect your personal data and ensure it isn’t copied or stored by CBP, journalists should:

Use strong passwords and store them in a password manager like Proton Pass.
Use an end-to-end encrypted email service like Proton Mail so messages can’t be surveilled.
Employ email aliases so your personal or work email isn’t exposed.
Enable two-factor authentication so CBP can’t access your accounts.
Back up sensitive information on a cloud storage service like Proton Drive, so privileged documents don’t live on your phone or electronic devices.
Make social media accounts private and/or delete any apps that may be subject to search.

Legal resources for journalists

If a legal concern should arise during your coverage of the FIFA World Cup, journalists can call the Reporters Committee for Freedom of the Press legal hotline at 1-800-336-4243.

Media members can also text CPJ’s chatbot for assistance using the number 1-206-590-6191 or email the committee at emergencies@cpj.org.

If you are denied entry into the country or into the World Cup, are facing detention or arrest, have been assaulted, or had equipment damaged, you can file a report using the U.S. Press Freedom Tracker.

General safety tips for all host cities

Whether reporting from the United States, Mexico, or Canada, you should familiarize yourself with the country’s local laws. Before heading to your destination, research the location and have an exit strategy should an emergency arise.

Have an emergency contact on standby, work in pairs whenever possible, and designate meet-up locations ahead of time should cell service or Wi-Fi go down. Identify exits, medical tents, rideshare drop off and pickup locations and media areas before arrival.

Proton for journalists and newsrooms

To counter unprecedented threats toward journalists, Proton offers discounts on Proton for Business to news media. Protect your emails, contacts, documents, sources, and other sensitive data with end-to-end encryption, so your team can work safely no matter where they are.

Proton has been committed to press freedom for more than 10 years. Learn more about how Proton protects journalists and get Proton for your newsroom today.

Cybersecurity compliance 101: What small businesses need to know

Alanna Alexander — Tue, 09 Jun 2026 17:34:04 GMT

You’ve likely experienced this scenario: You’re in the final stages of a deal with a promising enterprise client. The contract is ready, the price is agreed upon, and then the conversation stalls.

The reason? They asked for your cybersecurity compliance documentation, and you couldn’t provide it.

It’s a frustrating moment. It’s understandable to feel that cybersecurity compliance is a game for large corporations with dedicated security teams and massive budgets. For a growing startup or a small business, it can feel like an overwhelming administrative burden.

The good news is that there are simple ways to prove you take data protection seriously.

This guide breaks down what compliance actually means for your business, the key frameworks you’ll encounter, and how to get started without needing a team of IT experts.

What is cybersecurity compliance?

Cybersecurity compliance is how you prove you are protecting sensitive data according to recognized standards. It’s not just about having the right tools; it’s about having the right processes and the documentation to back them up.

Think of it as your business’s “report card” for security. It shows prospects and partners that you have rules in place, you follow them, and you can prove it.

It’s not optional. Regulations like GDPR and HIPAA carry real legal weight. Fines, lawsuits, and operational restrictions are all on the table. And cybersecurity threats aren’t theoretical. Four in five small businesses have suffered a recent data breach.

The risks of data non-compliance

Skipping compliance might seem like a way to save time and money, but it’s a short-sighted gamble. The fallout hits in three critical areas:

Financial penalties: A single GDPR violation can cost millions. For a small business, even a mid-range fine can mean layoffs, frozen growth, or closure.
Operational disruption: A breach takes systems offline for weeks. Your staff gets pulled from revenue-generating work to manage the crisis. Recovery costs can easily exceed $1 million when you factor in downtime, legal fees, and lost contracts.
Reputation damage: Customers who trusted you with their data may not give you a second chance. In tight-knit industries, word travels fast. A compliance failure doesn’t just hurt your brand; it can shrink your sales pipeline for years.

Key cybersecurity frameworks every business should know

These are the standards your customers, regulators, and enterprise partners will likely ask about.

GDPR (General Data Protection Regulation)

If you have even one customer in the European Union, or if you collect email addresses from EU visitors on your website, GDPR applies to you—regardless of where your company is based. Non-compliance can result in fines of up to €20 million or 4% of your annual global revenue, whichever is higher.

What it means: You must be transparent about how you collect and use data. You must give people the right to access, correct, or delete their information.

HIPAA (Health Insurance Portability and Accountability Act)

Are you a SaaS company serving a US healthcare provider? Or perhaps a clinic managing appointments? The moment patient data touches your systems, HIPAA applies.Penalties range from thousands to millions of dollars, depending on the severity and whether negligence was involved

What it means: You need strict safeguards like data encryption, controlled access, and clear procedures for reporting breaches.

NIS2 (Network and Information Security Directive)

This is an EU directive strengthening cybersecurity in essential sectors like energy, transport, and digital infrastructure.Even if you aren’t directly regulated, your enterprise customers may require you to meet NIS2 standards as part of their vendor checks.

What it means: It requires risk management practices and strict incident reporting.

ISO 27001 & SOC 2

These are international standards that evaluate how you manage and protect data. The stakes: For enterprise clients, having ISO 27001 certification or a SOC 2 report is a massive trust signal. It tells them, “We have been audited by independent experts, and our security is solid.”

What it means: You need to implement documented security controls, submit to independent audits, and maintain that certification on an ongoing basis.

How to get started with compliance in cybersecurity

Compliance can feel like a long list of boxes to check, but the basics come down to five practical steps.

Map out what data you have, where it lives, and who has access. You might be surprised to find a customer list saved on a contractor’s personal Dropbox or a shared spreadsheet with sensitive info that anyone can edit.
Write down your policies. Who can access what? How do you report a breach? How do you dispose of old data? If it isn’t written down, it doesn’t exist. Keep these documents clear, current, and ensure your team actually follows them.
Give your team a business password manager. It generates strong credentials, stores them securely, and makes good habits the default. It removes the friction of remembering complex passwords.
Use a business VPN. It encrypts all your team’s internet traffic, ensuring data stays protected no matter where they log in. This is a straightforward way to meet network security requirements for almost every major framework.
Assign a specific person (even if it’s part of their role) to be accountable for your compliance posture. They should track regulatory changes, keep documentation updated, and ensure leadership stays informed.

How to stay compliant with cybersecurity regulations

Regulations change, your team grows, and the tools you use evolve. That’s why requires ongoing attention.

Review policies regularly: Conduct quarterly reviews to ensure your documentation reflects how you actually work.
Monitor for exposure: Don’t wait for a breach to find out your credentials leaked. Use tools that monitor the dark web and alert you if your company data appears in a breach.
Conduct internal audits: Test your controls before an auditor does. Find the gaps yourself — it’s always cheaper than having them exposed externally.
Train your team: Policies only work if people follow them. Short, practical training on phishing and data handling keeps security habits sharp.
Use tools that enable good security: Compliance is easier when security is the default. Choose tools that encrypt your business data, give you granular control over access, and flag risks like weak passwords automatically.

Make cybersecurity compliance a part of BAU

Compliance doesn’t have to be a scramble. With the right tools, it becomes part of how your business operates, giving you concrete answers to security questionnaires and audits.

Proton Pass and Proton VPN are built for this. Setup takes minutes, and you don’t need an IT team to manage them.

Proton VPN encrypts all company network traffic and restricts access to approved devices, meeting strict network security requirements.
Proton Pass lets you enforce two-factor authentication, manage credentials securely, and pull activity logs directly from the admin panel for audits. When a new hire joins, you can provision access in clicks; when someone leaves, you revoke it instantly.

You also get to leverage our compliance for yours. When enterprise clients ask about the security of the software you use, you can point to our credentials.

Proton is ISO 27001-certified and SOC 2 Type II-verified, based in Switzerland, and fully open-source. This gives you verifiable, third-party proof that your data is protected by the highest global standards.

Proton for Business gives you the tools you need not just to start your compliance journey, but to maintain it long term.

How to use Google Photos Locked Folder (and a safer alternative)

Elena Constantinescu — Tue, 09 Jun 2026 14:10:53 GMT

Most people have images meant for their eyes only, like snapshots of personal documents or intimate photos they’d rather keep out of the main gallery. These are the kinds of images people would not want to accidentally share with someone else or have exposed to anyone who gains physical access to their phone.

Traditional photo libraries like Google Photos aren’t safe for private photos because they are not built for privacy. They can help protect your pictures from unauthorized access, but that doesn’t necessarily mean your sensitive photos are hidden from the service provider. Because Google Photos is not end-to-end encrypted, Google can technically access and process your photos in accordance with its policies.

The Locked Folder feature in Google Photos can be useful, but it doesn’t change the underlying privacy model of the app. So before relying on it for sensitive images, it’s worth understanding what Locked Folder does, how to use it, and what its privacy limits are.

What is the Google Photos Locked Folder feature?
How to hide photos in the Google Photos Locked Folder
- Managing photos and videos
Limitations
- The privacy cost of backing up Locked Folder photos
A more private way to store sensitive photos

What is the Google Photos Locked Folder feature?

Locked Folder is a Google Photos feature that lets you store selected photos and videos in a separate, protected space on your device. When you add items to this hidden folder, they:

Don’t appear in your photo grid, albums, search results, Memories, or partner sharing
Are hidden from other apps on your device that have access to your regular photo library
Require your device screen lock to view and manage, such as your PIN, password, fingerprint, or face unlock

How to hide photos in the Google Photos Locked Folder

Setting up the Google Photos Locked Folder to hide your photos takes only a few moments:

Open Google Photos.
Tap Collections.

Scroll down, and tap Locked. You will be prompted to open the Locked Folder using your device screen lock option.
Tap Move items.
Select the photos or videos you want to add, and tap Move.

Confirm using your device screen lock option.
- If Locked Folder backup is off, you can turn it on by tapping Manage backup or skip by tapping Continue.
Tap Move to confirm.

To add new items, tap the new photo icon 🖼 on the bottom left. It’s not possible to create subfolders in the Locked Folder feature for organization.

Managing photos and videos in Locked Folder

To return a photo or video to your main Google Photos library, select it in Locked Folder, tap Move, and tap Move again to confirm. The item will leave Locked Folder and reappear in its original position in your photo timeline.

You can also permanently delete items by pressing Delete, and again Delete to confirm.

Limitations of the Locked Folder feature in Google Photos

The Locked Folder feature is useful for keeping private photos out of your main gallery, such as when you hand your phone to someone else and don’t want them scrolling into something sensitive. But it does not create a separate, end-to-end encrypted vault.

End-to-end encryption means your data is encrypted on your device before it reaches a company’s servers, and only you hold the keys to decrypt it. Not even the service provider can read your files. Google Photos does not offer end-to-end encryption for your photo library — so Google retains access to your images — and the Locked Folder tool is governed by the underlying policy of the Google Photos privacy policy.

That matters because Google does not simply store photos passively. Its automated systems can scan content for policy violations, and mistakes can have serious consequences.

In one widely reported case, a father in California took medical photos of his toddler at a doctor’s request and sent them to the healthcare provider. Because the photos were also backed up to his Google account, Google’s systems flagged them as potential CSAM, reported him to law enforcement, and terminated his account. Police cleared him of wrongdoing, but Google still refused to restore the account, leaving him without access to years of emails, photos, purchase history, and other data.

The privacy cost of backing up Locked Folder photos

By default, items you move to the Google Locked Folder only exist on your local device. If you don’t turn on backup, you could lose your photos if your device is damaged or lost.

On the other hand, backing up your Locked Folder photos means keeping them stored on Google’s servers and giving the company broad access to your sensitive content that you don’t feel comfortable sharing with anyone else.

That leaves you stuck between two bad options:

Keep photos on your local device only and risk losing them, or
Back them up to Google Photos and accept they may be scanned by Google’s automated systems and reviewed by humans if an algorithm flags something, even by mistake.

If neither option sits right with you, there’s a better, safer way to store sensitive photos without risking that your cloud storage provider can take a sneak peek.

A more private way to store sensitive photos

If you want to safely store sensitive photos long-term, use Proton Drive. While Proton Drive does not have a direct equivalent to Google Photos’ Locked Folder, it approaches photo privacy differently by protecting your photos with end-to-end encryption so no one can see them except you and the people you choose to share them with — not even us.

You can enable automatic photo backup on your phone to keep them synced across your devices, browse photos in a timeline, organize them into albums, mark favorites, filter by media type, and securely share individual photos or full albums with passwords and expiration dates. Shared links can be easily revoked anytime.

Unlike Google Photos and Google Drive, Proton Drive is transparent when it comes to your data: All Drive apps are open source and independently audited, which means anyone can verify our security. We never scan your files or photo library, show ads, use your photos for AI or product improvement, or share your information with anyone.

When you’re ready to move on from Google Photos, you can easily migrate your memories to Proton Drive. And when you’re ready to deGoogle more broadly, you can take the next steps toward a privacy-first ecosystem built to protect your data rather than exploit it.

Top 7 internal communication tools for companies

Alanna Alexander — Tue, 09 Jun 2026 13:19:20 GMT

Every internal communication tool was built simply to host workplace conversations. They do far more than that today.

Platforms like Slack, Microsoft Teams, and Zoom have become the vaults for a company’s most valuable intellectual property, retaining critical decisions, sensitive documents, and proprietary data.

The problem is that all this valuable data is often protected only by basic encryption — a security measure that leaves the door wide open for providers, third parties, and even AI models to access it.

This guide explores the top seven internal communication tools available in 2026, weighing their functionality against their privacy practices.

What are internal communication tools?

Internal communication tools are software platforms designed to facilitate real-time interaction and information sharing within an organization.

They were designed to solve a specific friction point: the latency of poorly designed email platforms. A quick answer from a colleague would require hours of waiting and valuable ideas would get lost in a thread of replies.

Businesses adopted internal communication tools with the hope that it would break down silos, enabling real-time collaboration across departments and time zones. It did. It’s now become the digital water cooler and the virtual conference room.

Teams now use internal communication tools to make hiring decisions, finalize product roadmaps, store legal contracts, and conduct sensitive client negotiations — high stakes for a tool designed to facilitate the exchange of information, not secure it.

Why modern communication stacks are actually failing businesses

Fast and convenient internal communication often comes at a cost. Because many modern communication tools are built to prioritize speed and scale over security, they rely on basic encryption that doesn’t adequately protect your data.

This means providers can access your messages, calls, and files which can be shared, leaked, or sold to advertisers. In some cases, they’re even used to train AI models.

This creates real business risks. These range from compliance violations to data exposure in a breach. Together, these risks make it even more important to choose the right internal communication tool. In addition to affordability and convenience, you should prioritize security.

What to look for in an internal communication tool

Internal communication software is essential to keeping teams aligned. When choosing a secure internal communication tool, look for:

End-to-end encryption

Most tools encrypt data in transit, but that’s not enough. End-to-end encryption ensures that only participants can access the content of your communications — not the provider, third parties, or AI models.

Data minimization

Every tool collects some data to function. The question is how much, and what happens to it. Look for tools that collect only what’s necessary and don’t share or monetize your data.

Open source transparency

If a provider publishes its code as open source, anyone can verify its security claims. Look for independent audits and clear privacy policies that explain exactly how your data is handled.

The 7 best internal communication tools

There’s no one-size-fits-all internal communication tool. The right one depends on your business needs, your existing software, and how you handle sensitive information.

Here are seven of the best options you can find today.

Proton Meet

Best for: Private and secure business meetings

Proton Meet combines the familiarity of video conferencing software with a privacy-first, web-based design. End-to-end encryption is enabled by default, so meetings remain confidential and only accessible to participants, not even Proton can access them.

If your business is concerned about compliance and data exposure, Proton Meet offers additional protection through Swiss privacy laws. There’s no ad-based business model, which means there’s no incentive to collect or monetize user data.

Proton Meet includes all the video conferencing features you’ve come to expect — chat messaging, screen sharing, blurred backgrounds, noise reduction filters, and more. All in a single secure video conferencing tool, a part of a suite that helps you stay GDPR- and HIPAA-compliant.

Strengths:

End-to-end encrypted by default
Zero-knowledge architecture (your data is encrypted so only you can access it, not Proton)
Guests can join calls without a Proton account
Part of Proton’s privacy-first suite

Keep in mind:

Fewer integrations available
Free plan limited to one-hour calls and 50 participants

Proton Mail

Best for: Secure email communication

Proton Mail is how emails should be — private by default. Email remains the backbone of business communication and should be appropriately protected. Unlike other email providers, Proton Mail is end-to-end encrypted by default. Your emails are fully secured whether in transit or at rest; only you and your intended recipient can read them.

End-to-end encryption also ensures your emails can never be scanned, shared with third parties, or used to train AI. This ad-free business model means Proton does not benefit from your data.

Strengths:

End-to-end encrypted by default
Zero-knowledge architecture (your data is encrypted so only you can access it)
Data is protected by Swiss privacy laws
Part of the Proton ecosystem

Keep in mind:

Emails to non-Proton recipients aren’t end-to-end encrypted unless password-protected
Fewer native integrations than Gmail or Outlook

Slack

Best for: Instant messaging and app integration

Slack is the iMessage of the enterprise world. Slack simplifies workplace discussions; instead of drawn-out email threads, conversations happen in organized channels sorted by team, project, or however you choose.

Slack features an extensive integration library that lets you connect to popular enterprise software, such as Jira and Google Calendar. These integrations turn Slack from a chat tool into a central hub for notifications and workflows. Additionally, Slack allows you to hold video and voice calls, making it a versatile communication tool.

Slack has come under scrutiny for privacy concerns — from allowing admins to read employee messages to the sharing of identifiable information with advertisers. Depending on your location, you may not be able to opt out of this data sharing.

Strengths:

Extensive app integration library
Organized channels for teams and projects
Supports chat, voice, and video functionality

Keep in mind:

Admins can read employee messages
Your data is shared with advertisers
Opt-out options vary by jurisdiction

Microsoft Teams

Best for: Microsoft-reliant organizations

Microsoft Teams is the obvious choice for businesses that rely on Microsoft services. Its deep integration with the Microsoft ecosystem enables many quality-of-life conveniences, such as real-time document collaboration within the app and an automatic Outlook sync. It scales well too, Teams can handle everything from small-group chats to company-wide town halls.

However, Microsoft’s privacy practices have long faced criticism. Concerns range from auto-enabling features that collect user data to bossware features such as location tracking and the volume of data they collect.

Strengths:

Part of Microsoft 365
Scales from small teams to large organizations
Seamless integration with Microsoft software

Keep in mind:

Auto-enabled features may collect user data
Includes location tracking capabilities
Significant data collection across Microsoft products

Connecteam

Best for: Deskless teams

Connecteam is designed for teams that don’t work in corporate environments, such as retail and healthcare. The app-based design combines chat, announcements, and employee directory in one place, making it seamless for cross-team communication. It includes operation-centric features such as scheduling, time tracking, and task management to make it easy to manage a distributed, deskless team.

Some features of Connecteam can raise privacy concerns for your team. The app collects extensive data, including location data, that is shared with employers and may also be used for targeted ads. However, Connecteam assures that it handles data in compliance with regulations such as GDPR and HIPAA. It is also ISO 27001 and SOC 2 certified.

Strengths:

Mobile-first design for field teams
Includes scheduling and time tracking
Bridges communication between corporate and frontline workers

Keep in mind:

Collects extensive data, including location data
Data shared with employers and potentially advertisers
May raise privacy concerns for your team

Haiilo

Best for: Employee engagement

Haiilo is an internal communication tool focused on employee engagement. It functions like a private social network for your organization. It is built to foster company culture and streamline communication, and allows your employees to share content on their personal social networks. As an internal communications tool, it is more specialized than the other options on the list.

Haiilo is geared towards large enterprises with large workforces. It may be more than you need for smaller organizations. The platform collects data on behalf of employers, who control how it is used. This means you are responsible for how employee data is handled, and employees may not have opt-out rights.

Strengths:

Designed specifically for employee engagement
Centralized hub for company updates
Encourages employee advocacy

Keep in mind:

Better suited for large enterprises
You control employee data
Employees may have limited opt-out rights depending on your setup

Proton Workspace

Proton Workspace Best for: Organizations that need a secure, compliant alternative to Google Workspace or Microsoft 365

Proton Workspace is a fully encrypted productivity suite that replaces the tools your team already uses — email, calendar, file storage, documents, spreadsheets, and video meetings — without the data exposure that comes with mainstream platforms. End-to-end encryption is built into every product, meaning your data is protected in transit, at rest, and from the platform itself.

For compliance-driven organizations, Proton Workspace offers a defensible answer to auditors: zero-knowledge architecture means no one — including Proton — can access your data. Swiss jurisdiction puts it beyond the reach of FISA court orders and the CLOUD Act. Workspace Premium includes Lumo, a privacy-first AI assistant that doesn’t use your data for model training.

Migration from Google Workspace, Outlook, or other providers is handled through Easy Switch, with no engineering resources required.

Strengths:

End-to-end encrypted across every product
Zero-knowledge architecture — your data is inaccessible even to Proton
Swiss jurisdiction, outside US legal reach
ISO 27001 and SOC 2 certified; GDPR and HIPAA compliant
Open-source code, independently audited
Lumo AI assistant included in Premium (data never used for training)

Keep in mind:

Fewer third-party integrations than Google Workspace or Microsoft 365
Lumo is available on Workspace Premium only
Teams migrating complex workflows may need adjustment time

Keep your business communications private

The right internal communication tool depends on how your team works, but privacy shouldn’t be a tradeoff. Look for team collaboration tools that offer end-to-end encryption by default.

Frequently asked questions

How do I choose the best internal communication tool for my business?

Consider your business’s needs, such as your team’s distribution and the type of communication they rely on most.

Next, evaluate how the choices integrate with your existing software, or if they’re part of a suite that is easy to migrate to.

Lastly, consider the platform’s security. Business communications are highly sensitive, and you should choose a tool with robust privacy protections.

Is internal communication software secure?

Not all of them are. Many platforms collect user data and use basic encryption that keeps the providers in control of your data.

Third-party integration (such as with AI assistants and note-takers) also creates additional security concerns as each app operates under its own privacy policy.

Security should be a priority when choosing business communication software. Choose tools like Proton Meet and Proton Mail that protect your data with end-to-end encryption by default, ensuring your communications and data are accessible only to intended recipients.

Can internal communication tools replace email?

Not entirely. Email itself is an internal communication tool. Other tools, such as instant messaging and video conferencing software, complement email communication, enabling quick collaboration and coordination among teams. However, email is still essential for external correspondence and formal communications.

Introducing Proton Drive CLI: Use Drive from your terminal

Michal Hořejšek — Tue, 09 Jun 2026 11:53:13 GMT

Last week, we finished launching the Proton Drive SDK, a shared engine designed to harmonize Proton Drive across all platforms and to bring you the features you need faster. Today, we’re taking the next step: Proton Drive CLI is here, available for Windows, macOS, and Linux.

The CLI brings the power of our cloud storage and end-to-end encryption to scripts, backups, and deployment pipelines without the hassle of writing code. It’s built on the same Proton Drive SDK that powers our official Proton Drive client applications, and is fully interoperable with them.

For our developer community: While we are developing our fully-featured Linux app, the CLI already allows you to script a lot of Proton Drive’s key features from your favorite scripting environments (or even schedule jobs with cron). The CLI is intended to complement the Proton Drive application. It’s not a full replacement — for example, only the applications include a full synchronization engine that runs in the background — but rather a way to achieve many goals from a lightweight scripting environment.

What is the CLI?

A command-line interface (CLI) is a program you run from a shell, such as Terminal, PowerShell, or SSH. You pass a command and arguments, it does the job, and exits. Like other Unix command-line tools, you can pipe and script the Proton Drive CLI together with other tools into larger workflows.

The Proton Drive CLI is a single binary you can drop into that world. It supports common Drive operations such as listing folders, uploading and downloading files, trash, sharing, or invitations. Results are displayed in plain, readable text by default — and if you’re building automation on top, you can switch to a machine-friendly format using the --json (or -j) parameter.

How does Proton Drive CLI help?

Until now, using Proton Drive as part of an automated workflow — alongside tools like deployment scripts, backup jobs, cron, or internal runbooks — meant either doing it manually (like opening the app or dragging files) or reverse-engineering Drive’s internals to write custom scripts that were brittle and hard to maintain. The CLI changes that by allowing you to run Proton Drive operations directly from the terminal. It can, for example, upload files after a build finishes, back up a folder on a schedule, invite a reviewer, or check what’s been shared.

This is especially useful when you need a specific action to happen at a specific time, rather than keeping folders continuously in sync, such as publishing files after a release, taking a snapshot of a shared folder before an audit, or revoking access when someone offboards. The CLI runs the operation, tells you if it worked, and exits.

It’s a natural fit for anyone who already works in the terminal and for teams who want their Drive workflows written down as repeatable commands rather than a series of clicks to remember.

Get started with Proton Drive CLI

At launch, the CLI covers the essentials: sign in and out, browse and manage files and folders (including trash), and handle sharing and invitations.

A few typical flows:

proton-drive auth login

# Upload files from local directory to folder in My files
proton-drive filesystem upload ./reports/* /my-files/Reports --conflict-strategy skip

# See who has access, then invite a colleague
proton-drive sharing status /my-files/Reports
proton-drive sharing invite --user example@pm.me --role editor --message "Please review reports" /my-files/Reports

# Download to a local backup directory
proton-drive filesystem download /my-files/Reports ./backups

For the full command set and flags, run proton-drive help or proton-drive <command> --help. For example, proton-drive filesystem upload --help.

Find out more about using the Proton Drive CLI.

What comes next

Upcoming additions to the Proton Drive CLI include support for:

Photos and albums
Files and folders shared using a secure, public link
Multi-account support for larger teams and managed service providers

Our long-term goal is to bring everything you can do in the Proton Drive app to the command line.

Download Proton Drive CLI

The fastest way to get started is to download the pre-built binaries for your platform:

Download Proton Drive CLI

On macOS and Linux, you’ll need to make the file executable after downloading (chmod +x proton-drive). Once that’s done, run proton-drive version to confirm the build.

Sign-in happens through your browser — no password on the command line. Your sessions are stored securely by your operating system (Windows Credential Manager, macOS Keychain, or libsecret on Linux).

Build from source

Prefer to build from source? The CLI is implemented in TypeScript, packaged with Bun, and available for download in the Drive SDK repository. After cloning it, you can install the dependencies and build the CLI from the main directory:

cd js/cli
bun install
bun run build
./release/proton-drive auth login
./release/proton-drive filesystem list /my-files

See the CLI README in the repository for more details.

Fair use and rate limits

Proton Drive CLI follows the same fair use policies as all Proton Drive clients. To stay within limits, only upload or download what has actually changed — don’t reupload the same files repeatedly or rewrite entire folders when only a few files are new. Accounts that generate unusually high traffic are temporarily throttled to protect the service for everyone.

Now in your terminal, with the same level of privacy

Proton Drive CLI is available today, and more features will soon follow. Everything you do through the terminal is protected by the same end-to-end encryption as the rest of Proton Drive. Download it, try it, and let us know what you build. And if you’re on Linux: a full-featured desktop client with sync is on its way.

What to look for in an AI assistant

Alanna Alexander — Mon, 08 Jun 2026 18:37:16 GMT

AI assistants have promised what most businesses lack: Efficiency without any additional cost.

They can summarize your emails, respond on your behalf, decide which messages need decisions, automate calendar events, extract information from your documents, and even organize them.

For a founder or executive at a small or medium-sized business, where needs outpace resources, it can feel like a wish granted just in time. All it asks of you is absolutely everything — access to your inbox, calendar, files, and even confidential business information.

As much as 69% of firms are already using AI assistants like ChatGPT, Claude, and Grammarly — but 30% are unsure or don’t trust AI companies to safeguard their proprietary business data.

The trade off isn’t obvious at first. But what SMBs get in efficiency, they pay for in security.

The price of efficiency

When you connect your Gmail, Google Drive, or calendar to a tool such as Perplexity’s Comet, you’re granting it OAuth permissions — often beyond ‘view’ access. Depending on the scopes requested, the tool may be able to download contacts, control your entire calendar, and even write emails on your behalf.

These permissions are technically disclosed during the authorization flow, but most users don’t fully evaluate what they mean in practice. Once granted, the tool can access and process sensitive company data at scale.

The same pattern applies to other AI assistance workflows. Indexing internal knowledge bases, summarizing proprietary documents, or contextualizing company data, they all expand your exposure.

When you don’t know what access you’ve granted, you can’t accurately assess the risk you’ve introduced.

How much AI assistants and browsers can see

You know AI browsers like Perplexity’s Comet or ChatGPT’s Atlas can read the page you’re on, summarize it, and rewrite text. But did you know it can act on your behalf?

Because the efficiency depends on deep integration, the assistant needs visibility into your browsing activity and may request access to connected accounts. In some cases, it can trigger actions rather than simply generate text.

This is the architecture of AI agents more broadly. They’re designed to act across connected systems. A single compromised or manipulated agent can move through your email, calendar, files, and credentials in sequence.

That’s a consequence of how these tools are built. It creates a surface that researchers are already finding ways to exploit.

Security researchers have already demonstrated how hidden instructions embedded in web content can manipulate these systems in unintended ways.

One recent exploit, “CometJacking,” demonstrated how instructions embedded in URLs could manipulate the AI into accessing personal or company data or executing harmful actions without the user’s knowledge.

Vendors respond quickly with patches and safeguards. In this case, Perplexity responded with a four-layer safeguarding approach. But the pattern highlights something more fundamental: These tools are designed to interpret and act.

Even Perplexity states in their Privacy Policy: “No security measures are impenetrable, and we cannot guarantee ‘perfect security’”. The question isn’t whether a tool is secure now. It’s whether you’re comfortable with how much access it requires.

Where the burden of privacy lies

AI vendors emphasize privacy controls and opt-outs. Perplexity’s Comet Assistant, for instance, assures users that “Comet Assistant puts you in control”.

But those controls assume something incorrectly: that users understand how their data is processed, actively configure the relevant settings, and monitor how policies evolve over time.

In practice, most don’t. According to Proton’s 2026 SMB Cybersecurity Report, 43% of SMBs say they can’t independently verify provider privacy, and 35% don’t understand how providers handle their data at all.

Some information may be excluded from model training. Other data may be retained to improve personalization. Policies can differ across features and change as products develop. Turning off certain functions may limit the very capabilities that make the tool attractive in the first place.

In that environment, privacy is no longer a static product promise. It becomes an ongoing operational responsibility.

The burden shifts to you, the user. You must decide what data can be shared, to monitor policy updates, to configure settings appropriately, and to reassess risk as the product evolves.

This page collects practical guides and explainers on AI privacy and security, so you know exactly what you’re working with.

Features of a private AI assistant or AI-powered browser

Your team should be able to use an AI assistant without concern that every interaction is being stored, profiled, or used to train the next version of the model.

No data logging. By default. Your team should be able to use an AI assistant or agent without concern that every interaction is being stored, profiled, or monetized. If a tool builds “memories” or “preferences,” you should ask: Who controls this data? Is it truly off by default, or is it buried in settings? And if I turn it off, what product capabilities do I lose?
No model training on your business information. Business documents, partners’ information, reports, or plans should never be used for AI model training. This is not only a fairness concern but also a security matter, as the data can resurface in incidents you cannot control.
Real transparency. Transparency builds trust, but only if it’s real. This means that you should be able to understand, at every step, how your data is handled and what principles guide the product. If you need to spend two hours parsing Terms & Conditions that contradict your actual experience with the tool, that’s not transparency. It’s just a tagline.
Zero-access encryption. With zero-access encryption, your data is protected by keys that only you control—not even the provider can read it. This removes the need to trust policies or promises because the architecture makes misuse technically impossible.

Most AI tools extract value from the businesses that use them. Your conversations, documents, and files feed model training, audience profiling, and in some cases government data requests — typically without meaningful disclosure or consent. Not Lumo.

Lumo is the AI assistant built for businesses that refuse afford to hand over their data for convenience. Zero-access encryption, no data logging, no model training on your business information.

Try Lumo for free

Why business data security is a growth issue, not just a tech problem

Alanna Alexander — Mon, 08 Jun 2026 12:27:32 GMT

No business owner wants their company to become the cautionary tale LinkedIn influencers post about.

But anyone with entrepreneurship experience will know that every part of your business demands attention in the first 100 days. Everything from product development, marketing, fundraising, to hiring is a fire to put out.

That’s why business data security becomes an afterthought, only getting attention when something goes so wrong you can’t ignore it.

That could be a breach that exposes sensitive client data, a ransomware attack that stops every area of operations, or a compliance failure that only comes to light during a pre-investment security audit.

Those events aren’t tech problems. They’re growth problems that affect whether customers trust you, whether deals close, and whether you can scale without rebuilding everything from scratch. And it all comes down to business data security.

What is business data security?

Business data security is how your company controls what data it holds, where it lives, who can access it, and what happens if something goes wrong.

In practice, that means choosing the right tools to store and share your business data, deciding policies to govern who has access to what, and setting defaults for how every team handles sensitive data.

Keep reading to learn why building security into the foundations of your business helps it grow faster.

Should business data security be a part of your growth infrastructure? Key factors to consider

The way you handle data early determines your ability to grow later.

It affects three concrete things — whether customers trust you, whether you can win and close enterprise deals, and whether you can scale without stopping to untangle early mistakes.

Trust

Security is now a selling point. Whether you’re selling to enterprises or consumers, trust is what wins and keeps customers.

Businesses want clear answers about how you handle data before they sign anything. That transparency builds confidence and assures potential clients their data will remain safe in your hands.

Consumers want to know their personal data isn’t being mishandled. A public breach tells them otherwise.

Compliance

SOC 2, GDPR, and HIPAA are often prerequisites for enterprise and government contracts. Those certifications determine who you can sell to and how quickly deals close.

When your security posture is documented and auditable, you spend less time answering due diligence questionnaires and more time closing.

Momentum

Early security shortcuts are just points of friction that you’ve deferred. When enterprise or government contracts ask about data access levels during due diligence, those shortcuts surface as a tangled web of unclear permissions that slow everything down at exactly the wrong moment.

The risk of patchwork security

Four in five small businesses have suffered a recent data breach, and a single incident can cost over $1 million.

These cybersecurity threats are common and expensive. Yet, many startups rely on default security settings from a patchwork of solutions.

A default browser password vault in place of a dedicated password manager, a free-tier cloud storage account cobbled together with a second when the first runs out of space, and a consumer messaging app the team already has on their phones. Each tool is technically in place, but none are configured to meet your business’s actual security needs.

That fragmentation has real consequences. You might see it in the onboarding/offboarding process, when access has to be granted or revoked manually across every tool, leaving dozens of former employee with an active login to your cloud storage.

Patchwork security also means no one has a complete picture of who has access to what. Gaps don’t announce themselves. They hide in the spaces between tools until something goes wrong.

Establishing secure defaults reveal security gaps. When there’s a standard for how data is stored, shared, and accessed, anything outside that standard stands out, like unusual access requests or unexpected 2FA requests. Without defaults, nothing looks unusual, so security gaps hide in plain sight.

Where do you start with business data security?

It’s impossible to solve every security problem on day one. Instead, build a strong foundation that covers how data moves, where it lives, and who can access it.

Secure your business email

Businesses live on email, so make sure you choose an encrypted email solution. End-to-end encryption protects your emails from unauthorized access, rendering their content unreadable to snoops. This is important protection, as unsecured email leaves sensitive communication exposed.

Store data in encrypted cloud storage

Your intellectual property, customer data, and financial documents all need secure storage. Choose encrypted cloud storage with built-in granular access controls to ensure only the right people can access sensitive data.

Control identity and access

Ensure that every team member has individual credentials, not shared accounts, and that they use a password manager. This way, you can control access levels to match their roles, so you don’t have to default to admin permissions for everyone. Equally important, ensure access is completely revoked when an employee leaves.

Make business data security your growth advantage

Proton for Business is the simple way to build a strong security foundation for your business.

With encrypted email, cloud storage, VPN, and a password manager in one secure, compliance-ready suite. It’s how over 50,000 businesses have built their security baseline without adding complexity. Get started for free.