Proton Meet Privacy Claims Under Scrutiny: Built on US-Based LiveKit Infrastructure
An investigation has revealed that Proton Meet, marketed as a privacy-first alternative to Zoom and Google Meet, is built entirely on LiveKit Cloud — a US-based company incorporated in California and subject to the CLOUD Act.
The Core Contradiction
Proton's launch blog explicitly cites the US CLOUD Act as the reason to switch from competitors: "laws like the US CLOUD Act can compel US-owned video conferencing platforms to hand over any data." Yet Proton Meet runs on LiveKit Cloud, which is:
- Incorporated in California, governed by California law
- Subject to FTC jurisdiction
- Explicitly cooperates with law enforcement on subpoenas
- Runs on Oracle Cloud (Phoenix, AZ) and Amazon EC2 (Oregon)
Supply Chain Analysis
Every sub-processor in the chain is American:
| Provider | Jurisdiction |
|---|---|
| LiveKit | US (California) |
| DigitalOcean | US |
| US | |
| Oracle | US |
| Cockroach Labs | US |
| Datadog | US |
Privacy Concerns
- LiveKit independently owns call records as a data Controller
- LiveKit can hand records to US law enforcement without notifying Proton
- Telemetry always goes to US regardless of selected "pinned region"
- LiveKit was omitted from Proton's main privacy policy (buried in sub-policy)
- 90-day tracking cookie set before any login
Marketing vs. Reality
Proton claims nobody can access calls, "not government agencies. Not even us." LiveKit's privacy policy states they cooperate with government agencies on law enforcement requests.
Broader Implications
This case raises important questions about privacy washing in the tech industry — when companies market products as privacy-preserving while their infrastructure tells a different story.