Proton CEO: privacy in the age of AI is possible, but autonomous agents pose a new risk

Proton CEO Andy Yen believes that privacy in the age of AI can still be preserved — but for this the market will have to move away from the familiar model where all data flows into Big Tech clouds. The most troubling point he identifies is not the chatbots themselves, but autonomous AI agents, to which users voluntarily grant access to their mail, files, and other services.

Why anxiety is growing

At the Semafor World Economy conference in Washington, Yen reminded that the growth of AI goes hand-in-hand with the growth of risks. Such systems already help cybercriminals find vulnerabilities faster and steal data, and help governments and corporations scale surveillance. Meanwhile, the market still operates by the logic of compromise: the more data a model receives, the more convenient and accurate the service becomes. This is precisely why the question of privacy can no longer be considered niche — it is embedded in the very economics of AI products.

According to Yen, society has begun to better understand how Big Tech makes money from user data, but this understanding is distributed unevenly. Older generations more often value privacy, but don't always know how to protect themselves technically. Middle-aged people quickly adopt new tools for work and at the same time tend to overestimate their own control over them. Young users, conversely, understand the mechanics of advertising, algorithms, and tracking well, but often remain indifferent to it. Therefore, Yen calls not bans, but education the main defense.

Betting on local AI

Against this backdrop, Proton is building an understandable position: people need AI capabilities, but they don't want to give their conversations and documents to external platforms forever. Yen says that Lumo, the company's encrypted chatbot, is now growing faster than other Proton products. For him, this is a signal that demand for privacy-first AI has already moved beyond a narrow audience. Users are willing to try alternatives to Big Tech if they get not just a convenient interface, but a clear promise: their data will not become raw material for someone else's model or advertising system.

• Lumo — Proton's chatbot with a focus on confidentiality
• Proton Scribe — an AI assistant for emails that can be run locally on a device
• Proton Workspace — an encrypted alternative to Google Workspace and Microsoft 365
• Born Private — the ability to reserve a child's first email in advance, outside Big Tech ecosystems

Yen considers local AI the most realistic answer to the privacy problem. By his logic, the computing power of smartphones and laptops is growing rapidly, and models over time become not only larger, but also more efficient in compact versions. This makes on-device scenarios increasingly practical. Yes, products with encryption and local processing are more complex and expensive to develop than cloud counterparts. But Yen doesn't see a technical ceiling here: in his view, the question is not about a principal impossibility, but about time, engineering discipline, and implementation cost.

Where protection ends

The most dangerous scenario for Proton is not encryption being hacked as such, but AI agents to which the user himself grants access rights. If such an agent gains access to Proton Mail on the device, and then makes an error, leaks, or publishes data externally, the service's protection no longer helps. At this point, the problem shifts from the level of cryptography to the level of permissions and agent behavior. The more tasks a user delegates to autonomous systems, the higher the cost of one wrong action.

"You can have the strongest encryption in the world, but if a user themselves gave the agent access to their mail, and it goes off the rails,

Proton can't save you."

Yen acknowledges that theoretically Proton could make its own agent with stricter limitations, but that's not the company's main focus now. And his position here looks sober: even an ideal private service cannot compensate for careless automation on the user's side. If in the past the main fear was that the platform itself reads your correspondence, now a new risk emerges — you yourself connect an executor to it, one that acts quickly, at scale, and not always predictably. For the market, this is no longer a discussion about settings, but a new threat model.

What it means

Yen's interview shows a simple shift: the debate around AI is moving away from the question "do they collect data" to "who and on whose behalf acts with this data." For companies like Proton, this is a chance to make privacy a competitive advantage. For users — a reminder that encryption and local models are important, but in the era of AI agents, control over who you gave access to and what actions you permitted to be performed automatically is just as important.