How Swiss-based ProtonMail is making your email communications surveillance proof
Harshith Mallya & Sindhu Kashyap
Set up by four CERN scientists in 2013, ProtonMail is an end-to-end encrypted email service. The startup's newest product, ProtonVPN, will further its long-term vision of making internet communications more secure.
In 2013, the world woke up to a real-life Big Brother, a la George Orwell’s Nineteen Eighty-Four. The concept of mass surveillance—till then encountered in books and movies—grabbed the spotlight when Edward Snowden, a former CIA and NSA contractor, leaked documents revealing that the US government had conducted extensive internet and phone surveillance.
The thought that everyday emails, social media and chat conversations were being monitored was too much to handle for a group of engineers and scientists at CERN, or the European Organisation for Nuclear Research, in Switzerland.
Born in the CERN cafe
Dr Andy Yen, Dr Bart Butler, Jason Stockman and Wei Sun felt strongly about this needless scrutiny, and they started ProtonMail, an end-to-end encrypted email service, by the end of that very year.
In a conversation with YourStory, Andy, a PhD in Physics, says,
“The idea of ProtonMail was born in the CERN cafeteria. All of us were scientists working on the Large Hadron Collider, the world's largest proton collider. That was the origin of the name ProtonMail.”
On its website, ProtonMail claims that its infrastructure resides in Europe's most secure data centre in Switzerland, underneath 1,000 metres of solid rock. The team decided to start ProtonMail in Switzerland, a country specifically known for strict privacy laws. The idea was just one: To help people protect their online communications.
Unlike other email providers, ProtonMail requires two passwords, making it doubly secure. Andy says there is “no discrimination” on who needs privacy and security online.
ProtonMail’s users come from every corner of the world and include journalists, activists, governmental employees, dissidents, celebrities, cyber security experts, people in insecure environments and forward thinkers.
Today a team of 30 people, Proton uses client-side encryption, which protects email contents and user data before they are sent to its servers, unlike Gmail or Hotmail. This ensures privacy and security.
Andy says the minute a company gives a product or service for free, they use data as a base to make sales. And that data is the customer’s data.
“The internet has been designed as a tool for freedom, sharing information and knowledge. It has now become a tool of mass surveillance. There never has been a moment in history when the volume of data available online is so high. The internet has gone very far from the original founding principles. And in many countries, if you use the internet to truly express yourself, you end up in prison,” he says.
ProtonMail raised seed funding of $2 million in March 2015 and has over two million users. It follows in Dropbox’s footsteps with a “freemium” business model, charging customers only when they need additional services.
The team recently announced an added virtual private network (VPN), a tool that secures the internet connection by masking the device’s IP address and encrypting traffic. If a system is connected to a VPN, all online activity passes through the VPN, shielding information from surveillance.
ProtonVPN provides a secure core architecture across countries and comes with built-in Tor support. Tor is free software that enables anonymous communication.
A free version of ProtonVPN is available; it provides access in three countries, doesn’t offer the core network or Tor services, and is restricted to one device.
Those who want deeper levels of privacy and security can choose from plans priced at $4, $8 or $24 per month for access across 14 countries, higher speed servers, more device connectivity along with secure core and Tor support.
As CERN scientists, working in a place where the web was created, the team wondered what they could do to ensure that the internet could reach its full potential – representing freedom of speech, expression and democracy.
Andy says one of the core challenges when they released their minimum viable product (MVP) was that they got 10,000 users per day, when they had built it for a few hundred.
“So we essentially had a piece of software that was designed for a few 100 people and we had to work around it to hold over 10,000 users and more,” he says.
After ProtonMail was launched, several others announced end-to-end encryption. Apple is one of them, as is Gmail, which recently stated, indirectly, that it would stop scanning emails to show personalised ads.
But Andy has a point to make. He says Gmail will no longer “read your emails for ads, but Google will still read your emails”. And fundamentally, because they do not utilise end-to-end encryption like ProtonMail, they will always “retain the ability to read user emails”.
“At its core, Google is an advertising company, which means that Google's customers are not its users, but rather advertisers. Perhaps Eric Schmidt put it best when he said that Google's policy is to ‘Get right up to the creepy line and not cross it’. Unless this changes, users of Google's consumer services will always be the product, as there is no economic incentive for Google to put user privacy first,” he says.
The world of end-to-end encryption
ProtonMail is one of the recent email service providers offering end-to-end encryption. Others include Lavabit, which was established in 2004 and favoured by Edward Snowden. But the company had to stop operations in 2013 after the US government demanded encryption keys to track Snowden. As of June this year, the company is believed to be relaunching. Apart from Lavabit, Mailfence and Tutanota are also in the picture.
Speaking about ProtonMail, Aditya Patri, 23, a techie and a software engineer in Bengaluru, says: “Their security measures are so advanced that even Proton creators can't read our emails. Now that's taking privacy to the next level.”
The company stores emails on an encrypted disk, making them undecipherable without a password. Andy says: “Encryption is a field of active development, and there are stronger and stronger encryption algorithms constantly being developed.”
He adds that 2048-bit RSA (a public-key encryption technology) is considered very secure. However, security is only as good as the weakest link, and encryption is almost never the weakest link.
“This is why we also recommend that people take steps to protect their personal computing devices, installing latest patches and updates,” he explains.
With a push away from e-mails seeming likely, will ProtonMail look at different forms of communication?
Andy believes that there always will be a use for email, as it is the world's largest federated communications system and unlikely to change anytime soon.
“The demise of email has been predicted numerous times since the early 1990s, but it’s still around. Email's power comes from its interoperability, and the fact that it is open and available to anyone, and not dependent on any centralised system,” he explains.
If you’re worried about email safety and security, you now know where to go.