Imagine that you gave birth to a true masterpiece, a meme so good you must share it with your epic, based, and redpilled friends. But, since the day you first read about online you have been wielding a vendetta against three-letter agencies, and you would rather give up your child to a gang of furries than make your dedicated FBI agent smile.
You’re on a watch list – no doubt; your meme is banging – no doubt. You know they’re watching, but the urge to share some laughter with your mates is too strong. So, how do you do it? You’re not stupid enough to use Zuck’s Facebook or WhatsApp, and your friends refuse to use the objectively better apps such as Signal or Telegram (maybe they are not as based as you initially thought). So, what do you do?
ProtonMail. Everyone has an email and almost everyone on our side of the internet uses ProtonMail as their email service provider. It says on the front page of their website that it’s private, open-source, and end-to-end (E2E) encrypted; it is also based (in Switzerland) – or so they say. So, it must be good, right?
Sadly, just like VPNs, it’s overrated when it comes to security and privacy. The most important point to take away from this article is that emails are an outdated communication technology and should not – must not – ever be used to organise a dissident movement or for any communication related to questionable activities.
Many do not realise that all inter-domain emails (e.g., from a Gmail account to a ProtonMail account) are NOT encrypted in any way or form. The US government, your government (and a few others as well), your ISP, and advanced hackers are listening and most likely saving all emails to databases. If you think about it a little, it’s not that surprising: just remind yourself of all the email leaks of the last decade or two, such as ClimateGate and Emailgate. For this reason, HIPAA/GDPR prohibits sending medical records by email, although it seems like this is slowly changing – more on that later.
Nevertheless, ProtonMail claims that they encrypt emails for a reason – they encrypt intra-domain emails, i.e., those sent from one ProtonMail account to another. It sounds great, but again there are serious privacy flaws present.
All emails have something called metadata, which includes the machine name of the source computer, the IP address of the sender, the IP address of the email server it connected to, timestamps, the email addresses of sender and receiver, and the size and subject line of the email. This is a lot of information, and what’s worse, it cannot be encrypted if the message is to comply with current email protocols. Moreover, ProtonMail saves all that data on their servers, which means that not only do they know who you are talking with, but any alphabet org. with a cooperation agreement with the Swiss government can issue a subpoena to read all of this information themselves.
So, email communication, in general, is not safe; however, there are a couple of ways to maximise your privacy when you are forced to use email. The first is to host your own email server, which requires cybersecurity expertise and some funds to pay for the server – clearly, it’s not for everyone. The second method is cheaper, although it might be a bit tricky for some to set up: encrypt your emails ‘by hand’ before sending them (note that the metadata will still not be encrypted). Interestingly, Edward Snowden encrypted all his emails himself and used Lavabit as his service provider, which shut down in 2013 as they would rather go out of business than let the US feds get their dirty hands on Snowden’s emails.
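To make the metadata point concrete: even when the body is encrypted ‘by hand’, every header stays in plaintext for each relay (and anyone who subpoenas it) to read. The script below is an added example for this article, not code from ProtonMail or any provider; it parses a constructed message (documentation-range IPs, .test domains, and a fake OpenPGP-armored body that is not real ciphertext) with Python’s standard library and lists exactly what such a message leaks: sender and recipient addresses, subject, date, size, every hop’s hostname and IP, and in particular the IP of the machine the sender typed it on.

```python
"""Show which email fields remain readable when only the body is encrypted.

Added illustration for the metadata discussion; the message below is
constructed for this example and is not a real email or provider data.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample (not a real message): relayed through two hops, with an
# illustrative PGP-armored body that is NOT genuine ciphertext.
RAW_MESSAGE = b"""Received: from mx.example-provider.test (mx.example-provider.test [203.0.113.10])
\tby mx.recipient.test with ESMTPS; Sat, 12 Jun 2021 14:03:27 +0000
Received: from alices-laptop (cpe-198-51-100-7.isp.test [198.51.100.7])
\tby mx.example-provider.test with ESMTPSA; Sat, 12 Jun 2021 14:03:25 +0000
From: alice@example-provider.test
To: bob@recipient.test
Subject: weekend plans (the meme you wanted)
Date: Sat, 12 Jun 2021 14:03:24 +0000
Message-ID: <constructed-0001@example-provider.test>
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

hQEMA0ZaUmNvbnN0cnVjdGVkAQf9FakeCiphertextForIllustrationOnly00000000
=abcd
-----END PGP MESSAGE-----
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server>" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+?)?\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def parse_received(value: str) -> dict:
    """Pull hostname, IP, receiving server and timestamp out of one Received header."""
    norm = " ".join(value.split())  # unfold continuation lines, squeeze whitespace
    match = RECEIVED_RE.search(norm)
    timestamp = norm.rsplit(";", 1)[1].strip() if ";" in norm else None
    if not match:
        return {"raw": norm, "timestamp": timestamp}
    hop = match.groupdict()
    hop["timestamp"] = timestamp
    return hop


def extract_metadata(raw: bytes) -> dict:
    """Return everything a relay or subpoena can read without touching the ciphertext."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Each hop prepends its own Received header, so the last one is the origin.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # transit order: sender's machine first
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
        "message_id": str(msg["Message-ID"]),
        "size": len(raw),
        "hops": hops,
        "origin_host": hops[0].get("helo") if hops else None,
        "origin_ip": hops[0].get("ip") if hops else None,
        "body_is_pgp": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    meta = extract_metadata(RAW_MESSAGE)
    print("Body encrypted:", meta["body_is_pgp"])
    for key in ("from", "to", "subject", "date", "message_id", "size", "origin_host", "origin_ip"):
        print(f"{key:>12}: {meta[key]}")
    for i, hop in enumerate(meta["hops"], 1):
        print(f"       hop {i}: {hop.get('helo')} [{hop.get('ip')}] -> {hop.get('by')} at {hop['timestamp']}")
```

Running it prints the sender’s laptop hostname and ISP address (198.51.100.7 in the constructed sample) alongside a body that is unreadable; that gap between an encrypted body and a plaintext envelope is the whole point of the paragraph above.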
Coming back to ProtonMail, is it better than other services like Gmail? Well, it’s hard to say.
Firstly, I would like to mention that there are a few other email services like Tutanota that advertise themselves as privacy-respecting with E2E encryption; Tutanota especially is worthy of consideration, not necessarily for their security as they don’t differ much from ProtonMail, but simply because they have an option to sign up for free and without a phone number.
Now, ProtonMail may be better than Gmail, as Google is openly partnered with the NSA and is well known for having more interest in every detail of your personal life than even the most enthusiastic members of your family. Google will try to eavesdrop on all your online activity, but they have billions of accounts and pay no particular attention to you specifically (unless you made your way onto some kind of watch list); all they care about is making money, which they do by selling the data and using it for targeted advertising. Overall, if you do not plan to include any incriminating data in the email, it may be a good idea to stay with Gmail and ‘hide in plain sight’ among the other 1.8 billion users.
ProtonMail, on the other hand, is known for its ‘security’, which makes it a prime target for hackers (it’s a badge of honour to compromise such a service, and any data they manage to steal from it could be worth extra). Also, the alphabet boys know that the kind of person who uses ProtonMail most likely does it for no good, so they will be hasty to connect a glowing box to its servers that allows them to eavesdrop on all data while legally forcing the company to keep its mouth shut. The company claims to have passed an ‘independent security audit’ – great, but how do we know that the feds didn’t hijack their servers after the audit? And it does not matter how many audits you pass or how safe your code is if you store user data on servers that three-letter agencies can simply subpoena. According to ProtonMail’s transparency report, they received 13 orders from Swiss authorities back in 2017 – but that had quickly increased to well over three thousand (3,572 to be exact) by 2020.
Anyway, there is one thing that is decent about ProtonMail: even if they are spooky, they only spook around your emails, and with the option of using TOR to sign up to their service it might be easier to hide your IP/location, overall making it a little bit more anonymous than Gmail.
But…
There is a lot of questionable activity on the part of the ProtonMail company. For a while, their Onion site would redirect to a clearnet site (identifying the user) when setting up an account and would later require a phone number or another email for verification (a serious flaw for a company priding itself on anonymity; fortunately, it can be worked around). If these mistakes had not been repaired, it would have been very clear that it’s another honeypot; luckily for us, they fixed the problem. That’s a small issue, though, compared to the other stuff.
There is a lot of speculation about their origin story and their connection to government organisations. There are good reasons to believe the company was created under CIA/NSA oversight and, in fact, it is currently partially owned by the Swiss government, which, contrary to popular belief, is not very friendly to the idea of privacy, as can be seen from the 2021 story in which the baguette government, through the Swiss government, obtained the ProtonMail login IP of a French activist. The story is especially important as ProtonMail collaborated with EUROPOL on this case and set up IP logging for a specific user. Of course, it should have been expected – they are forced to obey the law, and these days the law allows the feds to get whatever you have in stock provided they get a warrant – but it is still sad to see such a company give in so easily to government demands. ProtonMail officially stated that they turn metadata over to law enforcement, and, as Edward Snowden revealed, the US government cares little about the content of emails and looks mostly at the metadata. This really cannot be held against just ProtonMail; it is an inherent problem of email services and of some other supposedly E2E encrypted communication services.
The serious problems undermining ProtonMail come from its close relation to the CIA/NSA (and possibly Mossad – if there is a connection, it’s either well-hidden or weak). The company has backtracked on its promise to remain independent and has sold equity ownership to a US corporation with ties to President Obama and John Podesta; it is now also partially owned by the Swiss government and has/had software developers in key positions who are deep in bed with the CIA/NSA. More detail can be found here
As if that weren’t bad enough, the company engages in petty censorship on various forums mentioning its flaws and doesn’t provide a crypto payment method (the only anonymous method outside of cash-in-mail) to pay for the premium plans.
Interestingly, the official GDPR website mentions the following:
“When it comes to email, encryption is the most feasible option. As little as five years ago, that would not have been true. But email encryption technology has developed rapidly, and several companies now offer end-to-end encrypted email service.”
In the last sentence quoted, they provide a hyperlink to ProtonMail’s support page and include the following disclaimer:
“GDPR.eu is run by ProtonMail, the world’s largest encrypted email service, and funded in part by the European Union’s Horizon 2020 Framework Programme.” [emphasis added]
This suggests that the EU, too, has close ties with ProtonMail, which further undermines the veracity of any independence claims by the company.
Now, I know that not all that comes from the feds needs to be feared (a good example is TOR), but there are too many coincidences centred around a rather small company whose main job is sending emails, not spying on its users, resulting in ProtonMail glowing brighter than a laser tag match between the CIA and the ATF in a dark forest.
To conclude, emails are outdated and offer no privacy or security. When sharing potentially sensitive information it is much better to use, for example, Signal or one of its forks. However, as long as you do not plan to put self-incriminating information in your emails or do not converse with known criminals, is it really relevant which email service you are using? If it happens that some kind of ABC is building a case against you, emails shouldn’t give you the greatest headache – your mobile phone should. Your smartphone has much more valuable (to the Gardaí) information than your emails, and most likely it will be the first thing they will look into.
Nowadays, cyberspace is a central part of our society and our daily lives; if you truly care about your own privacy, you must become a cybersecurity expert. Hopefully, this short article has disillusioned you when it comes to emails, but it is just the tip of the iceberg – a small step on a long path to being proficient at anonymous meme-sharing with your epic friends.
Lastly, I will quote the great visionary and entrepreneur with an exotic taste in women and an even more exotic taste in drugs who certainly did not kill himself, John McAfee,
“ProtonMail is CIA and these platforms offer no privacy or security”.
What did Edward Snowden advise?
Don’t use email!
Just use an application named Signal.