ProtonMail: A free email service for a world of privacy

When it comes to preserving personal liberty and privacy in America, there are only so many routes a citizen can take.  Involvement in the political process to prevent legislators from passing intrusive, limiting laws is certainly one avenue.  Developing the courage to push back against laws already in place is most definitely another (if an uphill and daunting one).  But what happens if elected officials continue to pass such laws and you aren't in a position to effectively stop them?

Well, sometimes the only avenue left is protecting yourself.  Thankfully, a number of entities are willing - and able - to assist in that effort, providing services and software that increase the difficulty of those seeking to gather up your private communications.  Swiss-based ProtonMail is such a company, offering a free email service that provides end-to-end encryption for its users, and encryption options for communicating with non-ProtonMail clients.

Before going into any detail about ProtonMail's services, let's talk about some misconceptions regarding electronic privacy in general.  After all, just the phrase "email encryption" can conjure up head-spinning technical mumbo-jumbo, and even accusations of tin-foil paranoia or embarrassing James Bond fantasy indulgence.  

  • The fact is, the United States government is performing mass-collection of data.  Take a moment and let that sink in.  It is very likely that, despite your having done nothing wrong and the government currently having absolutely zero interest in you personally, some if not all of your email, text and cell phone communications have been intercepted, scanned, and very likely stored.  This isn't speculation, this is fact, as attested to (eventually) by the head of the NSA, James Clapper.  There's nothing "tin-foily" about it.  It's nothing personal, it's what they're doing to all of us.
  • Next, you don't need to have something to hide to want to keep your communications private.  Just because our government can and does mass-collect citizens' communications doesn't mean we have to like it or make it easy for them to read.  You have a right to privacy.  If they believe you've done something so horrible, they should have no problem getting a judge to sign off on a warrant.  And if you think you only want privacy because you have something nefarious to hide, as the folks at ProtonMail so succinctly wrote, "does that mean that only criminals have curtains over their windows?"
  • Finally, encryption in its simplest form means scrambling things so they aren't easily read by someone who doesn't know the secret unlock key.  The methods used to do that scrambling can be extremely sophisticated, layered, and complex - but you don't need to know any of that stuff.  ProtonMail's design philosophy states "[S]ecurity is not useful if it is not easy enough for mass adoption. It is simply difficult to convince people to adopt a higher standard of security if it forces them to do more work. So from day one, the principle guiding our architecture was that the end product cannot be more complex than Gmail."  Your job, as the end user, consists of remembering your passwords and to click the "encrypt this" checkbox.

Now that we've established that 1. your privacy is at risk, even if you're "a nobody," 2. there's nothing wrong with having curtains on your windows, and 3. the sophisticated means to protect yourself can be virtually seamless for you, let's talk about ProtonMail specifically.

"...[T]here are also critics who assert that by building ProtonMail, we are providing a powerful tool for criminals to evade the authorities. There is no denying that ProtonMail provides a high level of security and privacy for criminals, but one has to remember that the world does not consist of just criminals. There are also dissidents, and democracy activists living under authoritarian regimes where freedom of speech is not respected. Then, there are the rest of us, law abiding private citizens who simply want control over our online data.

We can either choose to live in a world where everybody is under surveillance, or a world where everybody (criminals included) has privacy. We feel that the right to privacy is a fundamental human right, and we are willing to fight and work towards protecting that right."

Developed by scientists and computer security staff from both MIT (Massachusetts Institute of Technology) and CERN (European Center for Nuclear Research), ProtonMail is a free, browser-based email service like Yahoo! Mail or Gmail, which means no software needs to be installed locally, and it can be supported on most mobile devices.  It offers a simple, familiar user interface, including support for file attachments, the ability to include signatures, and customizable display names.

However, ProtonMail isn't so much another email provider as it is a privacy provider.  Unlike those other free providers, ProtonMail doesn't log account users' IP addresses (the network address that lets a provider tie online activity back to you).  Further, they don't scan or archive your messages, or make use of targeted advertising based on your email's content.  This is, in part, due to ethical considerations by the creators but also because they can't access your encrypted messages even if they want to.

ProtonMail uses two layers of encryption: one on their servers, and one generated on your client system - the decryption key for your mailbox is derived from your mailbox password on your machine and is never sent to ProtonMail.  Even if the system administrators wished to peruse user messages, each mailbox would need to be decrypted individually to access the mail contained within.  If an outside entity were to hack or seize ProtonMail's servers, they would have to tackle the same issue after first contending with decrypting the servers themselves - no easy feat, as the company describes their servers as using "fully encrypted hard disks with multiple password layers so data security is preserved even if our hardware is seized."

As an additional safeguard, encrypted emails can be flagged with expiration dates, at which point the message is permanently deleted from the system (this feature isn't available if you deliberately send unencrypted messages to non-PM users).  Currently, the minimum "lifespan" you can assign is one hour, but there are plans to make that even more granular in future upgrades.

To set up an account, go to ProtonMail's main webpage and click on "Create Account."  You will be prompted to check availability for your desired user name and to enter a current email address for notification. ProtonMail is in beta and they are adding new users gradually over time.  You'll likely be waiting a number of weeks to proceed past this point.

Eventually, you will receive an email advising that your account is ready and inviting you to get started and create your encryption key. Clicking on their included link will take you to a very simple welcome page, advising you that you will need to come up with two passwords - one for your account and one for your mailbox. And that is the sum total of the effort required.  Three clicks and two passwords later, you will be configured and viewing your ProtonMail inbox.

DO NOT FORGET YOUR MAILBOX PASSWORD!  As mentioned earlier, this is never transmitted to ProtonMail and they will be unable to recover it for you.  Another published point of their design philosophy is "Trust the user not to be stupid."  If you elect to use a password of "1234" or "password", you deserve whatever you get.  Likewise, if you come up with an excellent, ridiculously complex password, you had best make sure you cannot possibly forget it.  The folks at ProtonMail expect us to be grownups.  Let us try not to disappoint them.

Once you're in your mailbox, you'll find yourself in familiar territory - aside from the color scheme, the layout looks virtually identical to Gmail's.  Commonly used text formatting is available, and both contacts and attachments can be added via UI or drag-&-drop. There doesn't appear to be a way to define new folders or to tag messages but this seems an insignificant inconvenience compared to the security advantages the service provides.

Clicking "Compose" generates a new email and begins to show its personality better, with a right-hand panel displaying simple options for encryption and expiration.  Encryption is automatic for other PM users but is optional for non-PM recipients.  If you select the "Encrypt for Outside Users" option, you will then be prompted to assign a password for the message as well as an optional hint. Encryption is also automatic as soon as you create your email.  Auto-saved drafts are as secure as any sent item.

There is also an option to set an expiration date for encrypted emails, allowing you to permanently delete the message anywhere from one hour to four weeks later.  This is only for encrypted messages and isn't available for unencrypted emails to non-PM accounts.  Once the specified duration has passed, the text is gone forever and will not be accessible by anyone.

Once the message has been sent, your recipient will see whatever you entered in your Subject line, but the body of the email will depend on your encryption choice.  If encryption was not selected for a non-PM user, they will see an email just like any other.  If it was selected, or the message was sent to another ProtonMail account, they will see only a notice that they've received an encrypted communication from you, a link to the message, and the expiration date of that message.  When they click on the link to retrieve the message, they will be prompted for the password assigned when the email was composed (this will have to be transmitted separately or agreed upon in advance).  Once it is correctly entered, the text is displayed in a browser window - it could be copied to the clipboard and pasted elsewhere, but there is no provision for forwarding it directly.  There doesn't appear to be any safeguard against too many invalid tries, or any counter that indicates how many times a message has been accessed (successfully or not).

Again, the service is still considered to be in beta testing, and there are some features - such as auto-logout after a period of inactivity and encryption of attachments - that will be added in the future.  They also plan to add PGP compatibility for ease of use with users of that software.  There's currently no issue with receiving emails with attached PGP messages, but ProtonMail doesn't encrypt or decrypt with it natively.

The developers are open about asking for evaluation and help, and have freely asked us, as their user community, to let them know if we encounter any bugs or usability issues.  I'd echo that request, seeing as how we all share what one might call a vested interest in having a solid defense against intrusion. I'd also recommend taking the time to review their Knowledge Base, Release Notes, and Security blog archives to get a feel for known issues as well as what's already being worked on for future releases.

Bugs aside, ProtonMail also specifically warns against vulnerabilities to the following attack methods:

  1. Compromised User – ProtonMail does not and cannot guard against a compromise of a user’s machine, such as keylogger software recording all of your keystrokes.
  2. Man-in-the-Middle (MITM) Attacks – This is a very rare and difficult attack that can typically only be executed by a strong adversary (like a government) and is generally a targeted attack. It cannot easily be used on a large scale to perform mass surveillance.  The attacker would have to actually send the user’s browser a modified version of the ProtonMail website which may secretly pass the mailbox password back to the attacker and typically requires using a forged SSL certificate. There are browser plugins in existence today which can be used to detect forged certificates and greatly reduce the risk of a MITM attack.
  3. Unauthorized backdoor – Another attack vector would be if an attacker somehow gained access to ProtonMail’s servers in Switzerland without notice. The attacker would have to gain control of the server, instantly change the behavior of code scanners, and then modify the software without anybody at ProtonMail noticing. The odds of this being successfully executed are quite low.

Despite Forbes' labeling of "NSA-Proof," ProtonMail is the first to tell you that they offer "good (but not perfect) protection for the vast majority of users."  The service would do you little good if you were the specific target of a powerful government focusing vast resources on decrypting your data (of course, if that was the case... see the comic at the top of the page).  However, it helps to add intricate layers of difficulty for random, mass surveillance and, as they describe, "is an example where ‘good privacy’ can act as a meaningful substitute to ‘perfect privacy’."

We'll continue to evaluate this offering and will post any new developments or shortcomings we find.  For now, it seems like an excellent option for privacy-minded individuals looking to keep their communications' curtains drawn against any Peeping Toms.