Plenty of email systems claim to be highly secure. The newest of them, ProtonMail, attracted widespread attention after the main character on the hit hacking show Mr. Robot used it. But just how secure is it?
Email applications that say they're strong enough to foil government snoops and advertisers too often have chinks in their armor. In 2014, a federal judge forced the now-defunct secure email company Lavabit to turn over its encryption keys to the government, though Lavabit earlier claimed its service was “so secure that even our administrators can’t read your email." Going further back, we learned that encrypted email provider Hushmail was totally cool with spilling secrets to the government, which it did by grabbing user passwords to decrypt email and turning them over to law enforcement in plaintext. It, too, claimed that even its own admins couldn't read the encrypted email.
But ProtonMail, founded in August, 2013, by scientists who met while working at the European Organization for Nuclear Research in Geneva, seems to offer protections other email services don't. The service claims on its website that it “cannot decrypt or share your data with third parties." It also boasts extra legal protection because it’s based in Switzerland, a country with strict privacy laws. And it's attracting loads of backing---it raised $2 million in seed funding in March, and about half a million users have requested an invitation for a free 500MB account.
Let's start with ProtonMail's security advantages. It requires two passwords, which provides an added layer of protection.
“It’s actually really nice that they have two sets of passwords,” said Micah Lee, a technologist at the Intercept who focuses on privacy and cryptography. “The login password gets sent to the server, and that’s how you prove that your username is actually yours. And the second is the mailbox password, which never gets sent to ProtonMail’s server. The second password runs in your browser and decrypts your messages there.”
Another significant security perks is ProtonMail stores your email encrypted to disk, which means the emails would be undecipherable without your password if a government agency compelled the company to hand over your communications.
Of course, this doesn’t mean ProtonMail couldn't give the government plaintext messages---just that it would require ProtonMail to actively attack you and steal the required password. Most email services can much more easily hand over your communications because they store them in plaintext or in such a way that the service could easily decrypt them.
Now let's address ProtonMail's weaknesses. One of the big issues is that it isn't easy to know whether a message sent to another ProtonMail user is being encrypted to the recipient’s correct public key, which is stored on ProtonMail’s keyserver. For example, if Alice sends Bob a message encrypted to his public key, it's harder for anyone else to read the message. But since ProtonMail distributes the encryption keys to users, it has the technical ability to give Alice its own keys in addition to Bob’s, thus encrypting the messages in a way that would allow it to eavesdrop.
This problem is not unique to ProtonMail, says Joseph Bonneau, a technology fellow at the Electronic Frontier Foundation. Apple's iMessage and the now-encrypted WhatsApp have the same flaw. (Services like TextSecure, Silent Circle, and Threema, on the other hand, allow users to verify fingerprints to assure that they have the proper keys for one another, thus mitigating that threat.)
ProtonMail does allow you to export your public key and send it to another person, but you can't easily confirm whether your ProtonMail messages are being sent to the same key. It would take serious tech chops to verify the key. “They could look at the network request or open the browser's JavaScript inspector, but both of those are so far beyond normal UI that I wouldn't say that's a reliable defense against man-in-the-middle attacks,” Bonneau says. (ProtonMail co-founder and CEO Andy Yen said that a feature allowing users to import and verify key fingerprints is coming.)
This isn't ProtonMail's only weakness. It could also serve malicious code to a targeted individual (based on a specific IP address, for example) if legally compelled to do so. “You have to completely trust that the server is not compromised because every single time you load the page, you download a new copy of the JavaScript,” Lee says. “They could just wait until you load the page and give you a malicious version of the JavaScript. This would be much more difficult to do if it was a browser add-on or a native program you install because then if they wanted to make their client malicious, they would have to add a backdoor and make it malicious for everyone, and everybody would have evidence of that backdoor.”
ProtonMail is addressing this---it is beta testing a native mobile app for iOS and Android, and Yen says the company plans to offer a browser add-on option after ProtonMail’s code becomes more stable. These remedies would limit ProtonMail’s ability to infiltrate your data so long as you stuck to your mobile app or used only the browser add-on on your regular computer. But because ProtonMail will continue to offer the option of using a random computer to log in, users who want convenience or don’t know any better still would be vulnerable to ProtonMail's ability to infiltrate their data.
This brings us to ProtonMail's legal advantages. As we've established, ProtonMail would have a hard time decrypting your communications, but the service is not so secure that it would be impossible. And while ProtonMail cites its location in Switzerland as added protection, it’s certainly not a fail-safe. That’s because Switzerland has a mutual legal assistance treaty relationship with the United States. These treaties require foreign governments to hand over to a requesting government any information legally available to their local authorities. That means that Switzerland would have to give the US access to any data that it could itself access. So if you’re planning to use ProtonMail to sell steroids, leak government secrets, or engage in FIFA-style wire fraud/money laundering/racketeering schemes, Swiss law probably won’t help you.
“People seem to think that data privacy laws in Europe or in foreign countries pose problems or would be a roadblock," says Victor Vital, a trial lawyer at Barnes & Thornburg, "but that’s just not the case, because under those treaties the countries obligate themselves to cooperate as broadly and as much as possible."
Yen concedes ProtonMail isn't exempt from Swiss laws. "We have just intentionally selected the framework that gives the best possible protection to our legitimate users. The greatest protection, of course, comes from the underlying technology,” he told WIRED in an email.
As mentioned, ProtonMail encrypts your emails to disk. Unfortunately, it's an open legal question whether a government could force ProtonMail to falsify keys or serve malicious Javascript to users.
“It is fairly standard for the government to require companies to turn over information about their customers already in their possession. The critical legal question is whether the government can compel companies to do more than that,” says Alexander Abdo, a staff attorney in the ACLU's Speech, Privacy and Technology Project. But, he says, there's a big distinction: “There is an important difference between requiring a company to turn over information it already has and conscripting it into becoming a spy for the government ... the latter raises serious constitutional questions,” he says.
If you have high security needs, it’s better to store your own key rather than outsourcing it to ProtonMail or anyone else. You can do this by running GPG from a command line. Using GPG with Mozilla’s Thunderbird email application and the Enigmail plugin, or with a browser extension like Mailvelope, makes encrypting a bit easier and reduces the learning curve.
But if you have moderate security needs and simply want to add a layer of encryption to your email to protect against dragnet surveillance, or if you’re living in a country that doesn’t have an MLAT agreement with Switzerland, you might benefit from using ProtonMail--so long as you use really good passwords, you're OK with only having 500MB to 1GB of storage, and you can convince your friends and colleagues to make the switch with you.
