End-to-end encrypted email provider ProtonMail has officially confirmed it’s passed 50 million users globally as it turns seven years old.
It’s a notable milestone for a services provider that intentionally does not have a data business — opting instead for a privacy pledge based on zero access architecture that means it has no way to decrypt the contents of ProtonMail users’ emails.
Although, to be clear, the 50M+ figure applies to total users of all its products (which includes a VPN offering), not just users of its e2e encrypted email. (It declined to break out email users vs other products when we asked.)
Commenting in a statement, Andy Yen, founder and CEO, said: “The conversation about privacy has shifted surprisingly quickly in the past seven years. Privacy has gone from being an afterthought, to the main focus of a lot of discussions about the future of the Internet. In the process, Proton has gone from a crowdfunded idea of a better Internet, to being at the forefront of the global privacy wave. Proton is an alternative to the surveillance capitalism model advanced by Silicon Valley’s tech giants, that allows us to put the needs of users and society first.”
ProtonMail, which was founded in 2014, has diversified into offering a suite of products — including the aforementioned VPN and a calendar offering (Proton Calendar). A cloud storage service, Proton Drive, is also slated for public release later this year.
For all these products it claims to take the same ‘zero access’ hands-off approach to user data. Albeit, it’s a bit of an apples and oranges comparison to compare e2e encrypted email with an encrypted VPN service — since the issue with VPN services is that they can see activity (i.e. where the packets, encrypted or otherwise, are going) and that metadata can sum to a log of your Internet activity (even with e2e encryption of the packets themselves).
Proton claims it doesn’t track or record its VPN users’ web browsing. And given its wider privacy-dependent reputation that’s at least a more credible claim vs the average VPN service. Nonetheless, you do still have to trust Proton not to do that (or be forced to do that by, e.g., law enforcement). It’s not the same technical ‘zero access’ guarantee as it can offer for its e2e encrypted email.
Proton does also offer a free VPN — which, as we’ve said before, can be a red flag for data logging risk — but the company specifies that users of the paid version subsidize free users. So, again, the claim is zero logging but you still need to make a judgement call on whether to trust that.
From Snowden to 50M+
Over ProtonMail’s seven-year run privacy has certainly gained cachet as a brand promise — which is why you can now see data-mining giants like Facebook making ludicrous claims about ‘pivoting’ their people-profiling surveillance empires to ‘privacy’. So, as ever, PR that’s larded with claims of ‘respect for privacy’ demands very close scrutiny.
And while it’s clearly absurd for an adtech giant like Facebook to try to cloak the fact that its business model relies on stripping away people’s privacy with claims to the contrary, in Proton’s case the privacy claim is very strong indeed — since the company was founded with the goal of being “immune to large scale spying”. Spying such as that carried out by the NSA.
ProtonMail’s founding idea was to build a system “that does not require trusting us”.
Usage of e2e encryption has grown enormously since 2013, when disclosures by NSA whistleblower Edward Snowden revealed the extent of data gathering by government mass surveillance programs, which were shown (il)liberally tapping into Internet cables and mainstream digital services to grab people’s data without their knowledge or consent. That growth has certainly been helped by consumer friendly services like ProtonMail making robust encryption far more accessible. But there are worrying moves by lawmakers in a number of jurisdictions that clash with the core idea and threaten access to e2e encryption.
In the wake of the Snowden disclosures, ‘Five Eyes’ countries steadily amped up international political pressure on e2e encryption. Australia, for example, passed an anti-encryption law in 2018 — which grants police powers to issue ‘technical notices’ to force companies operating on its soil to help the government hack, implant malware, undermine encryption or insert backdoors at the behest of the government.
In 2016, meanwhile, the UK reaffirmed its surveillance regime, passing a law that gives the government powers to compel companies to remove or not implement e2e encryption. Under the Investigatory Powers Act, a statutory instrument called a Technical Capability Notice (TCN) can be served on comms services providers to compel decrypted access. (And as the ORG noted in April, there’s no way to track usage as the law gags providers from reporting anything at all about a TCN application, including that it even exists.)
More recently, UK ministers have kept up public pressure on e2e encryption — framing it as an existential threat to child protection. Simultaneously they are legislating — via an Online Safety Bill, out in draft earlier this month — to put a legally binding obligation on service providers to ‘prevent bad things from happening on the Internet’ (as the ORG neatly sums it up). And while still at the draft stage, private messaging services are in scope of that bill — putting the law on a potential collision course with messaging services that use e2e encryption.
The U.S., meanwhile, has declined to reform warrantless surveillance.
And if you think the EU is a safe space for e2e encryption, there are reasons to be concerned in continental Europe too.
EU lawmakers have recently made a push for what they describe as “lawful access” to encrypted data — without specifying exactly how that might be achieved, i.e. without breaking and/or backdooring e2e encryption and therefore undoing the digital security they also say is vital.
In a further worrying development, EU lawmakers have proposed automated scanning of encrypted communications services — aka a provision called ‘chatcontrol’ that’s ostensibly targeted at prosecuting those who share child exploitation content — which raises further questions over how such laws might intersect with ‘zero access’ services like ProtonMail.
The European Pirate Party has been sounding the alarm — and dubs the ‘chatcontrol’ proposal “the end of the privacy of digital correspondence” — warning that “securely encrypted communication is at risk”.
A plenary vote on the proposal is expected in the coming months — so where exactly the EU lands on that remains to be seen.
ProtonMail, meanwhile, is based in Switzerland, which is not a member of the EU and has one of the stronger reputations for privacy laws globally. However, the country also backed beefed-up surveillance powers in 2016, extending the digital snooping capabilities of its own intelligence agencies.
It does also adopt some EU regulations — so, again, it’s not clear whether or not any pan-EU automated scanning of message content could end up being applied to services based in the country.
The threats to e2e encryption are certainly growing, even as usage of such properly private services keeps scaling.
Asked whether it has concerns, ProtonMail pointed out that the EU’s current temporary chatcontrol proposal is voluntary — meaning it would be up to the company in question to decide its own policy. Although it accepts there is “some support” in the Commission for the chatcontrol proposals to be made mandatory.
“It’s not clear at this time whether these proposals could impact Proton specifically [i.e. if they were to become mandatory],” the spokesman also told us. “The extent to which a Swiss company like Proton might be impacted by such efforts would have to be assessed based on the specific legal proposal. To our knowledge, none has been made for now.”
“We completely agree that steps have to be taken to combat the spread of illegal explicit material. However, our concern is that the forced scanning of communications would be an ineffective approach and would instead have the unintended effect of undermining many of the basic freedoms that the EU was established to protect,” he added. “Any form of automated content scanning is incompatible with end-to-end encryption and by definition undermines the right to privacy.”
So while Proton is rightly celebrating that a steady commitment to zero access infrastructure over the past seven years has helped its business grow to 50M+ users, there are reasons for all privacy-minded folk to be watchful of what the next years of political developments might mean for the privacy and security of all our data.