Have you ever needed to send an email whilst ensuring that no one else but the recipient can see its content? Are you generally concerned with sharing private or potentially valuable information over email? If this is the case, then you might consider using ProtonMail. But what is ProtonMail, how does it function and is it really as secure as it is claimed to be?
The idea behind ProtonMail
ProtonMail is a secure email service developed in Switzerland. One of the main features of ProtonMail is the end-to-end encryption in the ProtonMail scope. This encryption process allows ProtonMail users to send and receive emails with other ProtonMail users, the content of which no one else can see. This is due to the fact only the user with the corresponding decryption key can decipher the original message. Furthermore, this also means that not even ProtonMail can view the information contained in any of the messages that are sent through the service. Ultimately, this is why it is regarded as highly secure and very protective of its users’ data.
How does this encryption work?
We have already mentioned that ProtonMail is an encrypted email service, but how does the technology behind it work? The answer is simple - by using a combination of public-key cryptography and symmetric encryption. To explain further, when you create an account, your browser will create two separate keys - one public and one private. The public key will be used to encrypt your user data such as email, whereas the private key will be utilized to decipher it once a symmetric key relationship has been established with another user. This process of symmetric key assignment is similar to that of Tor, which we have already covered in one of our previous posts - here. When an email is sent from one user to another, it is immediately encrypted with the recipient's public key. When they log in, their private key deciphers the email message allowing them to view its content.
Is ProtonMail really as secure as it seems?
While the service does provide an extra layer of security and data protection, being based in Switzerland means that it must abide by the country’s laws. What this entails is that if the Swiss law enforcement authorities request data from ProtonMail, the service must comply and present them with the required information, unless they manage to contest the orders. While ProtonMail cannot provide the content of the messages as it is encrypted, they can still supply authorities with other data (metadata) such as the subject of the message, the last login time, the device identification code and ultimately - the IP addresses of the sender and the recipient. Furthermore, while ProtonMail must only answer to the Swiss law authorities, this does not prohibit other countries from demanding this information by filing a request to Switzerland’s enforcement.
One such case recently surfaced in which the French authorities used Europol to send a request to the law enforcement of Switzerland asking for the IP address of a certain French activist, who was using ProtonMail. While the mailing service did not cooperate with the French authorities in a direct manner, they were forced to provide the information to the Swiss authorities, citing that they must cooperate with the local law enforcement. Consequently, this raises a question about the user anonymity when using the service. To further fuel this fire, the number of international and local requests for obtaining data from ProtonMail has been increasing annually as seen in their transparency report - from 13 in 2017, to 262 in 2018, 1465 in 2019 and reaching 3572 in 2020. In 2020 specifically, 3017 orders were complied with of which 195 were foreign requests approved by the Swiss authorities. While these numbers are still not dramatically high, their exponential growth is the most worrying factor, as the service, which supports user anonymity, might not be capable of maintaining it in a number of years.
Can I further increase the security?
While ProtonMail can be required by local legislation to provide some user information, this does not make it less secure as the content of the emails cannot be decrypted by anyone else. However, users can add additional security layers in order to further minimize information disclosure. Moreover, these solutions come from Proton themselves. Any concerned individuals can utilize Tor browser alongside ProtonMail in order to make their IP address harder to locate and preserve their anonymity. On the other hand, a second option that Proton offers is their virtual private network - ProtonVPN, which can be used to change user location and IP address. Furthermore, Proton’s founder - Andy Yen, assured that Swiss law prohibits the service from logging its VPN users’ IPs. There is also a third option, which involves utilizing both Tor and ProtonVPN simultaneously for ultimate security and anonymity.