We Need A New Encrypted Email Service
The most secure email service of all would be one that doesn’t collect any user data at all.
Let’s face it, messaging hasn’t killed email as it promised it would. No matter how many verticals in messaging sprout, we always depend on email as our primary point of contact. To drive the point further, email is the main credential required to sign up for any online service: be it banking, ride-sharing, food delivery, social networking, media streaming or online shopping. Email is possibly the most vital communication medium between users and service providers. That said, increasingly in the crypto world conversations are being had over encrypted email. In fact, some of the most trustworthy crypto projects out there use encrypted email exclusively — which is a big plus when it comes to gaining technical credibility in the market.
When it comes to secure email there’s one name that comes to everyone’s mind: ProtonMail. The Switzerland based email company is the most popular encrypted email service in the world. There are few add on services like Criptext and Virtru that offer encryption for Gmail users, but these are not really direct competitors because, well, they work on top of Gmail and we all know security and privacy is not Gmail’s main concern. Ultimately, by merit of being the only player in the market, ProtonMail has become the de facto encrypted email service for privacy enthusiasts and the crypto community alike. But not all is smooth sailing for ProtonMail.
Just this week, Hamza Shahid published a story on BestVPN.co with the headline: “ProtonVPN is a SCAM — Unveiling the Dirty Secrets of Proton and NordVPN”. It reported that ProtonMail’s VPN service “ProtonVPN” is tied to a data mining company from Lithuania called Tesonet. The article went further into depth explaining the intricate relationship between the security company and the data mining firm. Such a close relationship immediately sparked skepticism and outrage. Both ProtonMail and ProtonVPN (same creators) replied publicly on July 7th 2018 on reddit.
Although Shahid’s article raised some red flags worthy of questioning ProtonMail, the story was posted on BestVPN.co (VPN services reseller), a competing VPN service provider to ProtonVPN and this leads one to believe it’s merely a smear campaign. The conflict of interest is further highlighted when you realize that the writer is also the owner or BestVPN. Furthermore, ProtonMail and ProtonVPN’s counter-arguments properly lay to rest many of the claims made by the writer. This, however, didn’t keep Shahid from pushing on Twitter, and ProtonMail’s response left us in awe.
The primary concern with the response was the secure email provider’s plea for trust. Essentially, we need to trust that ProtonMail is not a bad actor like Facebook or Google. As most of us know in crypto, we don’t trust — we verify. Regardless who’s side you’re on in this debate, it left something very clear: there needs to exist an email service provider that can improve upon ProtonMail’s benchmark and properly deliver privacy and security. To further understand why we need another encrypted email service, let’s take a look at the red flags surrounding ProtonMail.
What’s wrong with ProtonMail
- Tagline: ProtonMail’s main value proposition is right in their tagline: Secure Email Based in Switzerland. This is the first thing you read as you go into their website, suggesting that you should trust them not for their technology, but rather for their jurisdiction. This is fundamentally wrong as first and foremost the value of a secure communications provider lies in their technology that makes their platform secure. If the jurisdiction is boasted before their technology, then it begs the question: How robust is their technology?
- Jurisdiction: It’s common knowledge that Switzerland has strict privacy laws that protects users and bars states and agencies from subpoenaing user data. This is the foundation of the once thriving Swiss banking industry where the ‘don’t ask don’t tell’ M.O. was the standard. However, in recent years privacy banking laws in Switzerland have changed drastically and banks are now sharing customer information with states, governments and agencies around the world. The same is true for Panama, for example. A global push by governments to increase tax collection, and diminish corruption and money laundering has defeated the value proposition of the Swiss jurisdiction. If we use the banking industry as a proxy, there’s no reason to believe that your information would remain private in Switzerland any more than your money.
- Trust: During ProtonMail’s effort to put out the PR fire they literally appealed to users’ sentiment by saying “trust the people behind ProtonMail”. The privacy and crypto community share the same motto: we don’t trust — we verify. Trust is unnecessary when you have a system that’s robust enough to gain people’s trust out of merit, not request. In fact, when it comes to secure communication services, trust is the first thing that should be removed from the equation. Service providers can be sloppy and err into leaking sensitive data, or worse, they can be coerced by state agencies into turning in data (such is the case of Lavabit). Because the human element itself can’t be trusted, companies like ProtonMail should plainly remove this word from their dialogue.
- Data collection: Much like Gmail and Yahoo Mail, ProtonMail collects and stores all email data in its servers. While this enables email services to offer a ‘convenient’ way for users to access their inbox from anywhere, this methodology of data centralization can prove to be a big vulnerability. This sets things up so that there is one single point of attack if there is to be a data breach. Furthermore, because ProtonMail is collecting users’ data it’s put in a position where it has to convince users to trust them with their data. This year alone we’ve seen increased focus on tech companies by congress and governments due to the blatant misuse of user data. Consumers are increasingly more aware of data collection and regulation is becoming stringent on these kind of companies. No matter how secure the email service is, the fact remains that the most secure email service of all would be one that doesn’t collect any user data at all.
- Key management: The last red flag to point out is the fact that ProtonMail stores users’ private keys in their servers. Much like the the latter point on Data Collection, this enables ProtonMail to offer an ‘easier to use’ experience. Since the keys are also centralized in ProtonMail’s servers users can just login into their inbox from any device and any browser and read/send secure emails. Now, if you wouldn’t trust a third party with your Crypto private keys, why would you trust a third party with your email private keys? The dilemma worsens when you realize that your emails and the private keys are stored by the same 3rd party, which means that in the event of an infiltration hackers could get away with the vault and the key to unlock it. In this scenario, ProtonMail has complete control you and your data.
At the end of the day, despite all the pitfalls we’ve presented, ProtonMail is the best we’ve got — for now. It’s more secure than using Gmail and far more convenient than integrating PGP into an email client. As we’ve highlighted earlier, ProtonMail is far from perfect and this is exactly why the world needs more competition in the secure email space. Competition drives innovation and, in this case, it would drive us closer towards preserving online privacy. The growth and boom of the cryptocurrency market has undoubtedly benefited secure email companies and increased demands for their services. Now that a larger market has been established in this email vertical, I suspect that more startups will arise improving upon ProtonMail’s technology and VC money will follow. Let’s hope that this happens sooner rather than later.