Since this Register article was recently published, some activists are concerned about whether or not ProtonMail can be trusted.
The CLDC has expressed reservations that ProtonMail may not be the best choice for activists. Despite the worrisome recent news, ProtonMail is nevertheless a reasonable choice for encrypted email. As a service that manages your encryption keys for you, ProtonMail can’t offer security guarantees as strong as classic PGP/GPG encrypted email. But if your group doesn’t have the time, capacity, or willingness for each member to spend ~90 minutes with the CLDC doing an email encryption training and providing ongoing support, ProtonMail might be the best choice for you. Watch for updates to https://cldc.org/protonmail in the coming weeks, where we may thaw our original frosty take on ProtonMail somewhat.
Before we dissect recent media reports, let’s be clear: email is no longer the best choice for secure communications.
First of all, unless *every* member of your group is using the same, trustworthy email provider, no matter how strong the message encryption is, your metadata (information-rich stats about your data: who you are emailing, exactly when, and how often, plus the unencrypted subject line) is always widely visible to capable adversaries on the Internet. We’ll get into this in more detail in a future article, but the only easy-to-use encrypted communications apps that can protect your metadata are Signal[.org] (the best) or (next-best) Wire[.com] and Keybase[.io]. If you want any guarantees around protecting metadata, you’ll need to get into the weeds and use less user-friendly apps in combination with Tor. We’re happy to show you the ropes, but this can be a lot to take on. If you feel strongly that protecting people’s identities is important, please reach out.
So, what’s the current kerfuffle over ProtonMail? It *is* bad, but it’s nothing we didn’t already know. The article reports on suggestions that ProtonMail is collaborating with authorities to provide IP address logging. This means that ProtonMail seems to be working with Swiss police to collect and share email metadata. As we mentioned already, metadata is vital stats about your data—not what is being written, but who is communicating with whom, when, and how often. A rich source of information, certainly. But it’s very difficult to protect email metadata from a capable adversary (mainly governments with global surveillance capabilities and subpoena power, or well-connected corporations).
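To make the metadata point concrete, here is an added example (not code from the original post or from ProtonMail) that parses a PGP/MIME message and lists what stays readable to the provider, to mail relays, and to anyone watching the wire, even though the body is encrypted. The message, hosts, addresses and the ciphertext block are all constructed placeholders, not real captures.

```python
"""Added example: list the email metadata that survives PGP encryption of the body.

The sample message below is constructed for this demonstration; the hosts,
addresses and the armored block are placeholders, not real captured data."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample: every header is in the clear, only the body is PGP-encrypted.
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
 by mx.example.net with ESMTPS id abc123
 for <organizer@example.net>; Tue, 14 Sep 2021 09:12:33 +0000
From: Alice Organizer <alice@example.org>
To: organizer@example.net
Cc: press-team@example.org
Subject: Thursday action logistics
Date: Tue, 14 Sep 2021 09:12:01 +0000
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkQ2lwaGVydGV4dE9ubHlOb3RSZWFsCg==
-----END PGP MESSAGE-----

--b1--
"""

# Relay hostnames in Received: headers carry the relay's IP in square brackets.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def exposed_metadata(raw: str) -> dict:
    """Return the fields a passive observer or the provider can read without any key."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]

    relay_ips = []
    for received in msg.get_all("Received", []):
        relay_ips.extend(IP_IN_BRACKETS.findall(received))

    # The body counts as protected only when the message is PGP/MIME and a leaf part is ciphertext.
    body_encrypted = msg.get_content_type() == "multipart/encrypted" and any(
        PGP_ARMOR in part.get_payload() for part in msg.walk() if not part.is_multipart()
    )

    # If sender and recipients do not share one provider, these headers cross the open Internet.
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in [sender] + recipients}
    sent_at = msg.get("Date")

    return {
        "sender": sender,
        "recipients": recipients,
        "subject": msg.get("Subject", ""),
        "sent_at": parsedate_to_datetime(sent_at).isoformat() if sent_at else None,
        "message_id": msg.get("Message-ID", ""),
        "relay_ips": relay_ips,
        "body_encrypted": body_encrypted,
        "crosses_providers": len(domains) > 1,
    }


if __name__ == "__main__":
    for field, value in exposed_metadata(RAW_MESSAGE).items():
        print(f"{field}: {value}")
```

Running it shows who wrote to whom, when, about what, through which relay, and that two providers were involved; the only thing the encryption hides is the body. That is exactly the "vital stats" a subpoena or a network observer collects.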
Your best bet for email is a movement-friendly email provider with a commitment not to disclose any user information, such as riseup.net or mayfirst.org. Using PGP/GPG in combination with a trustworthy email provider is ideal security culture. Your group or campaign has maximum protection (data and metadata). Your friendly movement email provider is also protected, as they would only be able to share indecipherable noise. Meaning: they don’t have to shut down or go to prison to protect your communications.
Of course ProtonMail is not an activist organization—and it’s true that by default they have no access to the contents of your email messages or attachments. But this is only true if they don’t actively attack you. Since ProtonMail appears to be possibly cooperating with Swiss cops to share metadata in certain cases, it’s important to know that ProtonMail could also do much worse, if compelled. Of course this is much more invasive and much less likely, but it is technically possible.
ProtonMail’s marketing is deeply misleading. They say things like:
“We don’t have the technical ability to decrypt your messages, and as a result, we are unable to hand your data over to third parties. With ProtonMail, privacy isn’t just a promise, it is mathematically ensured.”
Not true. The ProtonMail encryption scheme, while worlds better than Gmail and others (who can simply hand over all of your org’s data upon request), still leaves you no choice but to trust them to do the right thing. Specifically, if motivated, ProtonMail could:
- Hand over your private key (which it possesses, protected only by the strength of your passphrase) to authorities, who can then use formidable resources to try to crack your passphrase using brute force methods (meaning: try all the passwords until they get lucky);
- Encrypt your email messages so they can also be read by an outside party (technically: encrypt your email to a public key controlled by a State agent); this would probably require a malicious webmail client too.
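The first bullet is the reason a strong passphrase matters: an exported private key is only as safe as the passphrase that encrypts it. The following added example (not code from the original post or from ProtonMail) estimates how long a brute-force search takes for passphrases of different strengths. The guess rate, the KDF stretching factor and the tiny word list are labelled assumptions chosen for illustration, not measured figures for any provider.

```python
"""Added example: estimate brute-force effort against a passphrase-protected private key.

Every rate and factor here is an assumption for illustration, not a measured value."""
import math
import secrets

DICEWARE_LIST_SIZE = 7776           # words in a standard Diceware list
ASSUMED_GUESSES_PER_SECOND = 1e9    # assumption: raw hash rate of a well-resourced attacker
ASSUMED_STRETCHING_FACTOR = 65536   # assumption: slowdown from the key's passphrase KDF
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed tiny word list so the generator runs offline; a real list has 7776 words.
DEMO_WORDS = ["ocean", "lantern", "meadow", "copper", "violin", "harbor", "saddle", "quartz"]


def diceware_entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n_words picked uniformly at random from a list of list_size words."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a random string of `length` characters drawn from `charset_size` symbols."""
    return length * math.log2(charset_size)


def expected_crack_seconds(entropy_bits: float,
                           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND,
                           stretching: float = ASSUMED_STRETCHING_FACTOR) -> float:
    """Average time to find the passphrase: half the keyspace at the effective guess rate."""
    effective_rate = guesses_per_second / stretching
    return (2.0 ** entropy_bits) / 2.0 / effective_rate


def expected_crack_years(entropy_bits: float, **kwargs) -> float:
    return expected_crack_seconds(entropy_bits, **kwargs) / SECONDS_PER_YEAR


def generate_passphrase(n_words: int, wordlist: list) -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare_scenarios() -> dict:
    """Entropy and expected cracking time (years) for common passphrase choices."""
    scenarios = {
        # assumption: ~50,000-word dictionary plus a two-digit suffix
        "one dictionary word + 2 digits": math.log2(50_000 * 100),
        "8 random printable ASCII chars": charset_entropy_bits(8, 95),
        "4 Diceware words": diceware_entropy_bits(4),
        "6 Diceware words": diceware_entropy_bits(6),
        "8 Diceware words": diceware_entropy_bits(8),
    }
    return {label: (round(bits, 1), expected_crack_years(bits)) for label, bits in scenarios.items()}


if __name__ == "__main__":
    for label, (bits, years) in compare_scenarios().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years")
    print("example passphrase:", generate_passphrase(6, DEMO_WORDS))
```

Each extra Diceware word multiplies the attacker's work by 7776, so the difference between a short and a long passphrase is not a matter of degree; it decides whether a handed-over key is readable within days or effectively never. The KDF stretching only buys a constant factor, which is why the passphrase's own entropy has to carry the load.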
If you are using ProtonMail, here are three steps to strongly defend yourself:
- Use a strong passphrase to protect your private key.
- Use the ProtonMail client (mobile app or ProtonMail Bridge for desktop) and never log in to read/send email using the ProtonMail website.
- To protect metadata, use Tor Browser or a trustworthy VPN (Tor is better, since it requires no explicit trust) to create and always access your ProtonMail account.
If you take all three steps you’re actually able to achieve reasonable email security.
So, in the end, the Register article is not saying anything technical that we didn’t already know: ProtonMail is very convenient and offers a much better security situation than Gmail etc. However, left and liberatory movements should be aware that there are choices that offer much better security guarantees.
At the moment we love Keybase.io (but you have to trust them with your metadata). Signal.org offers the best possible metadata protection (with a very user-friendly interface), but you still need to trust them not to log and hand over your metadata, if compelled. Wire.com protects you from unsophisticated fascists or stalkers (you don’t have to give out your cellphone number in public meetings), and it uniquely offers encrypted, small-group conference calls.
Hit us up with questions and training requests at https://cldc.org/contact. We can help keep you safe, so please reach out before you go public with your next campaign!