ProtonMail Review

I was asked to review an article from Privacy-Watchdog.io and came up with the following critiques.


Protonmail has an Onion domain that allows users to visit their site using the TOR browser. Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary.

Obtaining an SSL/TLS cert is not unnecessary when using v1 or v2 onion links; because shorter-length onion links can be brute-forced by an attacker attempting to impersonate you. Using SSL/TLS in addition to Tor mitigates this threat.

When a user makes a new account with Protonmail on TOR they are re-directed from Protonmail’s “.onion” to “.com” address. This breaks your secure encrypted connection to their onion address, enabling your identification.

This does not compromise any of Tor's security guarantees. You're still connecting via Tor Browser (we all know Tor Browser is capable of browsing clearnet sites without compromise to anonymity, except on sites that require you to reveal personal information). In addition, it's already known that ProtonMail requires SMS verification to sign up (you can alternatively get access by donating).

Professor Nadim Kobeissi mathematically proved that Protonmail does not provide End to End Encryption.

This is incorrect. Proton provides E2EE. What it doesn't provide is a zero-trust security model (see https://fantasycookie17.onederfultech.com/posts/2020/12/dont-use-webapps.html). There are various third-party ProtonMail clients, accessible for free, that mitigate this risk.

Gmail & Protonmail were both created in CIA/NSA funded departments with their oversight. Protonmail has tried to hide this part of their history. We wrote a whole article about it here.

From https://privacy-watchdog.io/protonmails-creation-with-cia-nsa/

Why did Protonmail’s Reddit moderator try so hard to hide the part of their history from MIT?

Wait... We're allowing a Reddit moderator to affect our opinions on ProtonMail? That's like taking the word of an Apple-certified technician and thinking it's Apple's company policy.

This article leverages a semantic distinction to assert that ProtonMail is a CIA/NSA front... I think.

Going into the referenced article:

Since Wei Sun’s departure, Protonmail has deleted records of his contribution. (Source)(Archive)

When I loaded each link, they both had the same record of his contribution... So I don't know what that's about.

After a successful crowdfunding campaign with promises to “remain independent” Protonmail sold equity ownership to CRV and FONGIT.

Looking into CRV reveals:

Charles River Ventures is a venture capital firm focused on early-stage investments in technology and new media companies. The firm was founded in 1970 to commercialize research that came out of MIT.

I fail to see how receiving funds from a venture capital firm compromises user security/privacy.

And searching for FONGIT reveals

Fongit specialises in tech innovation in Geneva. We currently support 80 IT, engineering, cleantech, and medtech startups [...].

Another claim,

At the time of the equity sale a CRV founder, Mr Ted Ditersmith, was working for the US State Department closely with President Obama. His position as a delegate required close contact with CIA & NSA administration. Mr. Ted Ditersmith had also witnessed the Edward Snowden revelations and made statements that he planned to use his corporate knowledge to “fight terrorism”. FONGIT is a Non Profit organization that is financed by the Swiss Government.

is easily debunked by considering CRV is a venture capital firm. They would naturally have ties with many organizations.

Protonmail sold equity ownership to CRV and FONGIT.

ProtonMail's own comments about this can be found at https://protonmail.com/blog/protonmail-has-raised-2m-usd-to-protect-online-privacy/

Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires.

ProtonMail uses *.eml for email storage? Wow, amazing! They chose a common, standard format for email storage. They must me CIA

Protonmail offers no protection for users’ metadata and has officially stated that they turn metadata over to Law Enforcement.

Email metadata is, as a protocol limitation, not protected. This is a limitation of email itself, not ProtonMail. And while ProtonMail can release metadata in response to Swiss warrants (ProtonMail is based in Switzerland), they are not required to release data in response to other countries' warrants.

Protonmail’s Servers Reside In Switzerland, a country with an MLAT treaty that could allow the NSA to continue it’s the mission of recording “nearly everything” about a person’s internet communication.

While a quick DDG search fails to provide evidence of ProtonMail being affected by an MLAT treaty, I won't discount the possibility that Switzerland may have some intelligence sharing with the United States.

Protonmail has also recently revised its Privacy Policy to include wording and requirements from the MLAT treaty.

This part references a Reddit post as a source, yet the post directly contradicts their own claims:

If you make such a heavy claim, make it based on a given source (quote it), I am certainly not going to go through thousands of posts.

Ps: ~3 months ago PM said they were excempted.

I'll repeat the important bit:

~3 months ago PM said they were excempted.

Reading their privacy policy for myself (after reading this claim), I also see nothing to suggest they have changed their data collection/retention/sharing policies in response to such a treaty

We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.

If a request is made for encrypted message content that ProtonMail does not possess the ability to decrypt, the fully encrypted message content may be turned over. If permitted by law, ProtonMail will always contact a user first before any data disclosure. Under Swiss law, it is obligatory to notify the target of a data request, although such notification may come from the authorities and not from the Company.

Even better, it seems that Swiss law provides additional assurance against court orders:

Under Swiss law, it is obligatory to notify the target of a data request, although such notification may come from the authorities and not from the Company.

The post mentions Proton tracking users' locations:

Revisions include a change to their privacy policy allowing them to track your location while you use their service in some situations.

Yet the only mention of the location collection found in their privacy policy is

None of the software on our apps will ever access or track any location-based information from your device at any time.

Regarding ProtonMail's DDoS protection:

Privacy companies like Protonmail are required to use a DNS/DDOS service because of the frequent attacks against their service. Protonmail uses a company called Radware for this purpose. Radware is a low-quality service that has failed to provide adequate protection. Protonmail has been taken offline, sometimes by teenage kids, because they insist on using a sub-par service.

Umm, ok?

Radware can gain complete access to all Protonmail user’s accounts in two ways. They could inject a few lines of code that would reveal all users log in username and passwords, thus allowing them to log in as if they are that user.

I cannot definitively deny this, although I find it unlikely that a company such as ProtonMail (which publicly mentions that all equipment is deployed in-house with a strict chain of custody) would allow any third-party contractor the necessary access to perform attacks against users.

Protonmail’s developers are in a position to know the real security offered by Protonmail. And Protonmail’s developers do not use Protonmail. If you were served food by a cook who refused to eat the food, would that be a cause of concern to you? This is the same situation. Protonmail developers do not use Protonmail, there are likely good reasons for this.

ProtonMail's website doesn't list the personal email addresses of many of their employees, which is the justification for their claim (see https://privacy-watchdog.io/protonmail-devs-do-not-use-protonmail/). However, it listing people's personal emails publicly on the website of a globally-known service seems irresponsible without the permission of the email owner. I doubt those people need the extra spam from making their email public.

Many of the developers (according to privacy-watchdog.io) use Gmail. I would assume this means they don't intent on their personal emails being private in the first place (just because you develop a tool doesn't obligate you to use it).

If you were served food by a cook who refused to eat the food, would that be a cause of concern to you?

Each person has the right to choose what email provider to use. Clearly by the fact that many of these people use Gmail, privacy is not the goal here. Maybe they use ProtonMail addresses alongside Gmail (I personally keep many email accounts, but only share one publicly). Maybe they use Gmail because they know listing their address publicly will lead to huge amounts of spam they don't want to deal with on thair ProtonMail accounts.

Does not use Protonmail.com (No pride in “@protonmail.com”)

Umm, ok?

In 2017 Protonmail seems to have used illegal cyber warfare capabilities to unlawfully break into a suspects server. You can see the tweet they posted and read about it here. They soon deleted the tweet and said: “We cannot confirm nor deny if anything happened.” In 2013 the European Union parliament voted to make hacking a crime that carried a prison sentence of 2 years. “Hacking back” is also illegal under Swiss law. Based on Protonmail’s admissions only, they conducted an illegal hack.

Umm, ok? I personally don't see a problem if a company “hacks back” when an attacker tries to compromise them. I can confirm that ProtonMail has engaged in practices that involved “hacking back”.

From Protonmail’s creation lied to their users. Starting when they crowdfunded $550k to “remain Independent”, a promise they broke almost immediately by selling equity ownership to a US corporation with ties to President Obama and John Podesta.

From https://www.indiegogo.com/projects/protonmail/

We firmly believe that ProtonMail can only succeed in its mission if it remains independent. By raising money through crowd funding, we can ensure that our first and only priority is protecting the privacy of our users.

From Privacy-Watchdog.io's comments on this equity sale

“The reason we have to be bootstrapped is because if we take our money from something like Google Ventures, there goes our credibility. By being in this market we have to fund ourselves,” Then he continued by saying they were going to crowdfund their idea in a month.

So... They wanted to refrain from associating with other firms in order to establish and maintain credibility. That's fair. Then, later they accepted funds from a venture capital firm? That's still not unreasonable (ProtonMail is a business, and businesses need money to survive). It's not perfect, but it's also not unreasonable.

From

We’re happy to announce that ProtonMail has secured a financing round of $2M USD from Charles River Ventures (CRV) and the Fondation Genevoise pour l’Innovation Technologique (FONGIT).

Remaining independent does not mean refusing investments. And despite what the original article wants to suggest, CRV is a venture capital firm. Venture capital is a common part of creating a business.

You can read more about Privacy-Watchdog.io's statements regarding this equity sale at https://privacy-watchdog.io/protonmails-crowdfunding-equity-sale/

From the Privacy-Watch.io ProtonMail false claims list:

In 2017 Protonmail seems to have used illegal cyber warfare capabilities to unlawfully break into a suspected phishing server.

Cyber warfare isn't uncommon for businesses to implement against attackers. Why should we single out any specific company for something that's done commonly?

Protonmail has stated on Reddit that they are “controlled by the politics of the community that dominates the ProtonMail userbase”. So if a majority of their users wanted to ban an innocent minority group, Protonmail has stated they would “yield to community pressure”

I'm not sure why we're trusting Reddit on this, but it makes sense that this would be the case (every business exists because people buy their product, or in this case, use their service. ProtonMail is not exempt from the rules of economics).

Lie: “Protonmail is open source code.”

  1. Their front end code is open source. Their back end code and mobile code is kept private. This can be confirmed by reviewing their open-source code

It's impossible to audit a third-party's back-end code anyway. Any published server-side code is nothing more than a gesture anyway. Also, “ProtonMail is open-source” doesn't specify that the server-side code is also open-source. You may assume meaning, but that doesn't necessarily mean that meaning exists.

Lie: “By default, we do not keep any IP logs”

  1. Protonmail’s Privacy Policy States: “This includes, the sender & receivers, the IP addresses were emails originated from, message subject, messages sent & received times, storage space, total emails and login times.” Protonmail is also legally required to store all users data for 6 months in Switzerland.

I have reviewed their privacy policy and found no such mention of them collecting this data. In fact, I can't even find the word “include” in their privacy policy.

Lie: ProtonMail does not require any personally identifiable information to register.

  1. If a user tries to signup without personal information, via VPN or TOR, they detect it and require a “donation” with a credit/debit card or a confirmation with your personal phone.

This is a common way of reducing bot accounts that sign up. If you would like to buy ProtonMail anonymously, you can obtain a gift card anonymously and use that. I may write an article on anonymous payment in the future.


From what I read, the articles I'm responding to area few of many attempts people have made to discredit ProtonMail in the past. I have yet to see anyone make any real points, while I will admit they do find increasingly clever ways of justifying their claims. If you look deep enough into something you're inevitably going to find something to justify it. That doesn't mean you're right.

I recommend people read into internet confirmation bias.