Proton Mail Report

Executive Summary

We have a lot of concerns with ProtonMail (now branded as simply “Proton” to cover all their services) and believe it is not the bastion of security and privacy that we have been led to believe it is. Our primary issues are as follows:

    • Although HQ’d in Switzerland, where we have been led to believe they have more privacy protections than other countries, such as here in the USA, we have found the company and Swiss government have complied on numerous occasions with international and US authorities when pressed.
    • The funding of the company has ties to individuals with Barack Obama and far-left allegiances.
    • Their executive team’s history and association with CERN (hence the “Proton” in their name) is extremely concerning.
    • Proton was forced to acknowledge their encryption is no better than that of Gmail.

Company & Services Overview:

  • Proton
  • Founder: Andy Yen
  • Established: May 16 2014
  • Employees: 201-500
  • Annual Revenue: $25-50M
    • Proton — Privacy by default (Mail, Calendar, Drive, VPN)
      • ProtonMail: An end-to-end encrypted email service founded in 2013 in Geneva, Switzerland. Proton uses open source, independently audited, end-to-end encryption and zero-access encryption to secure your communications
      • PGP Encryption Standard
      • Asymmetric Encryption
      • End-to-End Encryption (E2EE)
      • ProtonDrive: An end-to-end encrypted Swiss storage space for your files, photos, and videos
      • ProtonVPN: High-speed Swiss VPN with servers around the world that safeguards your privacy

Notables:

Connections to Charles River Ventures and Various Intelligence Agencies

  • Proton secured seed round funding from Charles River Ventures (CRV) ($2 million)
    • At the time of the sale, CRV founder Ted Dintersmith was selected by Barack Obama as an alternate representative of the United States to the Sixty-seventh Session of the General Assembly of the United Nations. Appointments like this are almost always given to large campaign donors and friends of the President.
    • Ted’s bio also reads like that of the vast majority of Silicon Valley, Ivy League-educated venture capitalists who preach the value of innovation and education while supporting whatever leftist agenda they are told to by their fund’s investors.
  • CRV, Israeli Intelligence and the CIA:
    • As a matter of “national security” we can say with certainty that one does not have a large portfolio of Israeli technology and security companies as a venture capital firm without a relationship with the intelligence arm of the country.
    • Proton’s origin story is questionable, at best, and appears to directly tie the founding of the company to MIT, the CIA and the NSA.
    • Although we have not found a direct link between CRV and In-Q-Tel (CIA’s VC Fund), they are targeting the same types of security and data collection companies, have offices very close to one another, run in the same circles in Silicon Valley, and largely target the same exits to the same DoD and related US Intelligence agencies.
  • CRV has previously condemned Trump in response to Peter Thiel (well-known Silicon Valley VC) supporting Trump.
  • Proton has/had a partnership with an Israeli firm linked to the IDF; this would be a nonstarter, but the story is complicated…

Is Proton More Secure as a “Swiss” Company?

  • Proton boasts on its website of ‘extra-legal protections’ because it’s based in Switzerland.
    • Proton deleted ‘we don’t log your IP’ from its website.
      • This contradicts their statement “By default, we do not keep any IP logs which can be linked to your anonymous email account.”
    • Proton gave the IP Addresses of climate activists to the Swiss Judiciary at the request of the French Police.
      • Initially one might think that there is no evidence that Proton is distributing their own keys with their users’ keys, but the evidence exists in the fact that Proton had mountains of data to scour through over one “climate change activist”; and they’ve maintained the stance they have no access to data, and the data that is stored is encrypted metadata… so where did the mountain come from?
    • Andy Yen released a statement on Twitter regarding handing over information to Swiss Law: “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended, and we’re required by Swiss law to answer requests from Swiss authorities.”
      • We are curious…
      • Who determines a crime has been committed?
      • Is the customer notified when their privacy protections have been suspended?
      • Lavabit claimed to previously be a secure email service but it was revealed in 2014 that a federal judge forced them to hand over the encryption keys to the government.
      • Hushmail also claimed to be secure but admitted they grabbed user passwords to decrypt emails and turned them over to the government.
    • Proton won exemption from data retention laws in Switzerland, but this was not the victory people think it was or that it was sold to the public as.

Is Proton’s Technology Special or More Secure?

When Alice sends Bob a message encrypted to his public key, it’s harder for anyone else to read the message. But since Proton distributes the encryption keys to users, Proton can give Alice its own keys in addition to Bob’s, thus encrypting the message in a way in which Proton could eavesdrop. (Apple iMessage has the same flaw.)

  • Proton does not encrypt email subject lines.
  • Proton utilizes Phone Number Verification.
  • Proton has an Onion Domain that allows users to visit their site using the Tor browser as an apparent means to add anonymity to users. Proton even has an SSL certificate for that onion address, even though it’s completely unnecessary.
    • When a user makes a new account with Proton on Tor they are redirected from Proton’s ‘.onion’ to ‘.com’ address, which breaks your secure encrypted connection to their onion address, enabling your identification. This type of redirect was and is common practice for NSA/CIA honeypots.

Other Notables:

  • The European Innovation Council gave Proton $50,000 in October 2017.
  • $1.9 million in 2018
  • $2.2 million in 2019
  • PayPal froze Proton’s $328 thousand… and then quickly unfroze it.
  • Proton donated 10% of revenue from new subscribers to Ukraine.
  • Proton claimed their DDoS attack in 2015 was a state sponsored attack.
  • Andy Yen, co-founder and current CEO, was previously a particle physicist at CERN and attended Harvard.
  • Proton was featured in Mr. Robot.
  • Russia blocked the use of Proton (Russia claimed it was used to send in fake bomb threats).
  • The relationship with CERN, given the money and ethos behind the money that supports and runs CERN, is a huge red flag to say the least.

Questions & Concerns:

  • What evidence is there, outside of Proton saying they are encrypted and secure, to prove they are in fact MORE encrypted and secure than most other email services?
  • What exactly does Proton’s partnership with Israel entail?
  • Did the CIA/NSA really have a role in the creation of Proton?

Conclusion

We don’t trust Proton and recommend making a plan to migrate off their email system soon. This stinks, big time, as many on our team and in our circles have been users and proponents of the service for many years… until we started doing the homework, following the money and asking the hard questions.

  • There are alternatives to Proton that are owned by Americans and transparent in their ownership, founding and ongoing operations. To this extent we recommend considering:

Proton Mail
Scope: Organization
Score: Serious concerns or issues.
Created: Sept. 27, 2023, 5:52 p.m.
Updated: May 10, 2024, 7:25 p.m.
Availability: Public
