Original article (was) here: https://privacy-watchdog.io/truth-about-protonmail/.
Update 2021/11/04. My thanks to the HN guys for their help and bunch of useful recommendations on this case. So, I have changed some things in this post:
- I have carefully read point 9 and the linked article to it, and now I can confirm that this is not a valid argument. I leaved it crossed out and did not delete it just for historical purposes;
- Renamed title (and changed link) to “Disturbing facts about ProtonMail”, so no absolutely truth is meant;
- Thanks to this comment author for adding two extra points (in this article they are 12 and 13).
Update 2021/10/28 domain registrator received abuse complaint against this article:
--- Dear Madam or Sir, Our Company, Proton AG, is a provider of secured Internet services, including ProtonMail, and end-to-end encrypted email service. We have recently been made aware of an article hosted on the website encryp.ch, and accessible via the following link: https://encryp.ch/blog/truth-about-protonmail/. This article is highly defamatory. It claims untrue and groundless “facts” about our Company and our services, which can cause great damages to our reputation and the conduct of our business. After investigation, it appears that the website is held by your Company. We would be very grateful if you could take down the content of this article, and provide us with all available information regarding its author. We remain at your disposal for further questions. Best regards, [redacted] Legal Counsel Proton AG ---
1. Protonmail Behaves like a CIA/NSA “Honeypot”
Protonmail has an Onion domain that allows users to visit their site using the TOR browser. Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary. When a user makes a new account with Protonmail on TOR they are re-directed from Protonmail’s “.onion” to “.com” address. This breaks your secure encrypted connection to their onion address, enabling your identification. There are absolutely no technical reasons for this feature. In fact, the only other websites that operate like this are suspected NSA/CIA Honeypots.
This is a huge security issue that was either created because Protonmail is managed by Particle physicists who do not understand computer security OR they have been forced to operate their website in a similar way as CIA/NSA honeypots. Both possibilities are serious concerns.
2. Protonmail Does Not Provide “End to End Encryption”
Professor Nadim Kobeissi mathematically proved that Protonmail does not provide End to End Encryption. Meaning, Protonmail has the ability to decrypt their own user’s data. When this was shown to be true, Protonmail users were outraged they had been lied to. Protonmail was forced to issue a public statement. Their statement begins like you would expect it would.. by shitting on the security researcher that revealed their dishonesty. Then they continued to say: “We lied to our users because other email companies did”. No apologies. They can decrypt any of their user’s data be sending them scripts that allow them to do so. However they advertise that they can not. Protonmail’s admission proves they offer the same security that Gmail offers. Both Gmail and Protonmail offer encryption that they can decrypt whenever they want.
3. Protonmail’s Was Created Under CIA/NSA Oversight
Gmail & Protonmail were both created in CIA/NSA funded departments with their oversight. Protonmail has tried to hide this part of their history. We wrote a whole article about it here.
4. Protonmail is Part Owned by CRV and the Swiss Government
After a successful crowdfunding campaign with promises to “remain independent” Protonmail sold equity ownership to CRV and FONGIT. At the time of the equity sale a CRV founder, Mr Ted Ditersmith, was working for the US State Department closely with President Obama. His position as a delegate required close contact with CIA & NSA administration. Mr. Ted Ditersmith had also witnessed the Edward Snowden revelations and made statements that he planned to use his corporate knowledge to “fight terrorism”. FONGIT is a Non Profit organization that is financed by the Swiss Government. Protonmail staff member, Antonio Gambardella, also works for the Swiss Government.
5. CRV, In-Q-Tel & the CIA
The CIA openly operates a front company, In-Q-Tel, whose stated purpose is to invest in tech companies on behalf of the CIA. In-Q-Tel has stated they have a specific interest in the information contained in e-mails and encrypted communication. In-Q-Tel has been shown to be the bridge between the CIA and Gmail. An analysis of staff members reveals CRV & In-Q-Tel connections. The US media confirms these connections when they interview CRV so that they can understand In-Q-Tel. Additionally, The mastermind, cryptographer & back end developer that created Protonmail, Wei Sun, now works for Google.
6. Protonmail Follows CIA Email format & Metadata Requirements
Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires. Protonmail offers no protection for users’ metadata and has officially stated that they turn metadata over to Law Enforcement. Edward Snowden revealed that the US government cares least about the content of emails. Mr. Snowden revealed the US Law Enforcement cares most about who a person is talking to, the dates & times of the emails, and the subject of the email. Subject and metadata encryption are not difficult to provide. However, Protonmail refuses to offer any protection on data that is most valuable to the CIA & FBI and they store it as plain text (No encryption). Edward Snowden stated the NSA “isn’t able to compromise the encryption algorithms underlying these technologies. Instead, it circumvents or undermines them by forcing companies to cooperate in other ways. Protonmail has refused to protect the information the NSA wants, this is a concern.
7. Swiss MLAT Law Could Give the NSA Full Access
8. Protonmail Uses Radware for DNS/DDOS Protection
Privacy companies like Protonmail are required to use a DNS/DDOS service because of the frequent attacks against their service. Protonmail uses a company called Radware for this purpose. Radware is a low-quality service that has failed to provide adequate protection. Protonmail has been taken offline, sometimes by teenage kids, because they insist on using a sub-par service. It’s worth noting that Radware’s international office is a few miles away from the headquarters of the most powerful Intelligence agency on earth, The Isreali Mossad. Radware can gain complete access to all Protonmail user’s accounts in two ways. They could inject a few lines of code that would reveal all users log in username and passwords, thus allowing them to log in as if they are that user. They could also be given users usernames & passwords by Protonmail. Remember Protonmail has admitted they can access all user’s accounts and decrypt their data. Additionally, it has been reported that Radware has direct connections to the Israeli Defense Force.
9. Protonmail Developers Do Not Use Protonmail Protonmail’s developers are in a position to know the real security offered by Protonmail. And Protonmail’s developers do not use Protonmail. If you were served food by a cook who refused to eat the food, would that be a cause of concern to you? This is the same situation. Protonmail developers do not use Protonmail, there are likely good reasons for this.
10. Protonmail engages in illegal cyberwarfare
In 2017 Protonmail seems to have used illegal cyber warfare capabilities to unlawfully break into a suspects server. You can see the tweet they posted and read about it here. They soon deleted the tweet and said: “We cannot confirm nor deny if anything happened.” In 2013 the European Union parliament voted to make hacking a crime that carried a prison sentence of 2 years. “Hacking back” is also illegal under Swiss law. Based on Protonmail’s admissions only, they conducted an illegal hack.
11. Protonmail has a history of Dishonesty
From Protonmail’s creation lied to their users. Starting when they crowdfunded $550k to “remain Independent”, a promise they broke almost immediately by selling equity ownership to a US corporation with ties to President Obama and John Podesta.
12. Protonmail does not protect users, if it could cause any legal risk
Protonmail collaborating with EUROPOL in a clear case of political repression against anti-gentrification activists in Paris, and setup IP logging specifically for that user… So even in the clearest violations they are not standing up for users if it means taking legal risks for them.
13. Protonmail censoring “untruth” information about themself, even if you are a small blog
Prontonmail joining the long list of censor trolls asking registrars about identity of domain owner?! (see an aforementioned abuse complaint from Proton AG). They broke away from a tradition of free speech (debunk claims publicly), and from a traditional form of law enforcement. It is very unusual for corporate trolls with armies of lawyers to contact anyone to censor such vague claims on a random blog in a dark corner of the internet. It’s not exactly like the website named like protonmailtruth.ch or whatever.
In our opinion Protonmail is not an email solution you would use if you want privacy or security. Your emails are probably going to end up in a US data center right next to your Gmail emails.