Proton AG bills itself as a privacy-centric company and repeatedly touts the CERN roots of its founders. Sir Tim Berners-Lee, the inventor of the World Wide Web, joined the Proton Advisory Board in September 2021. Whether Sir Tim has an active role in running the company or whether he was just recruited to burnish the marquee is unclear.
In recent years, there have been many assertions that Proton and its services are honeypots. These claims are not based on any concrete evidence but on several assumptions extrapolated from several incidents that put Proton’s claims of being in the vanguard of the war for online privacy into question. Plausible as it may be, does the honeypot theory hold any water?
Is ProtonMail actually private?
No. ProtonMail isn’t private. During sign-up, the company strong-arms you into revealing your identity. You have to verify you’re not a bot through email, text, or donation. You can’t use temporary email or SMS providers. You can’t even use another ProtonMail address. If you donate, they only accept credit cards and PayPal.
When ProtonMail outed a customer to the cops
In September 2021, a French activist discovered the limits of ProtonMail’s privacy when the company shared their IP address with law enforcement after a court order. Proton insists they have to comply with Swiss law.
The French police requested the IP address through Europol, which notified Swiss authorities, who in turn demanded the information from Proton AG. Proton will comply with any law-enforcement request for information from any country as long as it is approved by Swiss authorities.
The French activist in question wasn’t some suicide bomber. The unnamed activist was part of a “collective” squatting on premises a Parisian restaurant wanted to expand into because they considered the expansion to be gentrification.
Information ProtonMail will disclose upon a law enforcement request:
- Email addresses and phone numbers associated with the account (you give these up at sign-up)
- IP addresses used to access your ProtonMail account
- The IP addresses of incoming mail
- Devices used to access your ProtonMail account
- Email addresses you communicate with and the times those messages were sent
- The subject lines of incoming and outgoing emails
- The contents of any email sent by unencrypted external providers. So if someone using an unencrypted service sends you an email, the entire contents of that email can be disclosed. Proton can’t read emails sent by users of its own service because of the end-to-end encryption but with governments trying to pass laws that would put backdoors in this encryption, who knows how long this will last?
Swiss law requires ProtonMail to notify a user whenever a third party files an information request but this notification can be “delayed” for up to eight months. I don’t need to tell you what that means.
To its credit, ProtonMail advises customers to use its Proton VPN or Tor to access its services. Since Swiss law doesn’t allow logging of IP addresses for VPN users, in the event of an information request, the IP address they disclose to authorities will either be that of a VPN server or a Tor endpoint, virtually useless for tracking. But the government requesting your information will still know whom you are talking to, when you’re doing the talking, and the subject lines on those emails.
While this incident is sobering for anyone who relies on ProtonMail for privacy, we should have seen it coming. As Proton CEO Andy Yen put it, “In general though, unless you are based 15 miles offshore in international waters, it is not possible to ignore court orders.”
Governments are also aware of Proton’s services and the people who use them. While Proton received only 26 information disclosure orders in 2017, that number stood at over 6,000 in 2021.
Is ProtonMail a honeypot?
- The case for ProtonMail being a honeypot
ProtonMail’s popularity has exposed it to several honeypot conspiracy theories. The “ProtonMail is a honeypot theory” picked up steam following the case of the French activist whose information the company released. While Proton AG may only have been following the law, when you bill yourself as a “user-privacy centric” company, people have certain expectations.
Despite the company’s explanation, ProtonMail was roundly criticized for disclosing user information. This was a user that many people didn’t consider a criminal in the first place. Less than a week after this controversy, Proton announced that Sir Tim Berners-Lee was joining its advisory board.
The cases of Crypto AG and Anom, the FBI’s fake encrypted messaging app for criminals, play a large part in fueling allegations that ProtonMail is a honeypot. Crypto AG, a Swiss security company specializing in the manufacture of “encrypted” communication equipment, was secretly owned by the CIA from 1970 to 2018 when it went defunct.
In its 48 years of operation, it sold its backdoored equipment to countless organizations and governments. For 48 years Crypto AG made millions while simultaneously spying on its customers, a fact that only came to light two years after the company went defunct. Cases like this one make any company in the secure communications sector suspect. And Swiss law may not be a big help here because Swiss intelligence knew about and benefited from Crypto AG’s espionage.
Ever since the Snowden leak, governments know we know about their surveillance operations. How do you spy on people who know you’re spying on them without them knowing you are doing it?
You create things like VPNs and “encrypted” communication channels of course. These kinds of services attract exactly the kinds of people who don’t want you spying on them. These are usually the very kind of people a government wants to spy on. It’s self-selection at its finest.
One of these VPN and secure communication companies has to be a honeypot. The problem is separating it from the crowd. Many people have pointed the finger at Proton because of its popularity and lack of commitment to anonymity.
- The case against ProtonMail being a honeypot
A point in favor of ProtonMail being legit is that they released their source code. ProtonMail is now open-source. It took them forever to do that, but ProtonMail’s source code is available on GitHub for anyone to freely review and contribute to.
No one has found any backdoors yet but it doesn’t put them in the clear because their back end remains closed-source.
The company says its back end is only optimized for large deployments and contains sensitive logic on blocking spammers and abusers. This puts a damper on their whole transparency shtick because it requires you to trust that they’re not doing anything funny in the back end. Not a good plan. Partial transparency is not transparency.
Nevertheless, there is no evidence that ProtonMail is a honeypot despite the conspiracy theories. But companies like Anom and Crypto AG should not be forgotten. Treat any opacity as a warning sign and act accordingly. ProtonMail is an excellent choice if you want to avoid tracking from Google and the like but it’s not a great option for complete anonymity or for avoiding government surveillance.
Verdict: Should you trust ProtonMail and Proton VPN?
No. You shouldn’t trust any single organization with your privacy. Treat privacy like medieval castle defense and use the principles of defense in depth. Use several anonymizing practices and layer them on top of each other. That way, your privacy won’t be compromised by a single point of failure.
Best ProtonMail alternatives
In no particular order: