Accessibility links

Encryption Service Aims to Make Email Truly Private

An undated file photo made available by Google shows the campus-network room at a data center in Council Bluffs, Iowa.

An undated file photo made available by Google shows the campus-network room at a data center in Council Bluffs, Iowa.

Clicking through a clogged inbox overflowing with spam and unanswered messages, it may begin to feel that email is more nuisance than help in these days of instant texts and Snapchats.

Still, email remains a primary communications tool both for global business and personal matters.

Ensuring its privacy and security is of paramount importance – as seen in news last week that former Secretary of State Hillary Clinton used non-government email services.

Email is much less secure than we people think, analysts say.

Phishing, Trojan Horses, injection, spoofing – these are just a few of the many ways email continues to prove itself easily compromised.

Now, a partial solution might be at hand

It’s called ProtonMail, and while it isn’t fool-proof, it puts genuinely sophisticated encryption tools at hand of even inexperienced web users.

Fighting for privacy

“Many of us probably think, well, one email, there's nothing in there, right?” asks Andy Yen, co-creator of ProtonMail in a recent TED Conference presentation.

“But if you consider a year's worth of emails, or maybe even a lifetime of email, collectively, this tells a lot,” he said. “It tells where we have been, who we have met, and in many ways, even what we're thinking about. And the more scary part about this is our data now lasts forever, so your data can and will outlive you.”

For decades now, the basic structure of what we call email has remained the same as when first developed by researchers in the early 1980’s, long before the multiplying cyber-threats of today.

In those days the priority was inter-operability, meaning that a message sent by any one person could be read by any other person. Privacy was a non-issue, with the result being that emails – even to this day – are constructed in a way that largely lets anyone in the data chain read the message.

While it’s true that some tools allow users to robustly encrypt their email, they’re often universally time-consuming and difficult to use.

Joined by his colleagues Wei Sun and Jason Stockman at the European Organization for Nuclear Research, or CERN, Andy Yen decided to build an email system that was made robust privacy easy. The result is ProtonMail – a somewhat cheeky reference to their research work smashing atoms at the Large Hadron Collider.

“After the revelations by Edward Snowden, a lot of us in the scientific community at CERN felt compelled to take action because no good solution existed for email encryption,” Yen told VOA. “This was something that really drove us to take action because if we realized if we don't fight for privacy, nobody is going to do it for us.”

Andy Yen

Andy Yen

Keys are key

That sets ProtonMail apart from other emails services is where the messages are encrypted, and who holds the keys.

Many large email services, like Gmail, already encrypt the contents of your email once they enter the cloud. But they also hold the key to decrypting it.

That essentially means your unencrypted emails sit on Google’s servers, and are subject to governmental requests to review the content of your email, often without your notice.

ProtonMail messages are encrypted directly on the user’s computer, and as long as a user sends it to another ProtonMail user, the message never exists on the Internet in an unencrypted form.

ProtonMail users can also, if they choose, encrypt messages to non-ProtonMail users by using a “symmetric key,” or special pass phrase that the sender privately gives the receiver.

Additionally, ProtonMail uses a dual-key system – one public, the other private.

This “zero-access” model means that emails stored on ProtonMail’s servers are fully encrypted and cannot be decrypted by anyone including ProtonMail itself, but the user. ProtonMail servers are set in Switzerland, whose government has perhaps the highest level of privacy protection in the world.

Still, Yen cautions that ProtonMail is not fool-proof.

“ProtonMail, like any other security system is not a magic bullet, as there is no such thing as one hundred percent secure,” he said.

While ProtonMail will help keep personal or business email communication private, the company makes clear that email communication, at its core, is vulnerable.

“If you are Edward Snowden, or the next Edward Snowden, and have a life and death situation that requires privacy, we would not recommend using ProtonMail,” reads one post on the company’s blog. “For extremely sensitive situations, it is simply not a good idea to use email as a medium for communications.”

The trend of increasing “zero-access” encryption has alarmed some American and British law enforcement agencies.

FBI chief James Comey, recently warned that the growing use of encryption puts “the bad guys” outside the reach of intelligence services. Encryption, he warned, threated to take us “to a very dark place.”

But for Yen, encryption helps “the good guys” as well as the bad ones – and, he says, there are far more good guys than bad guys online today.

“The argument for surveillance is always ‘terrorists will kill your children’,” he said. “However, the loss of privacy comes with its own dangers.”

“If corporations or governments have access to all of our private data, we are giving them immense power over our lives,” he said. “We see this trend in other countries today like Russia, Iran, or Syria where it is impossible to even speak out against the government... In many ways, privacy and freedom go hand in hand.”

  • 16x9 Image

    Doug Bernard

    Doug Bernard covers cyber-issues for VOA, focusing on Internet privacy, security and censorship circumvention. Previously he edited VOA’s “Digital Frontiers” blog, produced the “Daily Download” webcast and hosted “Talk to America”, for which he won the International Presenter of the Year award from the Association for International Broadcasting. He began his career at Michigan Public Radio, and has contributed to "The New York Times," the "Christian Science Monitor," SPIN and NPR, among others. You can follow him @dfrontiers.

Show comments