Table of Contents
- The Problems with Normal Email
- Introduction to ProtonMail
- The Network Effect
- The Transparent Period
- The .onion Address
- Ephemeral Emails
- Limitations of ProtonMail
- My Personal Experience with ProtonMail
- Final Thoughts
- Further Reading and Links
As I explain here, secure communications are important even if we don't personally have anything to hide because we rely on people whom we would want to have privacy and security. This includes people who provide us with medical, legal, or financial services and people who serve and protect our valued democratic institutions, such as journalists, whisteblowers, and certain political leaders. By using secure channel ourselves, we help support the infrastructure that these people use, we make it socially acceptable to use them, and we can develop a habit of respecting each other's privacy and security.
So, let's suppose for the sake of discussion that we already agree that it's important to use secure channels of communications. Then the next logical question is, which platforms should we use? I will explain that, ProtonMail is the best secure email provider because of its built in PGP end-to-end encryption, transparent periods, Tor .onion service, and superb customer service.
The Problems with Normal Email
The original design of email is very insecure and not designed for privacy. Without proper configuration and caution, it's easy for third-parties to eavesdrop on conversations, to impersonate senders and receivers, and to redirect messages while they're in transit. Over time, email providers including Google and Microsoft have developed, deployed, or offered new security features for both free and business users to respond to these problems, but they are not powerful enough to serve privacy-conscious consumers.
So, if email has these problems, why do we still use it? As Bart Butler, CTO of ProtonMail explains in the following video, "email is by far the most democratic communication protocol in history." Email is the basis of the digital identity and just about everybody needs one to use digital services. Almost all online accounts require email login. Moreover, people can communicate over email without using the same email provider, so it's decentralized – no single email company can control all of our email communications. The archival aspect of email makes it convenient to document our communications over time. There are circumstances when messaging apps such as Signal are better for communicating, but email is still essential for our digital lives.
Introduction to ProtonMail
Of the privacy-conscious email providers I linked above, ProtonMail is my favorite because it's leading the movement to make email more secure without requiring that everyone interested in secure email use its services.
It might be helpful to clarify what I mean by secure communications. In this discussion, I say that two entities (persons, groups, parties, etc.) are communicating end-to-end securely when they are sending and receiving messages to and from each other without allowing any third entity to access their message while it is in transit. For example, the third entity may be their respective governments, telecom providers, internet providers, as well as the providers of the service or platform they're using to communicate. The specific content of the message is called the message data while the overall subject of the message, the time that the two communicated, the identities of the two entities (e.g., username, phone numbers, email addresses), and the IP addresses that they communicating from are collectively called the metadata. I say that the two entities are communicating meta-securely if, in addition to communicating securely, they are able to prevent third-parties accessing this metadata.
ProtonMail Security Features
The zero-access feature of the ProtonMail inbox provides us with more privacy, but it makes our email message data unsearchable; the search feature in the ProtonMail apps can only search through our meta-data. But since our metadata isn't encrypted, we can assign filters our incoming mail into folders and labels based on senders, recipients, and subject lines. This helps prevent spam. If the subject of our emails are sensitive, then we can use misleading subject lines and still organize our mail with folders and labels. These security features can be found on their website. The ProtonMail explains their advanced security features and how to use them in greater detail on their blog and knowledge base. I won't go into them here as they're more technical and not important to reiterate here.
A Note on Jurisdiction
The above link on privacy-conscious email providers only mentions providers outside of the United States because the US Government has been known to surveil people's emails (thank you Edward Snowden, Laura Poitras, Glenn Greenwald, and everyone else who helped). The fact that ProtonMail is located and incorporated in Switzerland (a country outside the jurisdiction of the European Union), is a reason to favor it, but it's important not to overstate this benefit. It helps that ProtonMail can only give up our meta-data to Swiss authorities when subpoenaed by Swiss courts, but the end-to-end encryption and zero-access mailboxes are the real reasons why our conversations are protected.
The Network Effect
Since ProtonMail doesn't have access to our message data, they're unable to scan our messages and sell targeted ads based on them. One might wonder how ProtonMail pays for these free accounts and why. In the above video, CTO Bart Butler explains that ProtonMail subsidizes free accounts with the subscriptions of paid users because the value of ProtonMail increases when more people use it. This increase in value is known as the Network Effect.
In addition to the security features, I think the network effect is one of the most important reasons to favor ProtonMail over some other providers even though it's easy to forget. Some companies, notably Tutanota, may offer similar end-to-end secure and zero-access email services with other useful features including encryption of the subject line (improved meta-security) and improved search of the message data. But their methods of encryption are not interoperable with other secure email providers.
There are probably three possible scenarios for the future of secure email:
- Everybody uses the same secure email provider.
- Nobody uses email anymore.
- People use different providers.
If we had the first scenario, then it would probably be a good idea to sign up for Tutanota to take advantage of the encrypted subject lines and innovative search feature. But having everybody using the same email provider would violate the principle of decentralization, which is a very bad thing to do. When everybody uses the same email provider, then that provider could have the power to create a backdoor even if they didn't want to or had no intention of doing so. The possibility itself is a bad thing to have. Indeed, the decentralized nature of email is a reason why it is so powerful and remains widely used – one doesn't need to have to be authorized by a central authority in order to use it.
Besides, even if it's a bad idea for everybody to use Tutanota, it's also very unlikely that everybody will want to do it. Tutanota doesn't work with Microsoft Outlook, Mozilla Thunderbird, and Apple Mail, so we won't be able to write with our preferred email editor (see ProtonMail's Bridge). The current ways of using email are very convenient and respective of individual choice that it's difficult for me to reasonably imagine that everyone will want to use Tutanota.
Innovative technologists have used followed this same logic to other services including social media, cloud storage, and chat rooms. If we want to, we can own and host our own Twitters, Dropboxes, and Discords/Slacks with Mastodon, NextCloud, and Rocket.Chat. I hope that one day we can also host our own encrypted email servers (see Mail-in-a-Box), but it's unlikely that this will occur anytime soon given how complicated it is to do it reliably.
Moreover, the importance of email to our digital identity makes the second scenario unlikely. Email has lasted decades, and will likely continue to last decades.
As a result, we will likely have the third scenario – people will use different email providers. This means that if different encryption systems were to provide comparable end-to-end security and zero-access, then the system with the greater number of users would provide more value.
Thus, even if Tutanota and ProtonMail offered the same features, ProtonMail would still have greater value because the network that it works with is bigger. Many email providers besides ProtonMail implement OpenPGP, including Posteo.de, Mailfence.com, StartMail.com, Mailbox.org, and Neomailbox.com (in no particular order). So if our contacts sign up to use accounts at those providers, then the value that ProtonMail's service provides to us increases as well. People can even use OpenPGP with their Gmail, Outlook, and Yahoo mail with Mailvelope. Everybody's privacy needs are different, and so people should be able to send and receive end-to-end encrypted email within the comfort of their current email providers if they want to. Rather than trying to trap us into their service, ProtonMail is leading the email industry into making email more secure for everybody.
The Transparent Period
So, if many email serves offer OpenPGP integration, what makes ProtonMail better than the others? In my view, one important but underappreciated reason is that ProtonMail makes periods transparent.
One might notice that emails sent to [email protected] and [email protected] are sent to the same inbox, but emails sent to [email protected] and [email protected] are sent to different inboxes. That's because the dots are transparent on Gmail but not on Microsoft Outlook or Apple Mail.
The added value of making periods transparent in the usernames is tremendous. If somebody's username has length n, then they can actually receive email from 2n ProtonMail addresses without having to use any of the unlimited "+" aliases. Here's the proof:
Proof: Ignoring "+" aliases, each email address has the form [email protected]. Let n be the number of letters and numbers in the username. For example, [email protected] has n = 11. We say that two usernames are versions of each other if removing all the dots from each username would result in the same username letter for letter, number for number, and in the same order. For example, exam.ple20202pm.me, [email protected] and [email protected] are versions of each other. For any given username with, we want to find the number of versions it has.
The space between each letter or number in a username can either be empty or filled with a dot. To visualize the spaces, we can replace them with underscores, so [email protected] can be visualized as [email protected] For a username with n letters and numbers, there are n-1 spaces and each space has 2 possibilities (an underscore or a dot), so the number of versions for each username is 2n-1. Since ProtonMail lets us receive emails at @protonmail.com and @pm.me for free (sending from @pm.me is for paid users), we really get to receive mail at 2*2n-1=2n addresses without using any "+" aliases. □
ProtonMail, like Google, gives us all of these addresses for free in our accounts. It's one reason to prefer Google over Outlook and iCloud Mail (for a "free" email, anyway). It's also one reason to prefer ProtonMail over Tutanota, Mailfence, StartMail, and Mailbox.org, which charge us extra for these additional addresses. (I didn't try posteo.de or neomailbox.com because they didn't have free trials. There are probably others I haven't heard about.)
This means that, if my email address were [email protected], then somebody can send me emails to [email protected], [email protected], [email protected] and be assured that they're sent to me. If they click on the email address, this won't be a big deal, but if they're manually typing my address from my business card or from a form I've written on, this could make a difference. This also means that it's much harder for malicious people to impersonate us or to steal data from us. If we're in a rush, or if we're stressed and tired, we might not notice an extra dot in somebody's email address if they set their display name and footer signature of somebody we're accustomed to sharing sensitive information with. ProtonMail helps protect us in these situations with with transparent dots and other features, such as digital signatures.
Note that, on Google, we can send emails from different versions of our username, but on ProtonMail, we can only send emails from one of them. That particular version can be changed by contacting support.
One might point out that the benefits of transparent periods in usernames is less valuable when we are using a custom domain, but then we have to worry about people impersonating us by using a similar domain. We're also subject to DNS hijacking, and he basis of our digital identity is then also accessible from two points — our email service provider and our domain registrar, which uses our email. We can note, however, that the transparent dots apply to usernames at custom domains as well.
The transparent period gives ProtonMail's service much more value than other email providers. For a secure email provider, it only makes sense to take steps to avoid impersonation, and I'm puzzled by the fact that other providers did not do this as well.
The .onion Address
ProtonMail tries to improve its security and trustworthiness by conducting independent security audits and publishing their encryption libraries, iOS app, and web client for independent and anyone else who wants to look at them. However, even if the code and math are valid, it takes a lot of trust to use an encrypted email service. Our email can be very personal, and we have to trust that the software they publish on their GitHub is the same as the software that they deploy on their servers and not a modified version with secret backdoors. This is true for every email provider.
Remember that the Tor browser, not VPNs, provides greater anonymity on the internet. Other secure email providers (e.g., Tutanota) allow access to their website from the Tor browser, but to my knowledge, ProtonMail is the only other secure email service that provides a .onion site. In addition to hiding our IP addresses, ProtonMail explains, using the Tor network and routing our traffic through the .onion site helps prevent man-in-the-middle attacks and prevent eavesdroppers from knowing that we are using ProtonMail, which is important for people in countries where using encrypted services is itself illegal. The .onion site also makes our connections to the through the Tor network fully end-to-end encrypted (as opposed to mostly).
ProtonMail users include normal people who are simply privacy-conscious (e.g., me) as well as people who rely on it for their work and livelihood. The .onion site is a part of ProtonMail's infrastructure that makes its service accessible to people who need it. As I mentioned before, I believe that supporting privacy-conscious infrastructure for people who need it is itself a good reason to use it, and ProtonMail provides the most robust infrastructure, so perhaps it's the best encrypted, secure email service.
With ProtonMail, you can send and receive expiring emails. Learn how to do it here.
Limitations of ProtonMail
Even though ProtonMail is my favorite secure, encrypted email provider, I recognize that every encrypted email service is still a work-in-progress and that ProtonMail is not an exception despite being the most advanced. Here are some of its limitations.
- IMAP/SMTP access for desktop mail clients is only possible via the ProtonMail Bridge app. It's not possible to set up SMTP access for third party services (e.g., Mediawiki SMTP). I'm not sure how businesses can use ProtonMail in conjunction with external customer service software.
- ProtonMail has received external funding in the past, but their transparency report doesn't specify who the company is owned by.
- The setting to send end-to-end encrypted emails to people who don't use ProtonMail or PGP has to be re-enabled for every email, but the same setting on Tutanota is enabled for the entire conversation.
- ProtonMail's web client has customizable CSS, but it does not have a built-in night or dark mode.
My Personal Experience with ProtonMail
I found out about ProtonMail in October of 2019 when I was browser Twitter and came across Natasha Bertrand's profile. At the time, her bio mentioned her ProtonMail address.
As a national security correspondent for Politico, I recognized that she would handle sensitive information as part of her work, so I wondered why she would need or use a second email address at something like ProtonMail. I also didn't know what "DM for Signal" meant. I went to ProtonMail.com and that got me started thinking about digital privacy and security. I read through their terms, policies, blog, and knowledge base and signed up for a free account.
One of my friends told me there are other companies that try to offer similar services. After reading the works of many reviewing websites including PCMag, lifewire, techaradar, and restoreprivacy, I found that it's very difficult to know whether their claims are telling the full story and whether their reviews were written with good faith. Sometimes it seems that they're more interested in making money off of us by serving us advertisements (use uBlock Origin) and getting us to click on affiliate links provided by the highest bidders rather than actually telling us the truth about the products they were reviewing and thinking about what's best for the future of the internet.
I continued to test the products on my own and decided that ProtonMail is probably the best service for me. I've been a paid user since October 2019. I'm a very demanding customer, and I send ProtonMail many emails about their product to ask questions, express concerns, and give suggestions (some are shown above). They are able to get back to me almost every night. They are very helpful in their support emails, even for free users, so I think their customer service is superb.
Unlike review companies, my goal isn't to make profits off of my readers. In contrast, I'm a normal person who likes to think about technology. I'm not a security expert and I rely on their security audits, too. I'm a privacy-conscious end-user of ProtonMail's services, so I've spent a lot of time using its apps and thinking about what's important in an end-to-end encrypted, secure email service. I'm sharing my thoughts because I think these aspects of ProtonMail are understated, underemphasized, and underappreciated.
One disclaimer to make is that ProtonMail was the first encrypted email service that I heard of. This might have made me subconsciously biased against other providers when I was reviewing them. I don't really know how to tell if that happened, so maybe everyone ought to review each service for themselves, too.
ProtonMail is a premium email service. It's for people who want to use the best service and are willing to pay $3-5 per month for it. It's for people who are the privacy-conscious or want to join the biggest end-to-end encrypted email network. It's for people who want to take more control over their email communications and support our democratic institutions.
Tutanota is probably good for people who only email other Tutanota users. People who want to use OpenPGP but don't care about transparent dots and ProtonMail's other premium features or don't want to pay premium prices are encouraged to use other OpenPGP providers. More tech-savvy users are encouraged to use GnuPG with all their emails.
Sign up for a free account at ProtonMail.com.
Further Reading and Links
- Why Secure Communications Matter
- Ted Talk on Why Privacy Matters by Glenn Greenwald
- Email Self-Defense by the Free Software Foundation
- GNU Privacy Guard (GnuPG)
- Which Professionals Use PGP?