Private Email to Foil the Snoops – ProtonMail Review

As we’ve been learning over the past few years, privacy has been getting the thousand cuts treatment. Everyone’s been in on the act. Et tu, Google? You betcha.

Fortunately, you can stop inadvertently BCC’ing Google, the NSA, the Chinese government, hackers, marketers and other creepers of your personal content. That’s thanks to some good people who actually live by the mantra to “Do No Evil” who have created ways for email users everywhere to keep their messages between them and their recipients.

Over the past week, I’ve been exploring one of these, ProtonMail.

The True Cost of Free Email

Most email services are profitable because they sell everything that you type and attach in your emails to marketing companies. Vast profiles about you are generated from this content. Think about it: what diseases you talk to your relatives about, your political and religious beliefs, who you spend your time with, even documents you attach from tax info to intimate photos. It’s all in there, and it’s all for sale.

You might immediately wonder why your email provider is collecting all this. It’s none of their business, right? Well, it is, because you made it their business when you agreed to the terms of service. By using services like Gmail and Yahoo! Mail, you are granting that company the right to access your content, even down to the attachments, and sell it to ad companies and beyond.

Now imagine that this database on you was to be hacked. Can’t happen? It has. The Chinese government hacked Gmail and has likely gleaned a ton of information on the world’s Gmail users. Most likely, they were interested in what their own citizens were writing, but if you ever wrote anything critical of China or work for a company with exposure to China, they might find that interesting too. Who knows!

The US Government has also hacked into Google (and just about every other Western tech firm).

And if these entities can do it, so can criminals and the mischievous. So, again, why are we letting these firms put our information at risk in the first place?

Good news: you don’t have to anymore…

Private and Secure Email

Alternatives to Gmail and other market intelligence-based email services include:

HushMail and StartMail were early services that took your privacy seriously. Both promised never to sell your data, but their business model made up the difference by charging you for the pleasure of living privately and securely.

Tutanota and ProtonMail, on the other hand, are free. Both use similar end-to-end encryption techniques and are quite similar in most respects. When I weighed which one to go with, I ended up choosing ProtonMail, only because their servers are based in Switzerland, a country that has outlawed the seizure of private computer content.

My ProtonMail Experience

ProtonMail was created by developers working at the CERN lab in Switzerland who were inspired by Edward Snowden and who were shocked at how weak online security was becoming, thanks to very aggressive and dangerous actions by global intelligence services.

ProtonMail uses encryption that is unlocked locally, on your machine, so even if anyone broke into ProtonMail’s servers, they would need a few more years than the age of the Universe to decrypt your content. Translation: it’s pretty damn secure, despite claims that the NSA can decrypt encrypted data. They would still need a lot of time and effort to do so, so it’s unlikely they’ll go to such an effort unless you’re an active terrorist (or the leader of Germany).

Best of all, you can send securely encrypted emails even to people using Gmail or Hotmail. You do this by checking a box, creating a password and an optional password hint for the recipient. They then receive an email with a link to ProtonMail. By following that link, they are taken to a secure web page inside ProtonMail where they can read and reply to your message by using the password. Or, if it’s nothing you’re worried about sending, you can just send it as regular, unsecured email to your Gmail friends, in which case it works as normal…but can be gleaned for any info you might have carelessly included.
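To make the password-protected flow above concrete, here is an added sketch (not from the original post and not ProtonMail’s own code). It assumes a generic construction, PBKDF2-SHA256 plus AES-256-GCM in Node.js, with hypothetical function names and constructed sample data; it shows that the server only ever holds ciphertext and that the recipient’s password must match exactly, capitalization included.

```javascript
// Added illustration: password-protected message for an outside recipient.
// Generic construction (PBKDF2-SHA256 + AES-256-GCM), NOT ProtonMail's actual scheme.
const nodeCrypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // assumed work factor for this sketch

// Derive a 256-bit key from the shared password and a per-message salt.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Sender side: runs locally; only the returned envelope would be uploaded.
function sealMessage(plaintext, password, hint) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    hint, // stored in the clear so the recipient can read it
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Recipient side: runs after the recipient follows the link and types the password.
// Returns the plaintext, or null if the password is wrong or the envelope was altered.
function openMessage(envelope, password) {
  const key = deriveKey(password, Buffer.from(envelope.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(envelope.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  try {
    return Buffer.concat([
      decipher.update(Buffer.from(envelope.ciphertext, 'base64')),
      decipher.final(),
    ]).toString('utf8');
  } catch (err) {
    return null; // GCM authentication tag did not verify
  }
}

// Constructed sample data (password and hint are made up for this example).
const envelope = sealMessage('Dinner on Friday?', 'Aunt-Rosalind', 'Your favourite aunt');
console.log(openMessage(envelope, 'Aunt-Rosalind')); // exact password
console.log(openMessage(envelope, 'aunt-rosalind')); // same name, wrong capitalization
```

Because the hint travels in the clear, the secrecy of the message rests entirely on how hard the password is to guess from that hint.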

Here’s how ProtonMail pans out.

UI and Functionality

This is more than just a bare bones email service. ProtonMail comes with a secure Contacts manager, email search and many other features you would expect in a modern email service.

The UI is clean and very straightforward.

Probably the hardest thing about using ProtonMail is the encryption, but not because it’s complicated…it’s drop dead simple…but only because it adds a step to your email creation if you plan on sending encrypted emails to people on Gmail, for example. In this case, you just have to come up with a good password and hint that your friends can figure out. It can actually be a little hard to come up with something that isn’t as easily hacked as “The city we met in.”

The other complication is that you have two passwords. One is used to access your mailbox and the other is used to decrypt the messages. So you have to enter two of these. In my case, I use KeePass password manager, so I just create super crazy, long, gibberish-based passwords for both of these and store them in the manager. Then it’s just a copy and paste action that I need to do twice when I log in…slightly easier, in fact, than using the two-factor authentication I use with Google, compounded by my non-use of cookies.

The Mom Test

I tested the recipient experience with my Mom (very non-technical) and some friends (generally non-technical) to see if any of this would keep people from reading and replying to me. So far, ProtonMail only snagged my mom, because she didn’t think of using caps on a name I was using for the password.

My mom also didn’t understand that she had to reply from within the browser window. Some caveats here: I believe she still thinks of email as something that she has to do in AOL.

My friends fared much better with no reports of trouble. So overall, I’d say there is a small learning curve for some recipients.

The Private Future

The hope here is that most people will gravitate over to ProtonMail or services like it, so that everyone’s on the same, private page. As I mentioned above, there are some extra steps with using ProtonMail with non-ProtonMail recipients. But if you’re communicating with friends that also use ProtonMail, the encryption is already there and you can relax…so obviously, I hope you all join ProtonMail.


5 thoughts on “Private Email to Foil the Snoops – ProtonMail Review”

  1. Thanks for the review. I’ve tried them both as well, went with Tutanota because it’s open source. Also Switzerland has data retention up to six months. Unfortunately, they aren’t any better in spying than any other country.

  2. Mom Testing Update: I heard back from a “low-tech” friend that she thought the email from ProtonMail was suspicious…perhaps because she was just the victim of a phishing attack. But anyway, it sounds like it was the redirect and request for a password that threw her.

  3. I have been using Hushmail for several years. I started with their free service for a year but jumped to their premium because I ran out of storage space. Last year, I tried StartMail because I like their XQuick. They only offer a free version for a very short period of time. I liked the fact that their servers are in the Netherlands but I ran out of testing time. They need to lengthen the free service so customers can settle in and get comfortable. Recently, a good friend changed email service from Hushmail to ProtonMail…..after he studied the pros and cons. ProtonMail has a forever free option. I love free! I like the fact that they are Swiss and camp out inside a mountain. I LOVE the fact that users must sign in with TWO (yes “2”) passwords. Folks, you got to love that if you are serious about privacy! So far I am still finding that Hushmail (my primary) is very user friendly. Hushmail has a killer contact-list platform and their customer service gets back with premium users very quickly. I’m having to get used to ProtonMail but everything I am seeing indicates they are working hard to make everything work. I have found some glitches, i.e. two of my encrypted messages could not be opened by the recipients. That seems to have been worked out but I’m not going full time with them until all the bugs are worked out. I am getting some age on me and ProtonMail does not provide a way to increase font size. Hushmail does not have that problem. I have read comments from reviewers on other forums that they look down at Hushmail because Canada honors US Government subpoenas and will open their customer’s email to same. For some folks, that might be a problem and it concerns me to some degree. The Swiss will toast any bureaucrat who tries to do that. So if you need superior encryption and super secrecy, go with ProtonMail. However, you might want to test them first with their free version. I’m still testing it with family and very close business associates but not friends. Not yet!

  4. Note. Web-based encrypted email services have their limitations. There are ways to silently feed you new javascript code, for example (this is what encrypts/decrypts your mail) at the request of a court. In fact, HushMail did exactly this in 2007.

    Other services are not immune to court requests. ProtonMail is utterly transparent about this. They publish what they are asked to do here: https://protonmail.com/blog/transparency-report/ Note: Thus far, they have never given up unencrypted data.

    ProtonMail and TutaNota are working on ways for consumers to know if folks muck with the javascript that empowers the cryptographic process so that even they can’t trigger a replacement without a consumer’s knowledge. Their iOS and Android applications, on the other hand, are more secure.

    So… if you are a whistleblower, a political dissident, a person engaged in controversial activities, etc… you should consider using local applications and GPG encryption. Or… continue to use ProtonMail and TutaNota, but only use their Android or iOS versions. The rest of us… are less at risk, but you never truly know if and when you will come under the watchful eye of a government.

    Good luck, folks!
