I was thinking about what I wanted to write about here on this blog for a few weeks now. I was thinking of writing about hate crimes online and what kinds of privacy and security implications that kind of threat poses, given that OSINT is becoming a more and more viable way to find out things about people and now hate mobs are becoming a viable misinformation tool for foreign governments. I was also considering covering some interesting cryptography books I've been reading. I also thought about going to some of the things I've been reading about regarding analyzing leaked datasets.
I'll likely touch on those topics on a later date. I was starting a post on the state of PGP in 2022, and as I got to writing the post warped into a longer discussion on Protonmail and the nature of trust. So here it is!
In the interest of full disclosure, I'll admit I'm not a software developer, journalist, government official, or anyone who would be required professionally to use PGP (or GPG) for communication or email. I'm just a random guy who got into privacy and cryptography by reading upsetting stories online about privacy abuses. I'm coming into this as a person who, out of the blue, wants to start using encryption day to day, if even just out of principle. Usually, the first stop the suddenly privacy-minded end up at is ProtonMail. It's been advertising for years and is generally considered the go-to email company to choose if you want some kind of privacy and don't want your email provider scanning and reading your email messages. Proton advertises that encryption is end-to-end and messages are encrypted by default. It's a good start for sure. I started paying for Proton's premium service and use their email and VPN services daily. Proton, as it is now called, is likely one of the better contenders in the emerging Privacy as a Service model and as far as I have been able to tell, it has a pretty good reputation in general. People in your circle of friends have likely heard of it. It doesn't hurt that they offer a free tier for people just stumbling into this stuff for the first time as well.
Nothing is perfect of course. Proton mentions on their website that end-to-end encryption is only enabled by default only between Proton email accounts, however you can attach your PGP key to email messages by changing your account settings. To be honest, most people are likely not talking about things so sensitive that PGP encryption ought to be on and stay on, and to be honest, really just want to make sure the contents of their messages are not scanned to create ad profiles. It would be better though for Proton to mention this limitation more prominently when you sign up.
In 2021, Proton came under fire for giving up user information when facing a court order. I remember the concern I felt when this story was breaking. A lot of people were very angry that a company that is so openly basing their business on privacy would do something like this. Proton in their defense claimed that under Swiss law, that they are bound to as a Swiss company, they were forced to comply to a demand of a French court as their customers had committed crimes that are also crimes in Switzerland. They were forced to comply or face legal measures, effectively meaning that their servers could have been forcefully seized by the Swiss government.
I understand as a company they didn't have much leeway and had to compromise the privacy of their customers to survive. The company mentioned that IP-addresses and browser fingerprints are not stored "by default" but this case showed that they can be coerced to save this data through court orders. As the Wired article I referred to mentioned, a way to surpass this is by using the Tor browser but depending on your threat model even that may not be enough.
So what do I mean by threat model? Simply, it's just who you're hiding from. For instance, if you don't want your spouse or friends logging into your computer and reading your messages, that is your threat model, and in this case the appropriate actions to take would be to lock your computer when you are not using it and have a password to unlock your computer or phone. It's pretty much as simple as that. There are layers upon layers of threats you can try to counter, going from preventing your acquaintances from snooping on your messages, to stopping hackers from stealing your banking details, to hiding the fact that you buy drugs and you don't want the police finding out. Each scenario has it's own set of actions to keep your messaging private.
In my case for using Proton, what am I trying to achieve? In reality, I just want (1) my email provider not directly reading my email (2) create less data points for large companies to use to create a data profile on me. This leads to the question why I even care about those two points and that may require another blog post. (In short, it's because I don't know what that profile will be used for.)
Does Proton cover the points I mentioned? The answer is yes to the best of my knowledge. Until I am shown evidence to the contrary, I feel Proton's mail and VPN services help me keep up some privacy on these fronts. If I was doing something that would incur the wrath of the state, on the other hand, I would need to completely re-evaluate what a premium Proton account can offer me. If you're reading this and wondering what it would require to actually hide your communications from a nation-state actor, I'm telling you that it's going to require a whole lot more that just buying a service from a company.
Servers are physically always located somewhere and so fall into some justification somewhere and can be seized or searched through court orders. Although most of the time that isn't even needed as most of the information that is needed to track you is gathered by how you use your internet connection and what kinds of data you put out on internet services. The most concerning way you can be tracked is how the people you interact with use the internet. If your being surveilled by a big enough actor, you could encrypt your hard drive and use PGP all day but all it takes is the person you're talking to starts treating privacy as an afterthought and it's game over for you as well. You can be tracked using your internet connection, the computer you use, the browser you use to access the internet, they way you write, the list goes on and on. It's not many people who value their privacy to the point of using single-use burner laptops running Tails OS on Starbucks Wifi.
If you want to pull out the tinfoil, their are people in certain circles that claim Proton is run like a CIA honeypot. This is starting to turn into a conversation about how do you really trust programs written by someone else(in this case, servers run by other people) but I'll save that for later.
I'm not trying to convince you not to use Proton services, as I mentioned, this is a company I give money to every month and feel pretty comfortable using. What I am saying though is not to just assume that Proton, or any privacy company, is going to give you complete privacy if you pay them money. Privacy is a mindset. It's stopping to think what you share, on what platform, and with who, nothing more than that. If you are thinking of using Proton services, think about what you want to share using Proton email and with who. If you're writing to your friends, you're golden. If you are going to start talking to a whistleblower, you are going to need to think a lot more about how you are going to use Proton services, what computers you will use and especially how your counterpart is going to use Proton those very same Proton services. Otherwise, you might run into some serious problems.
Later I might write more about threat models as I think it's an interesting topic that a lot of people would benefit from. I remember reading one too many forum threads where people act as if an email company complying to a court order to get information destroys their trust in that company altogether. I would hope that Proton doesn't take a pro-active stance and starts scanning my documents for potential crimes I've committed but I also know that in reality, any government is going to have to resources to get their hands on information I put out there and it's in my best interests to try to keep that in mind. If at all possible, it's best to protect your privacy yourself and not outsource it to a company.
If you want to respond to this article or give me suggestions on what to write on, send me an email.