Outrun the Bear: ProtonMail is Not for Activists

by Michele Gretes for the Civil Liberties Defense Center (cldc.org)

"You don't have to outrun the bear" is a security model where you stay safe from predators on camping trips by taking your chain-smoking, out-of-shape buddy along. In case of bear attack, you can feel secure knowing you can outrun your (former) friend. This security model is offered by many Snowden-era startups claiming to provide digital security to the masses. Can this be good enough for activists? Here, we take a look at easy-to-use ProtonMail–and why we at the CLDC can't recommend it (or its security model) for people opposing the powerful.

First off, if you currently rely on ProtonMail for your organizing, please don't feel you need to quit using it straight away. We're not saying it's downright dangerous or totally insecure, or that we have a specific reason to distrust the developers. That said, please, please stop telling other activists to use it. It might be OK for a quick fix when you need something more trustworthy than Gmail or Facebook Messenger. But it's not the right choice for your org's long-term communications security.

Before we get into any technical discussion, the straight-up dealbreakers for activists with ProtonMail are:

  1. There's no clear way to confirm that you are encrypting messages (only) to the right person.
  2. It's a (mostly-)closed system: easy to send private messages inside, but complex or impossible to exchange encrypted emails with people not using ProtonMail. This risks herding diverse movements into a single system for secure comms. Not good, if that system turns out to be not-all-that-secure after all.
  3. The ProtonMail developers say ProtonMail is only trying to help businesses or "Private Citizens with Privacy Concerns" avoid totally untargeted, mass surveillance (in other words, they say they only keep you safer than all those other people who may be prey for the info-hungry bear eagle State). So as an activist who could be targeted for political reasons, you'd have good reason to feel unprotected.

For verifiable, resilient, solidaristic email security, we recommend GPG/OpenPGP (Mozilla Thunderbird+Enigmail plugin) combined with a trusted movement email provider like riseup.net - and if you can, support all of these efforts with money or time. Get in touch if you want a hand getting set up.

[Note from CSRC: as of 2021, the Enigmail plugin is not required anymore, because the PGP functionality it provided has migrated into Thunderbird.]

And now, the gritty tech details!

ProtonMail claims a number of security and user-experience advantages: end-to-end encryption; the possibility of anonymous accounts; open source (for their client - the app you run - but it's not clear if their server software is all open-source); two-factor authentication; physical and legal protection of their servers (located at CERN, guarded by Swiss privacy laws, for whatever that's worth); simple-to-use encryption (PM manages encryption keys for you); fancy webmail and custom mobile app; no-cost (freemium). However, constructing such a slick user experience creates a lot of disadvantages:

  • A) Security issues
    1. ProtonMail wants to make strong, end-to-end encryption completely invisible to the user. They do this by managing all encryption keys for you on their server. This means that there is no way to independently confirm (like we recommend you do for Signal) that you are using the authentic keys for your contacts.
    2. This is a security weakness because it allows the ProtonMail server (if ProtonMail were so compelled) to send you an alternative key that would encrypt to someone else (an eavesdropper) - this is the same design flaw present in Apple's iMessage.
    3. The JavaScript that does the encryption is sent to you each time you open a web browser, making it easy for ProtonMail to target an attack against you.
    4. Even if ProtonMail isn't evil and wouldn't do these things, the ProtonMail server could be compromised by a State or corporate attack (via legal or extra-legal channels) and made to do these things.
  • B) Centralized design
    1. You can only exchange encrypted messages with other ProtonMail users (locking your community in to ProtonMail). [Note from CSRC: as of 2021, it is now possible for ProtonMail users to exchange encrypted messages with non-ProtonMail users using PGP. However, the other reasons for not using ProtonMail are still valid.]
    2. If all political activists jump onto the same email bandwagon it may make that wagon a bigger target for State and Corporate surveillance and/or Neo-Nazi attacks as compared to GPG email encryption, which lets you use your existing email address and spread the target, eliminating a single point of failure for social movements.
    3. ProtonMail doesn't work with a local email client (IMAP), so you can't use it with our recommended option (Thunderbird/Enigmail GPG). There is a Closed-Source Beta IMAP Client in the works that will let you use an email client, but there's no way right now for anyone to assess its security. [Note from CSRC: as of 2021, it is possible to use ProtonMail with a local email client, but it requires a "Plus" ProtonMail account at 4€/month.]
    4. You have to rely entirely on PM servers to play nice. (Someone is working on a project to run your own PM server if you wanted to, but this effort is unsupported by PM itself, and we haven't examined how well it works or how secure it is.)
    5. PM doesn't issue a warrant canary, which is a way for online service providers to reliably let their users know if they have been compromised in the event they are served with a warrant or other court order containing a gag order. (Riseup does this.)
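
The independent key check that items A1 and A2 say is missing, shown as an added example (not from the original article or from any project it names): it computes an OpenPGP version 4 key fingerprint as defined in RFC 4880 and compares it with one confirmed out of band, so a key swapped in by the server is rejected. The key material, timestamp and function names are constructed for illustration.

```python
import hashlib
import struct


def v4_packet_body(created, algo, mpis):
    """Build an OpenPGP v4 public-key packet body (RFC 4880, section 5.5.2)."""
    body = struct.pack(">BIB", 4, created, algo)
    for n in mpis:
        # An MPI is a 2-byte bit count followed by the big-endian integer.
        nbits = n.bit_length()
        body += struct.pack(">H", nbits) + n.to_bytes((nbits + 7) // 8, "big")
    return body


def v4_fingerprint(body):
    """RFC 4880, section 12.2: SHA-1 over 0x99, 2-byte length, packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet")
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()


def normalize(fpr):
    """Strip the spaces or colons people add when printing or reading aloud."""
    return "".join(ch for ch in fpr.upper() if ch in "0123456789ABCDEF")


def key_matches(body, out_of_band_fpr):
    """True only if the served key hashes to the fingerprint confirmed out of band."""
    expected = normalize(out_of_band_fpr)
    if len(expected) != 40:  # refuse short key IDs; only the full fingerprint counts
        return False
    return v4_fingerprint(body) == expected


# Constructed sample data: these integers stand in for RSA (n, e), not real keys.
CREATED = 1500000000
contact_key = v4_packet_body(CREATED, 1, [(1 << 2047) | 0x1234567, 65537])
substituted_key = v4_packet_body(CREATED, 1, [(1 << 2047) | 0x7654321, 65537])

# Fingerprint as the contact would read it out in person, in groups of four.
fpr = v4_fingerprint(contact_key)
spoken = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))

if __name__ == "__main__":
    print("contact's key accepted:         ", key_matches(contact_key, spoken))
    print("server-substituted key accepted:", key_matches(substituted_key, spoken))
```

The comparison only protects you when the expected fingerprint arrives over a channel the mail server does not control, such as in person or over a verified Signal conversation.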

I do really like that ProtonMail offers end-to-end encryption and the possibility to create anonymous accounts–this latter choice is especially important for at-risk activists. The only issue with it is that you might have to refresh your Tor circuit a few times. Two-factor authentication can be a nice layer of protection, too. But fundamentally, its incompatibility with GPG and the ease with which PM could actively attack you to gain access to your encrypted email make it impossible for us to recommend for anyone at elevated risk.

Once Ed Snowden disclosed the scope and scale of U.S. global surveillance, many folks began to take their digital privacy and security seriously. Not everyone did: "Well I have nothing to hide!" bleated certain liberals and Obama supporters. That might be a fair point. If you're willing to ignore/destroy your Fourth Amendment right to privacy AND totally conform your beliefs, words, and actions to those of an ecocidal/racist/colonial State, then I suppose you might have less to hide. Also, if you don't mind gaining security by making bait out of the masses or your erstwhile comrades, ProtonMail might be for you! But when you decide to take solidarity-minded, effective action in defense of our planet and its peoples and creatures, making good secure-tech choices is worth thinking about carefully. Get in touch. We can help you prepare.

And remember, there is no such thing as total security these days when it comes to digital communications. It is imperative for our movements to take ourselves and our political organizing seriously, which means keeping up to date on the best practices available to us. Become a CLDC member and support our continued efforts to provide digital security expertise for activists. Check out our digital defense posts for updates often and regularly!