Outrun the Bear: ProtonMail is Not for Activists

2017
Английский
History

Original text in English
Michele Gretes for the Civil Liberties Defense Center
2017
cldc.org

“You don't have to outrun the bear” is a security model where you stay safe from predators on camping trips by taking your chain-smoking, out-of-shape buddy along. In case of bear attack, you can feel secure knowing you can outrun your (former) friend. This security model is offered by many Snowden-era startups claiming to provide digital security to the masses. Can this be good enough for activists? Here, we take a look at easy-to-use ProtonMail — and why we at the CLDC can't recommend it (or its security model) for people opposing the powerful.

First off, if you currently rely on ProtonMail for your organizing, please don't feel you need to quit using it straight away. We're not saying it's downright dangerous or totally insecure, or that we have a specific reason to distrust the developers. That said, please, please stop telling other activists to use it. It might be OK for a quick fix when you need something more trustworthy than Gmail or Facebook Messenger. But it's not the right choice for your org's long-term communications security.

Before we get into any technical discussion, the straight-up dealbreakers for activists with ProtonMail are:

  1. There's no clear way to confirm that you are encrypting messages (only) to the right person.
  2. It's a (mostly-)closed system: easy to send private messages inside, but complex or impossible to exchange encrypted emails with people not using ProtonMail. This risks herding diverse movements into a single system for secure comms. Not good, if that system turns out to be not-all-that-secure after all.
  3. The ProtonMail developers say ProtonMail is only trying to help businesses or “Private Citizens with Privacy Concerns” avoid totally untargeted, mass surveillance (in other words, they say they only keep you safer than all those other people who may be prey for the info-hungry bear eagle State). So as an activist who could be targeted for political reasons, you'd have good reason to feel unprotected.

For verifiable, resilient, solidaristic email security, we recommend GPG/OpenPGP (Mozilla Thunderbird+Enigmail plugin[1]) combined with a trusted movement email provider like riseup.net — and if you can, support all of these efforts with money or time. Get in touch if you want a hand getting set up.

And now, the gritty tech details!

ProtonMail claims a number of security and user-experience advantages: end-to-end encryption; the possibility of anonymous accounts; open source (for their client — the app you run — but it's not clear if their server software is all open-source); two-factor authentication; physical and legal protection of their servers (located at CERN, guarded by Swiss privacy laws, for whatever that's worth); simple to use encryption (PM manages encryption keys for you); fancy webmail and custom mobile app; no-cost (freemium). However, in constructing such a slick user experience, a lot of disadvantages are created:

I do really like that ProtonMail offers end-to-end encryption and the possibility to create anonymous accounts — this latter choice is especially important for at-risk activists. The only issue with it is that you might have to refresh your Tor circuit a few times. Two-factor authentication can be a nice layer of protection, too. But fundamentally, its incompatibility with GPG and the ease with which PM could actively attack you to gain access to your encrypted email makes it impossible for us to recommend for anyone at elevated risk.

Once Ed Snowden disclosed the scope and scale of U.S. global surveillance, many folks began to take their digital privacy and security seriously. Not everyone did: “Well I have nothing to hide!” bleated certain liberals and Obama supporters. That might be a fair point. If you're willing to ignore/destroy your Fourth Amendment right to privacy AND totally conform your beliefs, words, and actions to those of an ecocidal/racist/colonial State, then I suppose you might have less to hide. Also, if you don't mind gaining security by making bait out of the masses or your erstwhile comrades, ProtonMail might be for you! But when you decide to take solidarity-minded, effective action in defense of our planet and its peoples and creatures, making good secure-tech choices is worth thinking about carefully. Get in touch. We can help you prepare.

And remember, there is no such thing as total security these days when it comes to digital communications. It is imperative for our movements to take ourselves and our political organizing seriously, which means keeping up to date on the best practices available to us. Become a CLDC member and support our continued efforts to provide digital security expertise for activists. Check out our digital defense posts for updates often and regularly!


1. 

No Trace Project (N.T.P.) note: As of 2021, the Enigmail plugin is not required anymore, because the PGP functionality it provided has migrated into Thunderbird.

2. 

N.T.P. note: As of 2021, it is now possible for ProtonMail users to exchange encrypted messages with non-ProtonMail users using PGP. However, the other reasons for not using ProtonMail are still valid.

3. 

N.T.P. note: As of 2021, it is possible to use ProtonMail with a local email client, but it requires a “Plus” ProtonMail account at 4€/month.