Clarifying ProtonMail and Huawei

As there has been a lot of inaccurate information circulating online about ProtonMail and Huawei, the purpose of this blog post is to clarify the facts and provide information to the Proton community.

Background

On September 5th, 2019, we announced that we would be bringing ProtonMail to the F-Droid alternative app store as part of our push to support alternative distribution channels in addition to Google Play, for users who either don’t want to or can’t use Google. In our announcement, we mentioned three other alternatives that we are considering supporting (these are being considered, so a final decision has not been made). The other options listed were the Samsung Galaxy Store, the Amazon App store, and the Huawei AppGallery.

This part of our announcement caught the attention of Bloomberg, which published an article on September 6th saying that ProtonMail was in talks with Huawei about a potential “partnership”. This is a misunderstanding of the situation: just as being in the Apple App Store or the Google Play store does not imply that we are “partnering” with Apple or Google, this does not imply we are “partnering” with Huawei. Unfortunately, in the past 48 hours, this story has gained a significant amount of traction online, and continues to be misinterpreted by many people. Because of that, we would like to add some clarifications.

What is ProtonMail discussing with Huawei?

As stated above (and also in our original post), our discussions with Huawei are about continuing to make ProtonMail available to users who have Huawei devices. Today, ProtonMail is already available on Huawei, as our Android app is distributed on Huawei devices through the Google Play store, so in terms of supporting Huawei devices, there is no change from the current situation.

What is changing is that in addition to making ProtonMail available to Huawei users through Google Play, we may also make ProtonMail available through the Huawei AppGallery.

Why support Huawei AppGallery?

Today, there are already hundreds of thousands of people using Proton services on Huawei devices through Google Play. However, due to an ongoing dispute between the US and China, it is possible that all Huawei devices globally (not just the devices in China) would no longer have access to the Google Play store, making it impossible for Huawei device users to download or update the ProtonMail app. As Huawei devices are especially popular in developing countries where Proton has many users (Huawei is the world’s second largest mobile device manufacturer), publishing on the Huawei AppGallery could become essential to continue supporting these user communities.

Note that, unlike what some have alleged, this does not indicate a shift in current policy, as today we already offer support for Huawei devices. This is, therefore, a question about whether or not we will continue to support Huawei devices going forward.

Will supporting Huawei devices put ProtonMail under Chinese control?

First, we want to reiterate that regardless of our decision regarding Huawei AppGallery, there is no change today as it is already possible to use ProtonMail with a Huawei device. Thus, the actual question is: “to what extent can China influence companies which offer services to its citizens?”. The answer to this question is completely independent from Huawei AppGallery.

The applicable Chinese law is the China Internet Security Law, which came into force in 2017. The law essentially stipulates that foreign companies which operate in China and process the private information of Chinese citizens must store such data in China and make it available to Chinese authorities upon request. An example of a company which has had to comply with this law is Apple, which has extensive operations in China. A similar law went into effect in Russia back in 2015 (known as Federal Law No. 242-FZ).

Proton does not have offices, employees, subsidiaries, or any permanent establishments in China or Russia, and even if the authorities in these countries considered us to be within the law’s scope, these laws cannot be enforced against us. Indeed, this is what happened in Russia in 2018 when the Federal Service for Supervision of Communications (Roskomnadzor) attempted to apply the Russian law to ProtonMail, with the threat of being banned from Russia if we did not comply. In this case, we politely declined to comply on the grounds that we do not operate in Russia.

Proton’s position on this is clear, and has never wavered from day one. As a Swiss company, when it comes to the data of Proton users, we will only comply with the laws of Switzerland, the jurisdiction of our headquarters and where all of our servers are located. As we have always consistently stated in our terms and conditions and privacy policy, any requests which fall outside of Swiss law will be politely refused. That is not to say that we ignore foreign law enforcement requests and provide a safe haven for criminals; it’s just that we require all matters regarding Proton users to be adjudicated in Switzerland, through established international legal assistance channels.

Is it safe to use ProtonMail on Huawei devices?

As with any question of safety, the answer depends primarily on your threat model and who you trust. Depending on the user, Google may be more trustworthy than Huawei or vice versa, or perhaps both Google and Huawei are untrustworthy. The fact remains that Google’s Android OS powers 87% of mobile devices, and Huawei is the world’s second largest mobile device manufacturer, so these near monopolies are not avoidable for many people. We are committed to growing the Proton ecosystem to eventually offer a safe and private choice to everyone, fully independent from these monopolies, but even then, we cannot and should not eliminate user choice lest we become a monopoly ourselves.

With regard to the concerns that many in the ProtonMail community may harbor (and which we also share to some extent), we believe that adding a second distribution model on Huawei devices in addition to Google Play isn’t inherently more or less secure with regard to the risks of Chinese spying. Mobile device security is intimately connected to the preloaded operating system, so whether it is Apple, Samsung, Google, or Huawei, regardless of how you download your apps, you are also relying on your device manufacturer to safeguard your privacy.

Another way to say this is, only you can decide if you trust Huawei or not, and if you don’t trust Huawei, don’t use a Huawei device, and don’t download ProtonMail from Huawei AppGallery. We just don’t think it makes sense to preemptively drop support for users who may not have a choice in this matter.

What about China’s policies and human rights violations?

At ProtonMail, Swiss neutrality is one point that we take a lot of pride in. However, our views about human rights, online freedom, and democracy are well known. Words are empty in this regard, so we would prefer to let some of our past actions speak for themselves.

In the past years, we have trained journalists at the Second Asian Investigative Journalism conference, developed one of the world’s most widely used open source encryption libraries, and helped force a nationwide referendum on Swiss surveillance laws. We’ve spoken about privacy at TED and at a United Nations conference about combating terrorism while protecting human rights online. We recently worked with Reporters Without Borders Berlin to sponsor a scholarship program for journalists, and also provided funding for the largest independent news outlet in Belarus.

There are not many who believe more strongly in privacy and freedom than us. Just like our support for Google Play does not mean that we agree with Google’s position on privacy (in fact, we have condemned it strongly), supporting Huawei does not imply that we agree with China’s position on a number of issues. Our goal has always been to make privacy accessible to as many people as possible, and we just don’t think that goal is best served by cutting off support for the hundreds of millions of people who use Huawei devices.

Conclusion

We hope this offers more clarification and context to the community about this matter. As per our usual policy of full transparency, any decision that is made will always be announced to the Proton community on this blog. We also welcome your input in the comments below or on social media.

Best Regards,
The ProtonMail Team

About the Author

Andy Yen

Andy is the Founder and CEO of ProtonMail. Originally from Taiwan, he is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and received his PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.

 


8 comments on “Clarifying ProtonMail and Huawei”

  • See, this kind of transparency and responses to incorrect information are one of the reasons I love you guys, and subscribe to most of your services. The idea that you’d suddenly compromise your zero-knowledge architecture and design just to try to be in the Chinese market is ridiculous, and irresponsible for media outlets to imply. Keep up the good work, and try to shout down the propaganda!

  • Very interesting choice of partnering with Huawei. This means that when you submit an app to the Huawei store the company will have full access to your source code and be able to analyse and find weaknesses in it.

    This is of course already what happens with Google and Apple, but they haven’t been accused of giving the source code of their products to the Chinese security services like Huawei has.

    I wonder what repercussions this will have for users using other software stores like Google – will the source code you disclose to Huawei be materially different than the one you give to Google, so that any vulnerabilities will only be limited to Huawei devices?

    • Hi John! Thanks for your feedback. We’re still considering the implications of publishing the ProtonMail app in the Huawei store, and we haven’t made a final decision yet. However, the issue you describe isn’t a concern because we plan to open source our mobile apps in the near future anyway.

  • With the current issues we have with Huawei, I do not support this partnership. Very serious privacy issues at stake. I will not be using ProtonMail until this is resolved and we have a definite answer of “No” partnership with Huawei.

  • Well said and good on you for being a leader in a world full of wolves.

    This is not just an article about clarification on your position within a difficult landscape, it is more importantly an article about human rights and freedom from the ongoing onslaught of bad actors.
    Your response is a model template for how to deal with any position of aggression and misinformation.

    My only question now is, “How can I contribute to this project further?”
    We need more companies and people like Andy Yen leading the world.

    Thank you.

  • Your response, while helpful, does not address the possibility that the app could be technically compromised by being made available through the Huawei App Store. Are you confident that ProtonMail can mitigate this risk, either in general or for particular users who might be targeted?

  • The main threat I see is the distribution platform swapping the apk file you send with one they build that includes a trojan. How do you counter that? Regular checks that the build is similar are feasible, but let’s imagine they detect that the bot doing that is from one specific location (or several ones that they can identify); the platform can trick you and send different apks to different IPs.
    I’m not saying it’s fundamentally changing from Google Play Store (the NSA could trick specific people too with Google not having a word to say I guess), but this kind of attack could really damage ProtonMail’s image.
    Anyway, the best way to counter that (without building apks ourselves) is to download from F-Droid! Looking forward!
