A brief intro to ProtonMail’s design philosophy

A couple days ago, one of the first reviews of ProtonMail showed up on the web, the review I’m referring to can be found here:


We were actually a bit surprised to see this since ProtonMail is still in a very limited beta. At the moment, ProtonMail accounts are still relatively exclusive since we haven’t fully opened up a public beta yet.

Anyways, returning to the review, we found it to be fair but at the same time a bit troubling because a number of the characteristics of ProtonMail we were faulted for were actually things we had intentionally built in. It was almost as if the reviewer had missed the point of ProtonMail.

Upon reflection, this is not the fault of the reviewer, it seems we have never fully explained the design philosophy behind ProtonMail. So briefly below, I will lay out our main objectives while responding to some criticism made by our very first reviewer.

1.  Make encryption easy to use.

In truth, there is not a whole lot that ProtonMail does that is not already accomplished by PGP, at least from a security standpoint. But, to quote what Bruce Schneier said to us when he visited MIT, “all PGP has demonstrated is that even one click is too much”.

Basically, security is not useful if it is not easy enough for mass adoption. It is simply difficult to convince people to adopt a higher standard of security if it forces them to do more work. So from day one, the principle guiding our architecture was that the end product cannot be more complex than Gmail.

And in the end, I think we have accomplished that. Encryption in ProtonMail is end-to-end, like PGP, but at the same time, completely invisible to both recipient and sender. What we gave up to accomplish that however, and what the reviewer faulted us for, is compatibility with PGP. In effect, we cannot easily abstract away the complexity of a system like PGP while maintaining backwards compatibility with it.

The keyword in the above sentence actually is ‘easily’. It is actually possible in our architecture to support PGP, but in the end, we decided this was less of a priority because our end goal is a more secure internet. The current users of PGP already benefit from end-to-end encryption and don’t need our help. What we really want to provide is privacy for the much larger segment of the population that isn’t sophisticated enough to use PGP.

2.  Trust the user not to be stupid.

Our reviewer pointed out that we don’t have a password length requirement, and we don’t have an auto logout. I think it is common knowledge nowadays that you using a password like ‘1234’ or ‘1111’ is NOT a good idea. But it is also NOT a good idea to force a user to use a password like ‘yYbkza#NGMeAW_kE21fxeQbB’. At that point, a user would simply find ProtonMail too much of a hassle to use. What we try to do is take the middle road. When you go to set your password when creating your ProtonMail account, we will tell you whether your password is strong or weak, and then let the user make the final decision. Our philosophy here is simple, we trust that our users are not stupid, but we’re not going to turn you away either if you are stupid.

As for the auto logout….early Alpha builds of ProtonMail had a 10 minute auto logout. As somebody who was using it day in and day out for all of my email communications, you should trust me when I say a 10 minute logout is incredibly annoying and does NOT enhance the product.

3.  Give the user control

The reviewer pointed out that encrypted messages to outside users do not instantly destruct. This again, is intentional. Instead of instant destruction, we give the sender control over when they want the message to destruct (or if they want it to destruct at all). So you can fine tune the time for each email. Right now, the minimum is 1 hour from the time the message is sent, but in the future, we will also be adding the option for instant destruction once the message is read.

And, one final loose end…

The reviewer pointed out that we are not audited by third parties. Actually, we have been audited by the computer security staff at CERN (European Center for Nuclear Research), that’s actually where half of our developers work. But better yet, you can audit ProtonMail yourself. Our front-end JavaScript encryption/decryption codes are sent to browsers uncompressed, a simple view source and you can see our source code!

We look forward to continuing to improve ProtonMail so don’t hesitate to send us comments or suggestions!



About the Author

Andy Yen

Andy is the Founder and CEO of ProtonMail. Originally from Taiwan, he is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and received his PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

14 comments on “A brief intro to ProtonMail’s design philosophy

  • Hello,

    Most of the criticisms I made about ProtonMail (PGP, password strength, automatic logout) reflect my personal opinion about certain features, it doesn’t necessarily mean that everybody is going to want them, it only means I personally would prefer it that way.

    I have now modified the post to reflect that ProtonMail has been audited as I was not aware of this.

    Best of luck with ProtonMail, looking good for an early beta.

  • I understand your approach of using PGP-based technology while not maintaining backwards compatibility with PGP in the interest of users not familiar with PGP. But what about those who don’t want to bother with PGP and still want the chance to communicate in a secure way with users of other services who do have PGP?

    It seems that ProtonMail is about to establish a isolated system with no secure ties to the rest of the world. This may be a business decision, but one I can’t understand, I’m afraid.

    • So there is nothing preventing you from sending and receiving PGP messages just like you might in Gmail, we just don’t natively add support for it using the keys we generate for our users. So you could use PGP with another key pair that you already have. This may in fact be safer.

    • Spam is only a problem with encrypted messages which we can’t read, but this is easy to fix. If a ProtonMail account gets flagged as spam too many times, we simply lock that account from further sending.

  • Is email sent from outside (expl. from gmail) to protonmail encrypted on your servers too? How are you not able to read those email messages since they are delivered unencrypted from the sender?

    • Our servers can read the messages incoming from outside when they come in, there’s not much we can do about that. It is also irrelevant because an unencrypted copy of that message is probably saved in the sender’s outbox as well. That’s why we hope to eventually get to the point where everybody uses ProtonMail for complete security.

  • Hacker10 made some decent observations. If you worked in an enterprise environment with (at least average) security policies you would know.
    In short, he made free constructive criticism for you guys and for your users too.

    It looks like you have an expert answer to any legit question, including spam. That is a bit arrogant while you rely on sendgrid.net email marketer to deliver your messages.
    Having deliverabiliy needs proves you don’t have much experience in emailing.
    Hence, before encrypting an email service you need deep experience in emailing. That will take you years or you need to pay for it.

    Your email server has no protection against incoming spam – not even a basic one.
    Outgoing spam is a serious problem which your previous answer on this topic simply tells you ignore it. Big companies like Google, Yahoo are still struggling in certain cases. That complicated is to keep spammers away from creating accounts.

    You’ll need only one spammer sending spam from your system and all your users will not be able to send out any message.

    At your unproved experience would be great to watch how you’ll prevent that in a content encrypted environment. Spammers are anything, but not stupid! You are about to provide them an imaginable “weapon” which they will use and destroy in a matter of minutes.

  • I think PGP compatibility should be a high priority issue. Without it you are building a walled garden of ‘protonmail-specific’ encryption.

    There’s a major flaw in your “The current users of PGP already benefit from end-to-end encryption and don’t need our help” argument. And that is that both parties have to be encryption-capable in order for PGP to be of any use. If I use PGP and want to communicate securely with Alice who doesn’t, I’m not really benefiting from end-to-end encryption. I’d like to be able to tell her “just get an account at protonmail, and we’ll be good to go”, rather than having to either (a) walk Alice through setting up pgp, or (b) opening up a separate protonmail account for myself, even though I’m perfectly happy with whatever accounts I already have + pgp.

    So… FWIW, I urge you to reconsider your pgp compatibility stance.

    • Yes, we do intend to build in PGP compatibility, it is just not the highest priority right now. But we will eventually get around to doing it.

      • methinks it should be your highest priority. yes, it may be a bit more hassle but pgp has a huge base, and if you make it painless to use and compatible with other pgp platforms, you will have a huge advantage. otherwise, sorry, nobody but a few groups consisting of members who want to talk to each other and nobody else will use your stuff.