Like many of you, we have seen the story this weekend where it was revealed that ProtonMail was being used by White House staff.
As a matter of policy, we never comment on individual accounts, so we will not confirm nor deny the authenticity of this account. And while we were hoping to not have to comment at all, after two days of silence, there are some misconceptions that we now feel are necessary to correct.
Don’t be a password idiot
First of all, just to get it out of the way, don’t be a password idiot. Do not write your password down on a piece of paper and then lose that piece of paper. Also, enable two factor authentication. Without good password practices, no amount of encryption will keep your data secure. We highly recommend reading our email security guide. In other words, don’t be this guy:
— Sam Biddle (@samfbiddle) March 17, 2018
Wanting more security is not suspicious
It is incorrect to say that using ProtonMail implies you have “something to hide.” ProtonMail provides more security and privacy compared to Gmail or other email services, and security is desirable for practically anyone that uses the internet.
What makes ProtonMail more secure is that we use zero knowledge encryption and end-to-end encryption, which means that we do not have access to your emails, and an adversary which breaches our systems also cannot decrypt the emails stored on our servers. We cannot read your emails, we cannot share data with third parties, and we do not do business with advertisers who want your data. We comply fully with both Swiss and EU privacy regulations, including the upcoming GDPR legislation.
Encryption doesn’t prevent the creation of records
There is a broadly held misconception that encryption is being used to prevent the creation of government records. This is technologically incorrect. Encryption does not prevent the creation of records. If anything, it is an important tool for improving the security of records.
As it pertains to the Trump administration’s use of ProtonMail, the actual issue is whether or not non-governmental accounts are (allegedly) being used for government work. This is an entirely separate issue that has nothing to do with encryption, and it is a mistake to confuse the two.
It is also important to note that it is not illegal for government officials to possess private email accounts (ProtonMail or otherwise) for personal use, and the presumption should be innocent until proven guilty.
Encryption is not about hiding, it is about securing
Encryption by itself generally does not permit a government official to hide communications. Emails, encrypted or not, can be subject to subpoenas. The difference is that when it comes to encrypted emails, it is not possible to obtain them from the service provider, and instead the subpoena must be served to the individual or organization under investigation. This is the way that things should be, and is far better than the alternative (prohibiting the use of encryption), which would weaken security for everyone, treat all users as guilty until proven innocent, and leave data vulnerable to leaks and breaches.
Like all services, ProtonMail can be used both legally or illegally, but there is nothing out of the ordinary with possessing an account. Millions of people use ProtonMail, including journalists, activists, doctors, lawyers, businessmen, and people from all walks of life. Our technology is used to protect online freedom, keep societies democratic, and provide improved cybersecurity. While we may not always agree with all of our users, we are committed to keeping ProtonMail accessible to all who use it in a lawful manner.
The ProtonMail Team