UPDATE April 3, 2020: The information in this article is outdated. As of last year, we no longer have any contract with Radware.
ProtonMail is one of the only email providers that provide comprehensive DDoS protection. In order to provide this protection, we have partnered with Radware, one of the leaders in DDoS protection. Recently, malicious rumors have surfaced that our partnership with Radware means Israel has compromised ProtonMail email privacy (since Radware’s international headquarters is in Israel). These rumors have mostly been spread by conspiracy theorists who don’t understand ProtonMail’s technology at all.
These rumors are categorically false and stem from a fundamental misunderstanding of how ProtonMail’s DDoS protection works. ProtonMail protects against DDoS attacks by using BGP redirection and GRE tunnels. This means that Radware only handles incoming traffic, and all incoming traffic is encrypted. Both encryption layers (SSL and ProtonMail’s OpenPGPjs) are intact in this solution. That’s why we picked BGP redirection instead of less expensive DNS-based DDoS protection systems like Cloudflare. In other words, Radware only sees encrypted packets and nothing else. Furthermore, we only send traffic to Radware when ProtonMail is under DDoS attack. During normal conditions, traffic is routed normally through Zurich and Radware doesn’t even see encrypted ProtonMail network traffic.
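What a device on the tunnel path can read from a GRE-encapsulated TLS packet without the TLS session keys, as an added example that is not ProtonMail's or Radware's code. The packet is constructed, the addresses come from documentation ranges, the GRE header is assumed to be the basic 4-byte form with no options, and all function names are hypothetical.

```python
import ipaddress
import struct

def ipv4(src, dst, proto, payload):
    # 20-byte IPv4 header; checksum left at 0 in this constructed sample
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_sample():
    # Constructed packet: one TLS application-data record inside TCP/IPv4 inside GRE
    ciphertext = bytes(48)  # placeholder for the encrypted record body
    tls = struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + tls
    inner = ipv4("198.51.100.7", "203.0.113.10", 6, tcp)
    gre = struct.pack("!HH", 0, 0x0800) + inner  # no GRE options, payload is IPv4
    return ipv4("192.0.2.1", "192.0.2.2", 47, gre)

def parse_ipv4(buf):
    # Return source, destination, protocol number and the bytes after the header
    ihl = (buf[0] & 0x0F) * 4
    src, dst = (str(ipaddress.IPv4Address(buf[i:i + 4])) for i in (12, 16))
    return src, dst, buf[9], buf[ihl:]

def visible_metadata(packet):
    """Return the fields readable on the tunnel path without TLS session keys."""
    t_src, t_dst, proto, rest = parse_ipv4(packet)
    if proto != 47:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", rest[:4])
    if flags != 0 or ptype != 0x0800:
        raise ValueError("only option-free GRE carrying IPv4 is handled")
    src, dst, proto, rest = parse_ipv4(rest[4:])
    if proto != 6:
        raise ValueError("inner packet is not TCP")
    sport, dport = struct.unpack("!HH", rest[:4])
    record = rest[(rest[12] >> 4) * 4:]  # skip the TCP header using its data offset
    ctype, version, length = struct.unpack("!BHH", record[:5])
    return {
        "tunnel": (t_src, t_dst),
        "client": (src, sport),
        "server": (dst, dport),
        "tls_record": {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                       23: "application_data"}.get(ctype, "unknown"),
        "tls_version": hex(version),
        "opaque_bytes": length,  # record body: ciphertext, not parsed further
    }

if __name__ == "__main__":
    print(visible_metadata(build_sample()))
```

The parser stops at the 5-byte TLS record header: addresses, ports and record sizes are readable, while the record body stays an opaque byte count.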
The statement that ProtonMail traffic is proxied through Israel is also false. When traffic is redirected during a DDoS attack, ProtonMail traffic goes through DE-CIX in Frankfurt, Germany. This can be seen by doing an IP lookup of the last hop of the traceroute. The IP address is at DE-CIX, so traffic passes through Frankfurt (subject to German data privacy laws) and NOT Israel. However, as discussed above, even IF the traffic did pass through Israel, the DDoS protection technology we have selected means there would be no compromise to ProtonMail email privacy.
We take privacy seriously at ProtonMail, which is why we carefully designed and implemented a DDoS protection scheme that would not lead to ANY weakening of privacy. The solution we have implemented protects privacy on a technical level, so that no DDoS protection company, regardless of where they are based, can compromise our email privacy. Thus, ProtonMail offers the best of both worlds: comprehensive DDoS protection without sacrificing privacy.
On a related note, we have also had people ask us about ProtonMail’s official position regarding the ongoing Palestinian-Israeli conflict and whether working with an Israeli company means we are taking sides in this conflict. The answer is NO. As a Swiss company, we adhere to a policy of strict neutrality. The only position we take is that security and privacy are fundamental human rights which should be guaranteed for all.
When picking companies to partner with, we only consider two criteria:
- Does the proposed solution meet our technical requirements regarding security and privacy?
- Does the proposed solution meet our budget constraints, given that ProtonMail is largely supported by donations?
When viewed entirely objectively, Radware satisfies both conditions, which is why we entered a partnership with them. While many conspiracy theorists have criticized our partnership with an Israeli company, many of these same people miss the fact that we also partner with Cyberkov, a company from Kuwait that is very active in helping Palestinian dissidents (https://cyberkov.com/partners-references/). This is in fact a long-running partnership dating back to June 2014, which well predates partnering with Radware.
In fact, it is due to this partnership that ProtonMail was wrongly attacked by the US media as being used by ISIS. Thus, the inference that we don’t support Palestinian activists is not only entirely false, it ignores the large risks we continue to take to support that community with Cyberkov. We believe that selectively boycotting companies solely based on nationality and government policies that companies cannot control is not only incorrect, but counter to the principles which ProtonMail is based upon. For these reasons, we remain fully committed to maintaining our neutrality and protecting privacy rights for all groups.