ProtonMail security promise

2014-05-30 00:00:00 +0100

While I can only praise any new attempts to build usable, cryptography-enabled email service I doubt that ProtonMail is really able to deliver all the privacy promises it declared. Everyone has read these action novels about “password-protected Swiss bank accounts” and for years Switzerland indeed enjoyed an image of country specialised in high-profile financial services and focus on protecting bank secrecy. This is probably why over the last few years we saw a number of security-related startups riding the “made in Switzerland” image.

ProtonMail is a new security and privacy enabled webmail provider which gained some publicitly recently on the wave of the “collect it all” panic. Here’s their PR side:

If you really don’t like the idea of the government (or anyone but the recipient for that matter) reading your email, you may want to check out ProtonMail, a new email service which claims to be immune from prying eyes. (Gigaom)
Our servers are all located in Switzerland and our company is also incorporated in Switzerland. Being Swiss based has the advantage of being beyond the reach of US and EU surveillance laws and regulations. As a result, we can offer an even higher level of legal privacy protection compared to companies based in German or France where there the governments have broader surveillance powers. (...) Requests from law enforcement are ignored unless they are accompanied by an enforceable Swiss court order. These court orders are extremely difficult to obtain as the case must first work its way through the Swiss legal system which has strong privacy protections. And even then, we do not have access to user encryption keys so any data we do turn over would be encrypted. (Freedom Hacker)

But then, if you actually go and read Swiss surveillance laws, they are pretty much like in every other civilised country. And this is something they actually clearly state on their website:

All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and entities. Only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have. (ProtonMail)

So how is that different from legal surveillance laws in US or EU countries? And how does the Swiss data retention policies differ from those in the EU? I see no difference.

And let’s be clear — I fully support any project that intends to bring a more usable cryptography to the masses as it’s usablity that we need rather than more cryptographic protocols. What ProtonMail offers from functional security point of view looks pretty much like what HushMail offered back in 1999, during the first iteration of the mass surveillance paranoia, which was called ECHELON these days.

HushMail offered client-side encryption, “we don’t see your data”, if you forget your password we wont’t be able to recover your password, exactly what ProtonMail says. And they were located in Canada, which was seen as a safe-haven from US crypto export laws (true) and surveillance laws (false).

On Wikipedia you can read pretty good description of what happened next (more details on Cryptome). And it was not really an one single, huge incident or complete shutdown. They were forced by Canadian court orders to provide details of communications of specific persons, and they complied. It’s less important how they did it — whether by modifying their Java client to compromise users’ privacy, whether by forcing them to use the less secure server-side encrypting SSL interface. It was quite obvious that they will do this — or face same fate as brave Ladar Levison from LavaBit did.

There is another bit that makes me a bit skeptic about ProtonMail. The original HushMail was Java applet for client-side encryption (pretty much as more modern Wuala storage engine), which meant that the full encryption engine was running on your computer in self-contained environment of the Java virtual machine. What is ProtonMail using for client-side crypto? They don’t state it explicitly, but this citation from CryptoCoin News suggest this might be JavaScript:

All of our encryption and decryption code is viewable to anyone in their web browser by doing a simple “View Source” click. Nothing is compressed, which means it will take an extra half second to load, but on the upside it’s fully viewable and auditable in real-time! Also, we plan to open-source key parts of our code as well later on.

JavaScript is completely unlike Java and it’s probably the worst programming language to implement cryptography. I can’t really see how they could fullfill the “we don’t see your data” promise using JavaScript as these are hundreds of easy ways to do this, way easier that in case of Java application.

And then there is this piece…