ProtonMail Surpasses 50 Million Users

ProtonMail, the end-to-end encrypted email provider, has officially announced it has exceeded 50 million users worldwide, coinciding with its seventh anniversary.

A Milestone for Privacy

This represents a significant achievement for a service provider deliberately designed without a data-driven business model. Instead, ProtonMail operates on a privacy-focused principle of zero-access architecture.

This architecture ensures the company possesses no capability to decrypt the content of emails sent by its users.

Total Users Across Products

It’s important to note that the 50 million+ user count encompasses all of ProtonMail’s products, including its VPN service. A specific breakdown of email users versus users of other products was not disclosed.

CEO Statement on the Shift in Privacy

Andy Yen, founder and CEO, commented on the evolving perception of privacy. He stated that the discussion surrounding privacy has undergone a rapid transformation in recent years.

Privacy has transitioned from being a secondary consideration to a central theme in conversations about the future of the Internet.

Yen further explained that Proton has evolved from a crowdfunded concept for a better Internet to a leading force in the global privacy movement.

An Alternative to Surveillance Capitalism

ProtonMail presents itself as an alternative to the surveillance capitalism model employed by major Silicon Valley technology companies.

This allows the company to prioritize the needs of its users and society as a whole.

Expanding Product Suite

Founded in 2014, ProtonMail has expanded its offerings beyond email to include a suite of privacy-focused products.

These include a VPN service and a calendar application, Proton Calendar.

Additionally, a cloud storage service, Proton Drive, is scheduled for public release later this year.

Zero Access Approach to Data

The company asserts that all of these products adhere to the same ‘zero access’ approach to user data.

However, comparing end-to-end encrypted email with an encrypted VPN service presents challenges, as VPNs can observe network activity and metadata.

VPN Usage and Trust

Proton claims it does not track or record the web browsing activity of its VPN users.

Given its established reputation for privacy, this claim is more credible than those made by many other VPN providers.

Nevertheless, users must still place their trust in Proton to uphold this commitment, even in the face of potential legal pressures.

The technical guarantee of ‘zero access’ offered by its end-to-end encrypted email is not fully replicated with the VPN service.

Free VPN and Data Logging

Proton also provides a free VPN service, which can sometimes raise concerns about data logging practices.

The company clarifies that users of the paid version financially support the free service.

While the claim remains zero logging, users must still exercise their own judgment regarding the level of trust placed in this assurance.

The Rise of Privacy Concerns: From Snowden to 50 Million Users

The increasing emphasis on privacy as a key brand attribute is evident, as even large data-mining companies like Facebook are now making assertions about shifting towards prioritizing user privacy. Consequently, any public relations statements regarding ‘respect for privacy’ require careful examination.

While it appears implausible for an advertising technology firm such as Facebook to downplay its reliance on collecting personal data while simultaneously claiming a commitment to privacy, ProtonMail’s dedication to privacy is demonstrably strong. The company was initially established with the explicit aim of achieving immunity from extensive surveillance operations.

ProtonMail’s core principle from its inception has been to create a system that eliminates the need for users to place trust in the service provider.

Since 2013, the adoption of end-to-end (e2e) encryption has significantly increased, spurred by revelations from Edward Snowden, a former NSA whistleblower. These disclosures exposed the widespread data collection practices of government surveillance programs, which involved tapping into internet infrastructure and mainstream digital platforms to access user data without consent. This growth has been facilitated by user-friendly services like ProtonMail, which have made robust encryption more accessible.

However, legislative actions in several regions pose a challenge to the fundamental concept of e2e encryption and threaten its accessibility.

Following the Snowden revelations, nations within the ‘Five Eyes’ alliance progressively increased political pressure on e2e encryption. For instance, Australia enacted legislation in 2018 granting law enforcement the authority to issue ‘technical notices’ compelling companies operating within its borders to assist in hacking, malware implantation, encryption weakening, or backdoor creation.

In 2016, the United Kingdom reinforced its surveillance framework by passing a law enabling the government to mandate the removal or non-implementation of e2e encryption. The Investigatory Powers Act allows for the issuance of Technical Capability Notices (TCNs) to communications service providers, requiring decrypted access. Notably, providers are legally prohibited from disclosing information about TCN applications, including their existence, as highlighted by the ORG.

Recently, UK officials have continued to publicly express concerns about e2e encryption, portraying it as a significant impediment to child protection efforts. Concurrently, they are developing legislation – the Online Safety Bill – to legally obligate service providers to ‘prevent harm online,’ as summarized by the ORG. This bill potentially conflicts with messaging services utilizing e2e encryption, as these services fall within its scope.

The United States, conversely, has not undertaken any reforms to address warrantless surveillance practices.

Concerns regarding e2e encryption also exist within the European Union.

EU legislators have recently advocated for “lawful access” to encrypted data, without detailing how this access would be achieved without compromising or circumventing e2e encryption and the associated digital security benefits.

Furthermore, EU lawmakers have proposed automated scanning of encrypted communications, known as ‘chatcontrol,’ ostensibly to combat the distribution of child exploitation content. This raises questions about its potential impact on ‘zero access’ services like ProtonMail.

The European Pirate Party has voiced strong opposition, labeling the ‘chatcontrol’ proposal as “the end of the privacy of digital correspondence” and warning that secure, encrypted communication is at risk.

A vote on this proposal is anticipated in the coming months, leaving the EU’s final position uncertain.

ProtonMail is headquartered in Switzerland, a country known for its robust privacy laws and not being a member of the EU. However, Switzerland also expanded the surveillance capabilities of its intelligence agencies in 2016.

Switzerland also adopts certain EU regulations, raising the possibility that any pan-EU automated scanning of message content could potentially apply to services operating within the country.

Despite the growing threats to e2e encryption, the adoption of such privacy-focused services continues to expand.

ProtonMail acknowledged that the EU’s current, temporary chatcontrol proposal is voluntary, allowing companies to determine their own policies. However, they also noted “some support” within the Commission for making the chatcontrol proposals mandatory.

A spokesperson stated, “The extent to which a Swiss company like Proton might be impacted by such efforts would have to be assessed based on the specific legal proposal. To our knowledge, none has been made for now.”

“We completely agree that steps have to be taken to combat the spread of illegal explicit material. However, our concern is that the forced scanning of communications would be an ineffective approach and would instead have the unintended effect of undermining many of the basic freedoms that the EU was established to protect,” the spokesperson added. “Any form of automated content scanning is incompatible with end-to-end encryption and by definition undermines the right to privacy.”

While ProtonMail celebrates its growth to over 50 million users, driven by a consistent commitment to zero-access infrastructure over the past seven years, it is crucial for all privacy advocates to remain vigilant regarding the potential implications of future political developments on the privacy and security of our data.