Every now and then, something happens that I can hardly talk about in the 500 characters I have on Mastodon, making it relatively hard to dive deep into it. Well, that’s an issue no more. After a bit of work I’ve now got a page on my site where I can post about things as extensively as I want. Woohoo.
So why now? Well, every now and then I get people asking me about my thoughts on Proton, especially after some internet drama has occurred. The latest instalment of this has been happening based on Pivot to AI’s blog post regarding Proton’s Lumo AI chatbot, but I’ve been getting questions about my thoughts for years. So I figured I’m gonna write out my 2 cents on Proton, some common discussions about them, as well as dive a bit into that blog post, because I’m getting a bit tired of all the “Proton is so evil” bullshit from people who either can’t read, don’t understand what they read, or purposefully write incorrect stuff. That’s not to say Proton is flawless btw, but their flaws should be discussed fairly, not through factual inaccuracies.
You can read what I currently think about Proton and my whole reasoning for it here. It’s gonna be a long one, but the tl;dr is that I think they are a good privacy-friendly option for most people and show no signs of changing that (rather, they are only improving on it). Reactions can go on my Mastodon post (yes, get on the Fediverse to talk).
And just a disclaimer. I have zero affiliation with Proton other than being a customer. This is all written based on my personal opinion and publicly available information.
Trusting Proton
Yes, to use Proton services you need to put your trust in Proton. They handle your keys, not everything is open source, and even what is open source relies on their servers, and you can’t check what runs on those. Now people might say “they could turn evil”. This is true for sure, but like most truthful points I wanna mention, it has some more nuance.
You see, this is an issue with anything you don’t do 100% yourself. Unless you check all the source code used, have your own hardware, and handle everything yourself, there is always some trust in a third party. Now, I don’t mean to say doing it yourself can’t be good or that you should blindly trust other parties, but the trust is more nuanced. For one, doing it yourself is hard for most people. Not to get it working, per se. But it is hard to get it done securely. Hosting stuff yourself without the proper knowledge will simply add more and bigger issues than you are solving. At times, it may actually be a better choice to trust others over yourself.
So then, how do you decide who to trust? Marketing speech doesn’t tell you much. Parties like Google and Meta claim to care about your privacy like no other. Then what does? Well, a combination of official policies and documentation, source code reviews, audits, subpoena publications, legal entity set-ups, actions performed by the entity (from lawsuits to social media posts), and more of those kinds of things that build a track record of the company’s antics. When it comes to Proton, they actually score quite well on these kinds of things.
Now, I was going to go all into it, but decided not to. Why? Because it would start looking like one of the many “Proton is trustworthy because” articles they wrote themselves (I just searched an obvious one up, but they have a lot of explanations of what they do and why it’s supposedly secure). So I’d rather keep that part short and get into why these things mean they’re trustworthy, specifically diving into the parts that are more discussion-worthy (I don’t think I need to tell anyone why open source is good, for example, so I’m not gonna waste space on that). The post will be long enough without a deep dive into what they do. So in short, it’s a combination of the following:
- A shit-ton of documentation spread out over their blogs and product sites, that explains quite well and believably how stuff works. Sadly no one ever seems to read this properly.
- Open source code for the client-side apps (the server side is not, which is a bummer. But even if it were, you can’t check that’s what actually runs there, so it’s not a tell-all either). And just as important, no real issues in that source that I’ve noticed, or heard credible complaints about.
- Independent audits of their company as well as their products, the latest being SOC 2 (extra kudos to Proton for understanding that SOC 2 is not a certification). Sadly, product audits are missing for Wallet, Authenticator, and Lumo. That being said, the latter two are quite new, so it is understandable they have no audits yet. That leaves only Wallet as the older one, a bit over a year, which is enough time for an audit to have been done, but it would also be understandable if it’s not entirely finished yet.
- Quite a decent Terms of Service, Privacy Policy, and Data Processing Agreement. Yes, I read them. You should too.
- Regular subpoenas. While the contents of the subpoenas are often not public record (due to law), everything points to the general answer being “we only follow legally correct requests that we cannot fight, which means it has to pass Swiss authorities”, “there is no data until we’re forced to track”, and “what we can track is limited”. More on that later.
- Proton is a non-profit foundation, and doesn’t have a single person able to take over (not even Andy). Again, more on that later.
- They have been and still are actively lobbying for privacy-respecting and privacy-increasing laws, as well as for European sovereignty. As opposed to privacy-intruding companies, who are often fighting these laws.
- Next to that, they have been trying to further these claimed goals in other ways, like joining legal battles against big tech.
Subpoenas and other police matters
We’ve seen examples where Proton got subpoenas (as any decent-sized service provider will) and complied with them. While some might say “how dare they give info”, the reality is not that simple. Proton is, like everyone, bound by law. That’s good, because many of those laws protect us against privacy intrusion. Not giving the info would just result in the people behind Proton getting arrested and data getting confiscated where needed, killing your privacy-friendly service in the process. But outside of that, it shouldn’t matter if they comply with a subpoena. Because a truly privacy-friendly service isn’t one that has all your data but promises not to share it (looking at you, Telegram), but one that doesn’t have it in the first place. After all, nothing can make them give away data they don’t have, nor can it be leaked.
Now, they might start tracking data after receiving a subpoena, for sure. But proper subpoenas aren’t handed out freely, and a decent service doesn’t give data until it has one that fully meets legal requirements (which includes having to be in the right jurisdiction; currently that means going through Swiss authorities is the only way. No shortcuts by using a less favourable jurisdiction). That means that before they start tracking, there has to be strong enough proof to convince those with the right to authorise it that the person who needs to be tracked is breaking the law and that the tracking is justified compared to the allegations. At that point, the Average Joe is quite well protected, and frankly, a privacy-friendly service is not the same as a hide-criminality service.
Jurisdiction
So then let’s get into jurisdiction. It’s no secret Proton has always been promoting itself as falling under the strict Swiss privacy laws. This is great, as currently Swiss laws are strong. That being said, there is some turbulence on that point. Proton, however, has been lobbying for privacy-respecting laws for years. They have also claimed they will move out of Switzerland if this goes badly, and seem to have started preparing for that option by moving most of the infrastructure out of Switzerland and into the EU, where we pride ourselves on some of the stronger privacy laws in the world. Nice to see preparations before it’s too late, instead of running behind the facts. Something with exit strategies and stuff.
It is worth noting, however, that moving infrastructure does not mean they no longer fall under Swiss jurisdiction as long as their company is still registered there; rather, they fall under both.
Legal entity
Proton AG is run by the (non-profit) Proton Foundation. This is important for a few reasons. For one, it means they should have no incentive to do things just for profit. Now, some nasty set-ups exist to abuse this for profit anyway, but there is no indication Proton is doing this. And luckily, there is more to it. When you are a foundation, certain laws apply. What those are exactly changes depending on the jurisdiction you’re in. As mentioned before, Proton falls under Swiss jurisdiction, with data hosted in the EU having to comply with certain EU laws as well.
So, some of those laws are rather interesting. For example, they prohibit Proton from supporting any political party. Proton, as a company, cannot give support to any political party, be it financially or in another way. This, of course, doesn’t stop them from lobbying for legal changes that match their organisation’s mission, but it does prevent them from sitting front row at an inauguration, so to say.
Furthermore, the Proton Foundation is run by a board of trustees who all have equal votes, and it has a majority share in Proton AG. This means that Proton AG cannot do anything without the majority of the Proton Foundation board agreeing. As all members of the foundation have equal votes, a single one cannot go behind the others’ backs. So while Andy might be the face of the company, he doesn’t make decisions on his own. And while his posting on social media could be a paragraph of its own, even if Andy himself had evil plans he cannot change Proton by himself. Instead, the whole foundation would have to change course. Of which, again, there is no indication of this happening.
Now, you may also have noticed I say things like “there is no indication Proton is going to do this”. Because yes, it is technically possible that it could change or that they are secretly hiding things. A lot is possible. But by that logic, nothing is good enough, because there are always possible changes and secrets that could make the best things horrible. In security, we normally look at risks, the chances of those risks, and the impact if they happen. While you generally really don’t need to write out a whole threat model for yourself (assuming you’re an Average Joe), it is good to think about this in your head. So we look at what we know, while keeping up to date with what’s happening. Many of the bigger changes that could happen require quite some paperwork (with its trails), and wouldn’t go unnoticed. However, it seems to me Proton is only moving for the better, not the worse.
Their CEO posts stupid things!
While I already mentioned that the influence he has in the company only goes so far, so his personal opinions aren’t the end-all for Proton, I still want to say a bit more about this. Andy is an outspoken person, for sure. But I think one thing that needs to be remembered is that most other companies and organisations don’t say much at all, or keep to highly curated media outings. For good reason; you can see what happens. Years of doing good things, people like you. Post a negatively perceived post? You’re no longer trustable! Boycott that company!
Let’s be real. We don’t even know what most CEOs are thinking most of the time. We don’t know if they have opinions you’d hate, because they simply won’t tell us. And likely, they too have opinions you’d hate. Now does that excuse Proton or Andy? Not really. But would you rather trust the guy you know relatively well, who has a largely good track record, or the guy you don’t know at all? Personally, I prefer the former.
Now to be fair, their social media presence hasn’t always been the smartest. From not making a statement when they would be better off doing so, to saying little on their official accounts and then ending up with Andy making a statement on Reddit that the official account doesn’t seem to know about, to stopping with any de-federated media, requiring you to use privacy-unfriendly services to connect with them (I’m salty on that one). But while unprofessional, we need to remember Proton has grown like crazy, and that means not always keeping up. And while it’s dumb behaviour, nothing that happened actually made the services worse. The biggest thing that needs to happen is Proton getting themselves some good media training so they can learn how to act appropriately.
You shouldn’t have your eggs in one basket!
Ideally, you definitely don’t. But sadly, reality is not always ideal. Now, if you are willing to split stuff up, you should. It is the better option. Personally, I don’t use all of Proton’s services specifically because of this. Mail is one of the biggest parts of your online identity, and combined with your credentials it gets you into almost anything. That’s why I have opted for a password manager that isn’t Proton, as well as having my MFA (which you should have enabled everywhere possible) in a third place. Luckily, unlike Big Tech, Proton doesn’t make this difficult for you. While stuff works nicely together, nothing is so interwoven that you can’t easily choose what to use and what not.
But what also counts is that the best security you have is the one you actually use. And most people in this world don’t want to give up convenience for security or privacy. Sadly, us privacy nerds are still a minority, no matter how much everyone should care about it. People are used to the convenience of Google, Apple, and Microsoft and will not settle for much less than that. That’s where the good side of one privacy-focused egg basket comes in. I will not get my grandpa and my nieces to switch to multiple different services that aren’t seamlessly integrated any time soon. Getting them on something like Proton, however, may just be possible.
And that’s not only good for them. It also helps with the privacy of the people who are willing to go further. After all, things like email are only as strong as their weakest link. You can have the most secure, privacy-friendly mail provider in the world. But when your contact uses Gmail, all the contents still go to Google. And knowing that getting everyone on the most privacy-friendly option ever is a utopia, I much rather see it go to a Proton. They might not be the highest ideal situation, but they do have their stuff in order.
It’s the same reason I prefer Proton’s implementation of the OpenPGP standard over Tutanota’s factually stronger and more widely applied encryption. And it’s also why I have some criticism on interoperability for things like private chats, but that’s likely gonna be a different blog post some day.
They should be focusing on their current products instead of making new ones!
Now, I can kinda relate to this one. As a Linux user, I wish they had more focus on making stuff work on my system. As someone who uses a phone without Google Play Services, I’m still a bit annoyed my email doesn’t even have notifications and most of my apps still can’t be found on F-Droid to this day. Like, c’mon.
But I also get the other side of it. Proton makes a point of not relying on tracking, advertisements, government funding, or corporate funding to generate a sustainable income. So most of their money comes from paying customers. Now, you might think “then they should improve their products”, but frankly, a complete suite and new products do better in marketing to the Average Joe. I mean, what looks more flashy: “Proton releases new alternative to [some Big Tech service]”, or “Proton adds another functionality to a piece of software”? Unless it’s a functionality you personally have been waiting for, the second doesn’t sound that big. And as such, Proton has to balance new services and improving existing ones.
When you look at their blog it seems Proton hasn’t entirely given up on feature updates, unlike what people online can often make you feel. They just make the news less often. So I feel like it is indeed being balanced, more than being forgotten. Maybe not the balance some users like to see, but it may be a good balance for others. There is no pleasing everyone.
“We from Toilet-Duck”
Now, this title probably only makes sense if you’re Dutch, but it refers to an old advertisement from a brand of toilet cleaning solution called “WC-Eend” (lit. “Toilet-Duck”) in which they parody advertisements with “professionals” recommending the product, by dressing up in lab coats and saying “we from Toilet-Duck recommend Toilet-Duck”.
I can see the Proton critics coming in already. You use Proton too much as your source. Of course they will say they’re good. Well, as stated before, random online posts are hardly a source. All we can rely on is official documentation and statements, followed by checkable proof (like source code, audit reports, past behaviour, etc). And well, most of that will have to come from Proton themselves.
But don’t misunderstand: while marketing can be sneaky, things like policies are legally binding the way they are published. Statements, on the other hand, can be compared to policies, actions, and laws to verify their integrity. And while statements could be silently altered, rarely is something truly lost on the internet. You may notice that most sources in my post here link to a Wayback Machine copy of the pages (which were the same as the live ones at the time of writing). Exceptions are the post where you can comment, policy pages for which I encourage you to check out the latest info, and a page showing the latest blog posts related to product updates. But old versions of those can be found on the Wayback Machine as well. The Wayback Machine is one of the many ways people ensure alterations are caught and provable, along with simpler things like good old screenshots. If Proton kept going in and changing things, we would have a lot more proof indicating that. Yet, we don’t.
So, about that blog post
Now if you made it till here you’ve spent about 15 minutes reading my ramblings, according to WordPress at least (yes, that’s what this lazily made website is built on. I don’t like web development and I’d rather spend my time on the content). Told you it would be long. Now you know why I can’t fit it on Mastodon, even when using a thread with multiple posts.
I’m taking this blog post because it’s the most recent, but I’d like to emphasise that I’ve seen this quite often when it comes to Proton, as well as some other security- and privacy-focused software and services. Going into a direct response here is more to dive into what’s going on with explicit examples than to single this instance out. I mainly wish to encourage people to read up themselves using official sources (and do so carefully) rather than random blog posts. Yes, mine included. Check a service’s documentation, check the owner’s track record, check applicable laws, and then decide based on that instead of listening to what people shout online.
So, let’s start with how it makes comparisons with Proton’s mail set-up, mentioning “The cool trick they do is that not even Proton can decode your email. That’s because it never exists on their systems as plain text — it’s always encrypted! The most Proton can do if a government comes calling is give them the metadata — who you emailed and when — but not the text itself.” It only focuses on the zero-access encryption. But remember when I listed Proton’s PGP implementation next to Tutanota’s? If you read it, you’ve read that it explains that it needs both parties to have each other’s public keys. Proton handles this when both parties use Proton, but otherwise you’d need to add the key manually. After all, without those keys it cannot be encrypted.
Now, let’s check what Proton actually claims:
“Emails between Proton Mail users are always end-to-end encrypted, meaning only the sender and the recipient can read the email message. Encryption takes place on the sender’s device using the recipient’s public key. All messages (including messages to and from non-Proton Mail users) are also stored using zero-access encryption on our servers and therefore inaccessible to us. Private keys are encrypted using users’ account password in a way that is not accessible to us.”
Well, that’s a bit more nuanced than “it’s always encrypted”, no? If anything, it’s already listing some exceptions. And since those exceptions are sent over their servers in plain text, Proton could be reading them (and do god knows what) during processing, no matter how they are stored afterwards. The whole “That’s because it never exists on their systems as plain text” is simply not true. So for mail too, there needs to be some trust.
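To make that distinction concrete, here is a toy model I wrote for this post (it is not Proton’s code and not real OpenPGP) of the two paths the quote describes: a message between two users of the service, encrypted on the sender’s device with the recipient’s public key, versus a message from an outside provider that the server receives in plain text and only then wraps in zero-access encryption before storing it. The addresses, messages and the ElGamal-plus-HMAC stand-in for PGP are all constructed for the example.

```python
"""Constructed model of end-to-end encryption versus zero-access encryption at rest.
Textbook ElGamal over a small prime plus an HMAC-SHA256 keystream stand in for
OpenPGP; this is a teaching toy, not a cipher to use for anything real."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

P = (1 << 127) - 1   # a Mersenne prime; fine for a demo, far too small for real use
G = 2


def keygen():
    """Return (private_key, public_key) for the toy ElGamal scheme."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stream cipher built from HMAC-SHA256 blocks; the same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_to(public_key: int, plaintext: bytes) -> dict:
    """Hybrid encryption: a random session key is wrapped with ElGamal, the body with the keystream."""
    session_key = secrets.token_bytes(15)        # 120 bits < P, so it fits as a group element
    k = secrets.randbelow(P - 2) + 1
    c1 = pow(G, k, P)
    c2 = int.from_bytes(session_key, "big") * pow(public_key, k, P) % P
    return {"c1": c1, "c2": c2, "body": _keystream_xor(session_key, plaintext)}


def decrypt_with(private_key: int, message: dict) -> bytes:
    """Unwrap the session key with the private key, then decrypt the body."""
    shared = pow(message["c1"], private_key, P)
    session_key = (message["c2"] * pow(shared, -1, P) % P).to_bytes(15, "big")
    return _keystream_xor(session_key, message["body"])


@dataclass
class MailServer:
    """Stores only ciphertext, but keeps a record of every plaintext it ever handled."""
    public_keys: dict = field(default_factory=dict)    # address -> public key (the key directory)
    mailboxes: dict = field(default_factory=dict)      # address -> list of stored ciphertexts
    plaintext_seen: list = field(default_factory=list)

    def register(self, address: str, public_key: int) -> None:
        self.public_keys[address] = public_key
        self.mailboxes[address] = []

    def send_internal(self, recipient: str, plaintext: bytes) -> None:
        """Both parties use the service: the sender's device encrypts, the server only relays."""
        ciphertext = encrypt_to(self.public_keys[recipient], plaintext)   # happens client-side
        self.mailboxes[recipient].append(ciphertext)

    def receive_external(self, recipient: str, plaintext: bytes) -> None:
        """Inbound mail from an outside provider arrives in plain text; the server encrypts it
        to the recipient's public key before storage (zero-access at rest), but has seen it."""
        self.plaintext_seen.append(plaintext)
        self.mailboxes[recipient].append(encrypt_to(self.public_keys[recipient], plaintext))


def run_demo() -> dict:
    """Deliver one message over each path and report what the server saw and stored."""
    server = MailServer()
    alice_priv, alice_pub = keygen()
    server.register("alice@example.test", alice_pub)          # constructed address
    internal = b"Proton-to-Proton: encrypted on the sender's device"
    external = b"From an outside provider: plain text on arrival, encrypted on receipt"
    server.send_internal("alice@example.test", internal)
    server.receive_external("alice@example.test", external)
    box = server.mailboxes["alice@example.test"]
    return {
        "decrypted": [decrypt_with(alice_priv, m) for m in box],   # recipient can read both
        "stored_bodies": [m["body"] for m in box],                  # neither is readable at rest
        "plaintext_seen_by_server": server.plaintext_seen,          # only the external one
    }


if __name__ == "__main__":
    result = run_demo()
    print("server observed in plain text:", result["plaintext_seen_by_server"])
```

Both stored bodies are ciphertext, which is all “zero-access at rest” promises; only the second path ever put plain text in front of the server, which is the gap the quote glosses over.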
Alright. Then Pivot to AI goes on to Scribe, about which Pivot to AI claims “For one thing, for the assistant, your email has to exist as unencrypted plain-text on Proton’s systems”. “Has to” is just bullshit, as it can be run locally in your browser. This is also not some shady hidden option, but a large pop-up as soon as you try to use it. If only Proton had clearly explained this, oh wait, they did…. But okay, what about when we choose to run it on Proton’s servers? Let’s assume we’re doing that for a moment. They complain “it completely breaks the security model where nothing is in plain-text at rest”. But this statement is also false, even when using the version running on Proton’s servers. The moment it’s being processed, it’s not at rest. At rest does not equal “every moment on Proton’s servers”, and if it did, it would already break when email is sent to any non-Proton contact whose PGP key you didn’t manually save. Luckily Proton’s claim about this is also more nuanced: “Your prompts and the generated emails will be encrypted in transit, immediately discarded once you’re done, and not used for any kind of model training”. Hey! That does go together with “nothing being plain-text at rest”!
Now we’re finally getting to Lumo. Lumo also has a pretty well-written page about how it works from a security and privacy side. And while it got released a day after Pivot to AI’s blog was posted, I would argue that one should get their facts straight before saying stuff, and not make bold claims when they don’t know for sure yet. And while Pivot to AI complains about the lack of it, I would argue that if they kept tabs, they’d know it generally comes after a bit of time. Have some patience, dear.
But whatever, let’s get technical. If you call yourself Pivot to AI, I feel like I’m allowed to be nitpicky about your opinions on an AI service. So, let’s start with the remark “If you’re using a remote chatbot like Lumo, the chat has to exist as plain text for the chatbot to see it, for some unspecified length of time.” While Lumo does do this, the statement is false. Because again, you don’t have to. Like Proton also explains so nicely, fully homomorphic encryption could ensure full E2EE that even the LLM can’t read. Sadly, and also well explained, this is so resource intensive that it’s not really usable for the use case of an LLM (yet). Hmmm, I’m starting to feel Proton actually dived deeper into this than Pivot to AI did.
Alright, then let’s get to the open source part. They make the following statement: “They just say the word “open” a lot — “Lumo is based upon open-source language models and operates from Proton’s European datacenters.” But that’s misleading. The actual large language model is not open. The code for Proton’s bit of Lumo is not open source. The only open source bit that Proton’s made available is just some of Proton’s controls for the LLM.” Well, there is quite a bit to unpack here, but I’m failing to see the misleading part. Proton claims the service is based on models that are open source, but that doesn’t mean Proton has to have the source code in their repositories. If Proton didn’t change the models and only built something on top, it would be reasonable not to. And that does seem to be the case. If anything, that’s the whole point. So to find that source, one shouldn’t be on Proton’s GitHub but on the repositories of whoever owns the models…
They then continue to say Proton has released their instructions for using those models (which also includes the website). And we just concluded the models were already out there; Proton didn’t make them. So are they open? Yes, they are. And now you may say “but the apps weren’t open yet”. That’s true, those were released on August 22. But the blog is obviously talking about the models and their instructions, and not the mobile apps. If anything, it completely fails to mention the apps and the status of their source code, which would have been the one decent complaint (even if the app is basically just the released web part with some integration to allow voice control. It’s nice to be able to check it’s indeed just that). But in the end, that too is just another matter of “give them some time to get everything released”, as it often releases not long after, and did.
Then what about the implication of Proton supposedly vibe-coding everything? Well, are they? I don’t know. I can’t look into Proton’s business. But I don’t think this single file proves that. Heck, for all you know they were researching something and had the file there from that. The truth could be anywhere from there up to “they vibe-code the whole shebang (pun intended)”. So they might, or they might not. However, considering the extent of their explanations about the choices made, I feel it’s safe to say their software has been thought out and well designed. To make those designs and then not code them like that makes no sense. It’s the designing and figuring out how it should work that takes the effort, more so than producing the code itself. Since they already do that, I think it’s more likely they use it as a productivity tool at most than go full vibe-coding.
Alright, then what about this claim Pivot to AI makes about the supposedly found system prompt: “If this prompt is the real deal, then your files and everything else are just dumped into the model’s context.”? Well, that would be quite an issue, no? Luckily, that’s not what the prompt says at all. The prompt is just a pretty general “don’t tell people Proton’s internal info”. And then I mean Proton’s, not yours stored at Proton. Things like hardware specs of the stuff in their data centre, to give you an idea. Which is quite normal to do. Giving out full specs like this hands attackers a list of which organisation is vulnerable to what. That doesn’t even have to do with not keeping stuff up to security standards. Attackers can find vulnerabilities before researchers do, and abuse them instead of disclosing them. Furthermore, patches aren’t always made in an instant; it takes time to find the issue and fix it. There is a reason they often publish about it only after the fix is out. I don’t even know where Pivot to AI got the idea that this prompt means Proton throws all your encrypted files unencrypted into Lumo. It makes no sense; there is zero connection between that thought and this system prompt.
Well, maybe they misunderstood Privacy Guides’ remark “Isn’t everything proton makes supposed to be open source?”, but the simple answer to that is “no”. As said earlier, their client apps are open source, but not “everything Proton makes” is. To be fair, Privacy Guides’ question “why even try to hide the system prompt” is a much better one, because the prompt itself is really not that interesting that it should be hidden. More likely, I’m guessing Pivot to AI misunderstood that “files explicitly added to the context of your Lumo chat and turned on at the moment of sending a request” isn’t the same as “every piece of data stored at Proton ever is always available to it”. Because the former is much more likely how adding files to the context of your current chat works.
Alright, let’s move on. The next thing they claim is: “Proton is moving its servers out of Switzerland to another country in the EU they haven’t specified.” However, they did. It’s Germany. Great, Germany is one of the better places to be, even when compared to other EU countries. Oh, and they also said they’re gonna invest 100 million Swiss francs into Norway, so we can already add that one to the list of future places. And to put the icing on the cake, the claim “The Lumo announcement is the first that Proton’s mentioned this.” is also false. It was already mentioned in May, and Proton has made multiple remarks about it in reaction to the proposed changes in Swiss privacy laws since.
Now, there are some more “it’s impossible with Proton Mail” and “Proton doesn’t tell us” remarks, which can be put together with the ones I already went into, leaving only the conclusion: “Proton’s Lumo chatbot is a pile of openwashing and securitywashing using Proton Mail’s previously solid reputation to sell you something where the security is: cross your fingers and trust us.” Personally, I’m more likely to believe that Pivot to AI’s blog post is trying to create clicks with badly researched information, relying on creating a shock factor about something that is not shocking. Or perhaps pivoting into AI hurt the writer’s critical thinking. But more importantly, I think it shows just why you should not trust random posts on the internet. I’ve seen this blog post go around in many places, and I’ve had multiple people send it to me asking my opinion. There are some pretty links and it shows up everywhere. So there must be some truth in it, right? I guess not…
Some last notes
Now, one thing I want to mention about Lumo is kinda unrelated to this specific blog post (Pivot to AI did actually get this one right). I noticed a lot of sources saying Lumo is E2EE. However, Proton never claimed that (and no, an AI answer doesn’t count. We all know AIs talk a lot of bullshit and Lumo is no exception). I even went back to check if they could have changed the wording. But none of the news articles based on their pre-release shared info say it is. Since I highly doubt Proton is able to change all the news outlets that post about them, I’m more inclined to believe it never said that and it’s another case of people assuming stuff and repeating what they heard online rather than checking it themselves (and for those who wonder: giving info to base an article on doesn’t mean they control the media. All they do with that is give some info so news outlets can prepare in advance, which is quite a normal thing to do).
Another thing I want to point out is people falling over “they didn’t tell us”. We need to remember that us techies are not the only target demographic of Proton. Your non-IT auntie who still loves her TikTok feed is too. A lot of posts need to be understandable for them as well as catch their interest, which means keeping things simple. And that is the group of people that won’t wait, but wanna jump on the bandwagon before the hype is gone, whereas most nerds want to first check how it works and wait until they’ve had time to figure it out. From a marketing perspective, and Proton needs marketing if they’re to make money without sneaky shit like tracking, it makes sense to post those first. So far, detailed explanations for the techies have always come later on. Just because Proton didn’t tell you (yet) doesn’t mean it’s a secret. If you don’t want to wait for the info to appear, you might want to try simply asking them before getting mad.
And lastly, don’t get me wrong thinking I’m saying Lumo fixes our AI issues. It doesn’t. There is a lot to say about AI, and a lot to complain about as well. Personally I’m not against it in general; I even quite like it and have spent quite some time of my life researching it. But I am against the current implementation and usage of it. I had started to look into Lumo specifically because Proton tends to be better than the big AI companies. But that’s a whole discussion in and of itself. The important point is: Lumo definitely doesn’t solve all of those issues. But luckily, it isn’t trying to do so, if you read the claims it actually does and doesn’t make. And regardless of the things you can say about AI, people want to use AI, and use it now. They don’t wanna wait until it’s fixed. If they are going to do it anyway, I’d rather see them using Lumo than ChatGPT. At least the privacy side is done quite decently.