1. Protonmail acts like a CIA/NSA “honeypot”
Protonmail has an Onion domain that allows users to visit their site using the TOR browser. Protonmail even has an SSL certificate for that onion address even though it’s completely unnecessary. When a user creates a new account with Protonmail on TOR, they are redirected from Protonmail’s “.onion” address to “.com”. This breaks your secure encrypted connection to their onion address, allowing your identification. There is absolutely no technical reason for this feature. In fact, the only other websites that operate like this are alleged NSA/CIA Honeypots.
This is a huge security issue that was either created because Protonmail is run by particle physicists who don’t understand computer security OR they were forced to operate their website the same way as the CIA/NSA honeypots. Both possibilities are serious concerns.
2. Protonmail does not provide “end-to-end encryption”
Professor Nadim Kobeissi has mathematically proven that Protonmail does not provide end-to-end encryption. This means that Protonmail has the ability to decrypt its own user’s data. When this turned out to be true, Protonmail users were outraged that they had been lied to. Protonmail was forced to release a public statement. Their statement begins predictably…by shitting on the security researcher who exposed their dishonesty. Then they kept saying, “We lied to our users because other email companies did.” No excuses. They can decrypt all their users’ data by sending them scripts that allow them to do so. However, they announce that they cannot. Admission of Protonmail proves that they offer the same security as Gmail. Gmail and Protonmail both offer encryption that they can decrypt whenever they want.
3. Protonmail was created under the supervision of the CIA/NSA
Gmail and Protonmail were both created in CIA/NSA funded departments under their supervision. Protonmail attempted to hide this part of their story. We wrote an entire article about it here.
4. Protonmail is partly owned by CRV and the Swiss government
After a successful crowdfunding campaign with promises to “stay independent”, Protonmail sold the stake to CRV and FONGIT. At the time of the stock sale, a founder of CRV, Mr. Ted Ditersmith, was working for the US State Department working closely with President Obama. His position as delegate required close contact with the administration of the CIA and NSA. Mr Ted Ditersmith had also witnessed the Edward Snowden revelations and said he planned to use his business knowledge to ‘combat terrorism’. FONGIT is a non-profit organization funded by the Swiss government. Antonio Gambardella, a staff member at Protonmail, also works for the Swiss government.
5. CRV, In-Q-Tel and the CIA
The CIA openly operates a front company, In-Q-Tel, whose stated purpose is to invest in technology companies on behalf of the CIA. In-Q-Tel said it has a particular interest in information contained in emails and encrypted communications. In-Q-Tel turned out to be the bridge between the CIA and Gmail. A scan of staff members reveals CRV & In-Q-Tel connections. US media confirms these connections when interviewing CRV so they can understand In-Q-Tel. Additionally, the mastermind, cryptographer, and back-end developer who created Protonmail, Wei Sun, now works for Google.
6. Protonmail follows CIA email format and metadata requirements
Documents leaked to Wikileaks show that the CIA requires emails to be stored as an EML file type. There are several ways to store emails, and Protonmail has selected the format required by the CIA. Protonmail does not offer any protection for user metadata and has officially stated that they hand over metadata to law enforcement. Edward Snowden revealed that the US government cared the least about the content of emails. Mr Snowden revealed that US law enforcement cares most about who a person is talking to, the dates and times of emails and the subject of the email. Subject and metadata encryption is not difficult to provide. However, Protonmail refuses to offer any protection on the most valuable data for the CIA and FBI and they store it in plain text (no encryption). Edward Snowden stated that the NSA “is unable to compromise the encryption algorithms underlying these technologies. Instead, it circumvents or undermines them by forcing companies to cooperate in other ways. Protonmail has refused to protect the information the NSA wants is a concern.
7. Swiss MLAT could give the NSA full access
8. Protonmail uses Radware for DNS/DDOS protection
Privacy companies like Protonmail are required to use a DNS/DDOS service due to frequent attacks on their service. Protonmail uses a company called Radware for this purpose. Radware is a shoddy service that has failed to provide adequate protection. Protonmail has been taken offline sometimes by teenagers because they insist on using substandard service. It should be noted that the international office of Radware is located a few kilometers from the headquarters of the most powerful intelligence agency in the world, the Isreali Mossad. Radware can gain full access to all Protonmail user accounts in two ways. They could inject a few lines of code that would reveal all users’ usernames and passwords, allowing them to log in as if they were that user. They might also receive usernames and passwords by Protonmail. Remember that Protonmail has admitted that it can access all users’ accounts and decrypt their data. Additionally, Radware has been reported to have direct ties to the Israel Defense Forces.
9. Protonmail engages in illegal cyber warfare
In 2017, Protonmail appears to have used illegal cyber warfare capabilities to illegally break into a suspicious server. You can see the tweet they posted and read about it here. They quickly deleted the tweet and said, “We can’t confirm or deny if anything happened.” In 2013, the European Union parliament voted to make hacking a crime punishable by up to 2 years in prison. Hacking back is also illegal under Swiss law. Based on Protonmail’s confession alone, they carried out an illegal hack.
10. Protonmail has a history of dishonesty
Since the creation of Protonmail, they have lied to their users. From the moment they funded $550,000 to “stay independent,” a promise they broke almost immediately by selling a stake in an American company with ties to President Obama and John Podesta.
11. Protonmail does not protect users, if it may cause legal risk
Protonmail is collaborating with EUROPOL in a clear case of political repression against anti-gentrification activists in Paris, and setting up IP logging specifically for this user… So even in the clearest violations, they are not defending users if it means taking legal risks for them.
12. Protonmail censors “false” information about itself, even if you’re a small blogger
Prontonmail joins the long list of censor trolls asking registrars who owns the domain? ! (see aforementioned abuse complaint from Proton AG). They broke with a tradition of free speech (publicly debunking claims) and with a traditional form of law enforcement. It’s highly unusual for corporate trolls with armies of lawyers to contact anyone to censor such vague claims on a random blog in some dark corner of the internet. It’s not exactly like the website named protonmailtruth.ch or whatever.
In our opinion, Protonmail is not an email solution you would use if you want privacy or security. Your emails will probably end up in a US data center right next to your Gmail emails.