“We're past the point where citizens are entirely dependent on governments to defend our privacy, we don't have to ask for our privacy, we can take it back” - Edward Snowden, Reset the Net.
“All intelligence services... all of them, are afraid of easy to use, secure communications tools.” - Jacob Appelbaum.
“Security and privacy are fundamental human rights which should be guaranteed for all.” - ProtonMail Statement
Most people probably do not need a secure email service. But there are some people who do. This includes attorneys exchanging confidential information with their clients, doctors and nurses exchanging information with their patients, businesses exchanging important information with their staff and customers, journalists exchanging confidential information with whistleblowers, and political groups who may want to organize without the constant surveillance of the government. In this article, we will explain why a relatively new email service called ProtonMail is the best solution for these special groups. We will then explain how to set up your own free ProtonMail account.
We begin with a discussion about the corrupting influence of money. As you may know, Google makes money by scanning our Gmail emails and showing us ads based on what we write about. This need to make money makes Gmail inherently insecure. In 2013, after Edward Snowden released information confirming NSA mass spying on emails, a group of scientists in Switzerland met to discuss how they could create a more secure email service. They decided to build their own system on their own Linux open source servers. In the summer of 2014, they held an online fundraiser and received $550,377 from 10,576 donors. Their business plan is rather simple. They do not use any advertising. Instead, they offer free accounts for most users and charge only for additional storage space on their servers for those who need a lot of it for sending and receiving secure emails. Unlike other secure email services, ProtonMail is very easy to set up and use. The response to ProtonMail has been amazing. In just two years, more than 500,000 people have signed up for their email service. ProtonMail is now the world's largest private email service. Here is a link to their website where you can learn more about them: https://protonmail.com/
ProtonMail comes in three versions: an app for Android, an app for Apple devices and a web version. ProtonMail uses end-to-end encryption, including for attachments.
How ProtonMail end to end encryption works
“We encrypt the data on the browser before it comes to the server. By the time the data comes to the server it’s already encrypted, so if someone comes to us and says we’d like to read the emails of this person, all we can say is we have the encrypted data but we’re sorry we don’t have the encryption key and we can’t give you the encryption key. We’ve basically separated the message that’s encrypted apart from the key – all the encryption takes place on your computer instead of our servers, so there’s no way for us to see the original message.”
“One of the key things we want to do is control our servers and make sure all the servers are in Switzerland which will increase privacy because Switzerland doesn’t do things like seize servers or tape conversations.”
ProtonMail also supports messages that self-destruct after a set time period. Recently, from November 3 to 7, 2015, ProtonMail was under attack by a “technically advanced group with abilities similar to a state-sponsored group” that made the service largely unavailable to users. They have since installed additional programs to help them fight off future Denial of Service attacks.
Here is a statement from the ProtonMail blog about the attack: “In just three days, the ProtonMail Defense Fund has gathered $50,000 in donations, giving us the resources to resist further attacks against email privacy. By attacking the world’s largest free private email service, the attackers sent a message that they did not want online privacy to succeed. However, we have now sent them back an even stronger message, that online privacy is here to stay. The attackers hoped to destroy our community, but this attack has only served to bring us all together, united by a common cause and vision for the future. The road ahead will surely contain more difficulties, but together, we shall overcome.”
Currently, email storage space is limited to 500 MB (half a gigabyte) with attachments limited to 10 MB. Sent messages are capped at 1000 per month. So this account cannot be used for mass marketing. They plan to eventually have paid plans with more storage space. Their paid accounts will be $5/month and will provide 1GB of storage.
To get a ProtonMail account, you must submit an invite request. There are two kinds of accounts. The common account is
How to sign up for a ProtonMail account
Go to ProtonMail.com. Scroll down the page to “Get your secure email account.” Enter the username you would like to have. Then click GO to see if it is available. If it is, enter your normal email address. This can be deleted or changed later.
The initial account is for the email address (your name) at protonmail.com. We will switch to the protonmail.ch ending after we create our account because this version of ProtonMail is more secure than protonmail.com. To create your account, type in a Login Password twice, a Mailbox Password twice and an optional recovery email address.
We will use our Gmail address as a recovery email address. Then click FINISH at the bottom of the screen. There will be a three-second account creation screen followed by your email account screen at this URL: https://protonmail.com/inbox
The initial free storage is only 500 MB. Click on the Welcome email to read it:
Thank you for creating your ProtonMail account! We look forward to bringing you easy-to-use, encrypted email. To get started, we have gathered answers to common questions we've received from new users. If you would like to learn more, please visit our knowledge base: https://support.protonmail.ch
What data is encrypted? The bodies and attachments of emails you exchange with other ProtonMail users are always automatically end-to-end encrypted. End-to-end encryption means that even ProtonMail does not have the ability to read your messages. You can tell if an incoming email is end-to-end encrypted by whether there is a purple lock next to it:
If you don't have friends on ProtonMail yet to benefit from end-to-end encryption, ProtonMail still provides extra security and privacy. For all non-end-to-end encrypted emails, the message bodies and attachments are still stored encrypted so that only you, with the correct mailbox password, can decrypt them.
Can I use this with my friends who use Gmail?
Yes! However, the messages they send to you will not be end-to-end encrypted. You can send messages to outside users as well. For outgoing messages to non-ProtonMail users, the default is unencrypted emails, which are sent just like any other email.
PM → PM (end-to-end encrypted)
Gmail → PM (not end-to-end encrypted, stored encrypted)
PM → Gmail (not end-to-end encrypted by default, can be encrypted)
You can send a friend using Gmail an end-to-end encrypted message by selecting the lock icon in the lower left corner of the composer window. You will be prompted to set a message password to encrypt the message - this is the password you give to your friend through another channel. When your friend receives your encrypted email, they can simply click on a link in the email, enter the password to decrypt the message, and then reply to you end-to-end encrypted! On the other hand, messages exchanged between ProtonMail users are automatically encrypted without requiring passwords for individual messages, so invite your friends to also use ProtonMail!
What is protonmail.ch vs. protonmail.com?
The .ch is the top-level domain for Switzerland and since v1.14, users can send and receive emails with both
Go to the Settings page to pick your default alias.
What is Message Expiration?
With ProtonMail, you have more control of your data. For ProtonMail to ProtonMail emails, you can set how long you want an email to exist after it is sent using the timer icon in the composer window. After the expiration time has elapsed, it is automatically deleted forever. If you are sending to an outside user however, this feature only works if you encrypt the message. Keep in mind that one can forward an expiring email to keep permanent copies of it.
How to use ProtonMail on mobile devices or mail clients?
ProtonMail can be accessed from most updated browsers, including those on mobile devices. Currently, we do not support POP/IMAP for mail clients due to our encryption. However, we are working on mobile apps that will make mobile access even easier and more secure.
Is ProtonMail free?
ProtonMail is completely free to use and will always be free. In the future, we will introduce premium accounts with more storage space and features to help pay the bills. In the meantime, feel free to make a donation here: https://protonmail.ch/donate
What to do if problems come up?
Many issues are related to browser extensions or add-ons so try another browser or the incognito window of Chrome and private window of Firefox. If you happen to find a bug, we would really appreciate it if you use the Report Bug button in the top right to let us know. We're constantly working to improve ProtonMail and we'll be fixing bugs and adding new features daily.
We strive to deliver the highest quality customer support and read every email that comes in. For general and support inquiries, and for feature requests, please contact us via our support website: https://support.protonmail.ch
We will next go to the Settings page to pick a more secure email alias.
In the lower right corner are your two options. Drag the .ch option up to make it the default option.
How to Import Your Email Contacts to ProtonMail
Next, we will import our Contacts from our Gmail account by clicking on Contacts in the top menu.
Before we upload our Gmail Contacts, we need to create a Gmail Contacts CSV file. Open a new browser window and go to your Gmail account. In the upper left corner, click on the word Gmail. Then click on the word Contacts. This will show how many email addresses are in your account. Delete any email addresses you no longer want in your email contacts list by clicking on the three dots to the right of an unwanted contact to show “More Actions” - then click Delete. After you have cleaned up your Gmail contacts, in the upper left corner of the screen, click on More. Then click Export. The following window may appear:
Click Go to Old Contacts. Then click the More button at the top of the screen. Then click Export.
Change the selection to Outlook CSV. Then click Export. This will place a CSV Contacts file called contacts.csv in your computer's Downloads folder. Once you have your Gmail contacts CSV file in your Downloads folder, go back to the browser window with your ProtonMail account and click on Upload Contacts in the upper right corner of the screen:
Click your cursor inside of this box. Then go to your Downloads folder and click on contacts.csv to select this file. Wait one minute for the following screen to appear:
Then click Upload. After the Contacts are uploaded, you can click on Contacts to add to or delete from them.
Other ProtonMail Settings
Now that we have our Contacts uploaded, click on Settings again and click on the Security tab.
ProtonMail created a public key for this account which you can download for other encrypted email services. If you do not know what a public key is and do not use other encrypted email services, don't worry. All is OK. You do not need to download this key to use ProtonMail.
Click on the Appearance tab. If you want the Composer Window to be maximized by default, then click Maximized. Then click Save. If you want email images to be shown by default then click Show. Then click Save.
Send Your First Test Email
To send your first test email, click Compose in the upper left corner to compose your first ProtonMail message.
Then click the Encryption button at the bottom of the page.
Put in a password for this message and a hint. Then click Set. The Encryption button at the bottom of the screen will turn blue.
Next click on the Expiration Time button.
Shorten the time so that this message will self-destruct in 24 hours or less. Then click Set. The Expiration Time button will also turn blue. Finally, click on Attachments. Then attach a top secret document. It will be shown at the bottom of the screen and now all three buttons are blue. Click Send in the lower right corner of the screen. Then click on the Sent button in the left side menu. Hover over the clock icon to the right of this email and you will see a countdown clock showing how much time is left until this email self-destructs. Next, let's see what it is like to receive this email. Go to the email account you sent this encrypted email to:
Click View Secure Message:
To open this email, the receiver will need to enter a password which you and they have agreed to in advance. The best way to get this password to this person securely is in person or through some secure phone line or video line. In our next article, we will explain how to use Linux to set up an encrypted video conference. For now, enter the password to open this test email.
Click on the Attachment File to open it.
You can open the file or save the file. For now, we will click Cancel. Then click Reply to reply to this secure email. The reply will actually be secure, so you can let the person know that you received the top secret document.
Then click Reply to send this email. Then go back to your ProtonMail inbox.
The purple lock by the email indicates that the email was sent securely.
Test Comparing ProtonMail to Google Gmail
We can use a free tool called Privacy Badger to determine if any web page has trackers. Here is Privacy Badger on a Gmail account page:
Google has at least two trackers monitoring and recording our emails. Here is Privacy Badger on a ProtonMail page:
ProtonMail does not track us. Thus, they have no logs of our emails. To log out, click on your name in the upper right corner of the screen and click Log Out. Here is the URL for the Log In screen: https://protonmail.com/login
Forward Your Old Gmail Emails to your New ProtonMail Account
To forward email from your old Gmail account to your new ProtonMail account, go to your Gmail account and click on Settings, then click on Forwarding. Then click Add a Forward Address. Enter the ProtonMail email address you want all email from your Gmail address to be forwarded to. Then click Next. Click Proceed. Next go to your normal email address and follow the confirmation steps.
You can see that ProtonMail is a very simple system that does not require any knowledge of encryption keys. The only real problems with this system are that it does not work with older browsers (you will need a recent browser even to create your initial account) and that it does not work with email managers such as Thunderbird. So we do not recommend ProtonMail for your day-to-day email communications. But if you work in a profession that requires being able to send secure emails, this is a wonderfully easy solution. You will need to remember the passwords you create, which should be different for different people. You can create your own table of passwords or you can use any of several free password managers.
Now that we have a secure email service, in our next article, we will look at how to set up and use a more secure web browser.