How cybersecurity is playing a role in global geopolitics – ProtonMail case

Global context – Why is cybersecurity more important than ever?

Terrorism, with its global footprint from 9/11 in New York to the ISIS attacks in Paris, has made security the top issue for governments worldwide. The Paris attacker’s final text message announcing the start of the attacks, which was found on a phone dumped near the attack site, is a strong argument for strengthening cybersecurity and building up national surveillance.
However, pervasive secret surveillance programs have given rise to a debate on privacy and on the legitimacy of programs that allow governments to collect the private data of citizens, and in some cases foreigners, who are not suspected of any connection to terrorism or any wrongdoing. PRISM, the top classified program, is the largest surveillance program initiated by President Bush after 9/11. The whistleblower Edward Snowden, a former NSA (National Security Agency) contractor, risked his career and life to raise the issue of privacy as one of the fundamental human rights in the digital age. He revealed that the NSA was scanning not only suspicious Americans, but virtually everyone who was communicating on the network.

It’s been nearly three months since Edward Snowden started telling the world about the National Security Agency’s mass surveillance of global communications. But the latest disclosures, by the Guardian, New York Times, and ProPublica are perhaps the most profound yet: the N.S.A. and its partner agency in the United Kingdom, the Government Communications Headquarters, possess significant capabilities to circumvent widely used encryption software in order to access private data. (The New Yorker: How the N.S.A. Cracked the web)

Email, as one of the most important communication channels, gained a lot of attention in the US presidential campaign in 2017. In particular, Clinton’s email scandal and the WikiLeaks disclosures about her emails accelerated the debates about security and privacy. Yet, regardless of the scandal, both Clinton and Trump stated in the campaign that cybersecurity would be a top issue to address in their presidential agenda: how to work with tech companies to protect cross-border data flow without jeopardizing citizens’ privacy.

What issue is ProtonMail trying to tackle?

As one of the earliest forms of communication on the internet, email is not safe, and email encryption is just too complicated for the majority of users.
Apple has long been an advocate of consumers’ privacy. Its battle with the FBI over the iPhone encryption case pushed forward the debate on whether federal agents can sacrifice the privacy of the masses in their effort to unlock the San Bernardino shooter’s iPhone. In court, Tim Cook pushed back against law enforcement to protect Apple’s users from criminals and authorities alike.
Similarly, Google recently announced that over 1 million accounts have been targeted by government-backed hackers. Gmail has therefore developed a new feature to identify government-backed hacking attempts and notify its users of them.
Located in Switzerland, ProtonMail aims to host emails in a territory that is neutral and not impacted by major legal changes (outside the USA, Europe, Russia and China). It was also founded to provide an easy-to-use end-to-end setup for the masses to secure and encrypt their emails.

Framework (Switzerland & Cyber world)

To better understand how the macro-environment affects the operation of ProtonMail, we will use the fixed, semi-fixed and current factor framework to analyze the company’s situation. For ProtonMail, one of the key determining factors when setting up the company was which jurisdiction it would fall under. The company believes that Switzerland is able to provide the best protection.

Fixed

Firstly, for the fixed criteria, the historical background and geographic location of Switzerland give the country a natural advantage over other countries. Since Switzerland, a strategic highland located in the center of Europe, has been a neutral country since 1815, it can enjoy a separate jurisdiction (outside both the EU and the USA) without any interference from other countries. It is separated from all its neighbors by mountains, which gave the country a competitive advantage against invaders over the centuries.

Semi-fixed

Secondly, for the semi-fixed criteria, the stability that Switzerland provides, both politically and economically, allows ProtonMail to operate in a very safe environment. Switzerland is a country with high political stability and direct democracy: Swiss people can decide policy initiatives directly. Such a system can better avoid manipulation by politicians on critical issues (i.e. privacy protection and cybersecurity). The country is also renowned for having a very strong defensive army (every citizen has to do his military service). Its policy regarding atomic shelters is also very impressive: almost every house built after 1960 has its own shelter, and there were around 300,000 shelters in 2006. So even in an apocalyptic war, Switzerland could continue operating for a certain time.
Switzerland’s stricter privacy provisions also favor the development of ProtonMail. Unlike in the EU, when gag orders are issued in Switzerland to prevent an individual from knowing they are being investigated or under surveillance, the prosecutors have an obligation to notify the target of surveillance as soon as possible, and the target has an opportunity to appeal in court. There are no such things as National Security Letters, and all surveillance requests must go through the courts. Such circumstances are very beneficial for an encrypted email provider like ProtonMail.

Current

Although Switzerland, like every other country, has laws governing lawful interception of electronic communications, they restrict only Internet access providers, so ProtonMail, as a mere Internet application provider, is completely exempt from the scope of application of the Surveillance of Postal and Telecommunications Traffic (SPTT) law.
This combination of factors greatly reduces the risk that ProtonMail will be forced to turn over the whole company’s computer systems in the foreseeable future.
As for factors that currently affect the company, the economic stability of Switzerland gives ProtonMail a good prospect of continuing to develop. Switzerland has been consecutively ranked as the world’s most competitive economy according to the World Economic Forum’s (WEF) Global Competitiveness Index 2016-2017. The country is also equipped with excellent infrastructure, a highly skilled labor force, and a per capita GDP among the highest in the world.
Besides internal factors, political turbulence in other countries also greatly affects ProtonMail. For example, the company’s CEO claimed that signups for the company’s service doubled after the US presidential election.

The Company

History

On 16 May 2014, a team of computer science engineers from CERN launched a ProtonMail public beta platform. Within three days, ProtonMail was met with an overwhelming response and was forced to temporarily suspend beta signups while the team worked to expand server capacity. A month later, the team launched a crowdfunding campaign on Indiegogo to further develop their idea. Although they were aiming for $100,000, they managed to raise $250,000. So the company quickly saw the potential for a great business.
The founding team met at CERN. Today, ProtonMail has become a major player as a secure email provider, with over one million users and a local presence in Geneva, San Francisco, and Skopje.

Encrypted email app

The science of cryptography has existed for a long time and has been used in many different ways. With the arrival of computing power, this science has made huge steps forward. Email encryption with public/private key encryption was introduced in the 1970s and has improved since then. Although the technology existed and was used by a few knowledgeable computer scientists, it never became simple enough to be adopted by the masses: it was still complex to set up, and many people believe there is no reason for them to care about encryption.
With the arrival of new technologies such as Gmail, Hotmail and Yahoo Mail, those companies started to see the potential of using email content for targeted marketing. Even though they claim to offer end-to-end encryption, they still have a layer of automated profiling of the user based on the content, which proves that they have access to the content of the email.
ProtonMail wants to go a step further by providing a real platform with end-to-end encryption of user-generated content. So even ProtonMail, as a company, has no way to access the content of the emails it is hosting, because it is all encrypted on its servers.

Business model

As ProtonMail’s value proposition is to host encrypted email and to guarantee full security of the data, unlike a company like Google, it can’t generate revenue from targeted marketing or any type of ads.
Its business model is focused on subscriptions. It offers a very basic service for free, and very quickly you need to pay ($4/month) to have access to some features. You can also support the company further to get additional features, and donate to it. Clearly the company is not focused only on profit, because the service is fairly cheap; its goal is mostly to make email secure again.
The fact that ProtonMail also releases part of its code as open source makes it a reliable partner, as you can easily audit its performance and technical choices. A community of fans and developers has also formed around it and provides additional support for the development of the platform itself.

Lavabit is also a provider to watch. Lavabit was previously used by Snowden. The company chose to shut down its service instead of complying with the requirement of the US government. The company plans to relaunch its service at the end of 2017, and it could be a very powerful competitor for ProtonMail.

Security vs privacy? Is too much privacy good for society?

On the flip side, encrypted email might also be a paradise for criminals to commit crimes. Following the Paris attack at the end of 2015, ProtonMail was reported to be on ISIS’s list of recommended email providers. The company’s service is also reported to be associated with Vijay Mallya, the founder of Kingfisher Airlines, India. Some argue that it is necessary to weaken cryptosystems to create a “backdoor” for law enforcement as a solution.
The main issue so far is that in the physical world, when a judge decides that someone has to be investigated, he can give the police a mandate to break into your house and search for evidence of your guilt. In the virtual world, there is no way to allow an authority to easily break into your data if it is properly encrypted. Some therefore argue that “backdoors” should be implemented in cryptosystems to make it possible to break “legally” into someone’s system when authorized to do so by law. But backdoors are also weaknesses that can be exploited by anyone without the data owner noticing.

We must remember that security and privacy are forever linked. If security is done properly, it always comes with good privacy.

Way forward

The geopolitical scene has clearly been more and more influenced by the cyber world. The importance of mastering those tools to rule and gain power has been proven.
The philosophical question now is to think at a higher level about how the cyber world is changing the world as we know it. It is clear that geography had an important impact on history in the past, but now a new dimension of power that is not so much determined by geography has arisen. Is the web the 21st century’s Mackinder’s pivotal area? It is certain that states and governments are trying to control more and more of what is happening there because they realize how key information is to ruling.
On the other side, democracy is threatened by those governments trying to acquire control over people’s data. We saw during the Arab Spring how technology and free speech can also unlock people’s power. We need solutions such as ProtonMail, and we need to invent new ways to create a sustainable democracy while giving power back to the people.
Today ProtonMail has found a way to operate that allows it to sustain itself by establishing the business in Switzerland. It is clear that the outcome would have been very different in other parts of the globe, as we’ve seen with Lavabit, a competitor of ProtonMail in the US, that decided to go bankrupt instead of providing the content of their servers to the government. So there will always be connections between the cyber and the real world, but some entry points are better than others.
Note: for more on the philosophical question of the right to privacy, see the Stanford Encyclopedia of Philosophy.