Posted by Hitler_Was_Right in Tech

1. Protonmail Behaves like a CIA/NSA “Honeypot”

Protonmail has an Onion domain that allows users to visit their site using the TOR browser. Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary. When a user makes a new account with Protonmail on TOR they are re-directed from Protonmail’s “.onion” to “.com” address. This breaks your secure encrypted connection to their onion address, enabling your identification. There are absolutely no technical reasons for this feature. In fact, the only other websites that operate like this are suspected NSA/CIA Honeypots.

This is a huge security issue that was either created because Protonmail is managed by Particle physicists who do not understand computer security OR they have been forced to operate their website in a similar way as CIA/NSA honeypots. Both possibilities are serious concerns.

2. Protonmail Does Not Provide “End to End Encryption”

Professor Nadim Kobeissi mathematically proved that Protonmail does not provide End to End Encryption. Meaning, Protonmail has the ability to decrypt their own users’ data. When this was shown to be true, Protonmail users were outraged they had been lied to. Protonmail was forced to issue a public statement. Their statement begins like you would expect it would... by shitting on the security researcher that revealed their dishonesty. Then they continued to say: “We lied to our users because other email companies did”. No apologies. They can decrypt any of their users’ data by sending them scripts that allow them to do so. However they advertise that they can not. Protonmail’s admission proves they offer the same security that Gmail offers. Both Gmail and Protonmail offer encryption that they can decrypt whenever they want.

3. Protonmail Was Created Under CIA/NSA Oversight

Gmail & Protonmail were both created in CIA/NSA funded departments with their oversight. Protonmail has tried to hide this part of their history. We wrote a whole article about it here.

4. Protonmail is Part Owned by CRV and the Swiss Government

After a successful crowdfunding campaign with promises to “remain independent” Protonmail sold equity ownership to CRV and FONGIT. At the time of the equity sale a CRV founder, Mr. Ted Ditersmith, was working for the US State Department closely with President Obama. His position as a delegate required close contact with CIA & NSA administration. Mr. Ted Ditersmith had also witnessed the Edward Snowden revelations and made statements that he planned to use his corporate knowledge to “fight terrorism”. FONGIT is a Non Profit organization that is financed by the Swiss Government. Protonmail staff member, Antonio Gambardella, also works for the Swiss Government.

5. CRV, In-Q-Tel & the CIA

The CIA openly operates a front company, In-Q-Tel, whose stated purpose is to invest in tech companies on behalf of the CIA. In-Q-Tel has stated they have a specific interest in the information contained in e-mails and encrypted communication. In-Q-Tel has been shown to be the bridge between the CIA and Gmail. An analysis of staff members reveals CRV & In-Q-Tel connections. The US media confirms these connections when they interview CRV so that they can understand In-Q-Tel. Additionally, The mastermind, cryptographer & back end developer that created Protonmail, Wei Sun, now works for Google.

6. Protonmail Follows CIA Email format & Metadata Requirements

Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires. Protonmail offers no protection for users’ metadata and has officially stated that they turn metadata over to Law Enforcement. Edward Snowden revealed that the US government cares least about the content of emails. Mr. Snowden revealed the US Law Enforcement cares most about who a person is talking to, the dates & times of the emails, and the subject of the email. Subject and metadata encryption are not difficult to provide. However, Protonmail refuses to offer any protection on data that is most valuable to the CIA & FBI and they store it as plain text (No encryption). Edward Snowden stated the NSA “isn’t able to compromise the encryption algorithms underlying these technologies. Instead, it circumvents or undermines them by forcing companies to cooperate in other ways.” Protonmail has refused to protect the information the NSA wants; this is a concern.

7. Swiss MLAT Law Could Give the NSA Full Access

Protonmail’s servers reside in Switzerland, a country with an MLAT treaty that could allow the NSA to continue its mission of recording “nearly everything” about a person’s internet communication. Any doubts the MLAT treaty applies are removed when you take into account that Protonmail is part-owned by FONGIT, a Swiss Government-financed company. Protonmail has also recently revised its Privacy Policy to include wording and requirements from the MLAT treaty. Their actions show they are capitulating to the MLAT treaty. Revisions include a change to their privacy policy allowing them to track your location while you use their service in some situations.

8. Protonmail Uses Radware for DNS/DDOS Protection

Privacy companies like Protonmail are required to use a DNS/DDOS service because of the frequent attacks against their service. Protonmail uses a company called Radware for this purpose. Radware is a low-quality service that has failed to provide adequate protection. Protonmail has been taken offline, sometimes by teenage kids, because they insist on using a sub-par service. It’s worth noting that Radware’s international office is a few miles away from the headquarters of the most powerful Intelligence agency on earth, the Israeli Mossad. Radware can gain complete access to all Protonmail users’ accounts in two ways. They could inject a few lines of code that would reveal all users’ login usernames and passwords, thus allowing them to log in as if they are that user. They could also be given users’ usernames & passwords by Protonmail. Remember Protonmail has admitted they can access all users’ accounts and decrypt their data. Additionally, it has been reported that Radware has direct connections to the Israeli Defense Force.

9. Protonmail Developers Do Not Use Protonmail

Protonmail’s developers are in a position to know the real security offered by Protonmail. And Protonmail’s developers do not use Protonmail. If you were served food by a cook who refused to eat the food, would that be a cause of concern to you? This is the same situation. Protonmail developers do not use Protonmail; there are likely good reasons for this.

10. Protonmail engages in illegal cyberwarfare

In 2017 Protonmail seems to have used illegal cyber warfare capabilities to unlawfully break into a suspect’s server. You can see the tweet they posted and read about it here. They soon deleted the tweet and said: “We cannot confirm nor deny if anything happened.” In 2013 the European Union parliament voted to make hacking a crime that carried a prison sentence of 2 years. “Hacking back” is also illegal under Swiss law. Based on Protonmail’s admissions only, they conducted an illegal hack.

11. Protonmail has a history of Dishonesty

From Protonmail’s creation, they lied to their users. Starting when they crowdfunded $550k to “remain Independent”, a promise they broke almost immediately by selling equity ownership to a US corporation with ties to President Obama and John Podesta.

In our opinion Protonmail is not an email solution you would use if you want privacy or security. Your emails are probably going to end up in a US data center right next to your Gmail emails.

Privacy Watchdog

5
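The onion-to-clearnet redirect the post describes is something a client-side check can catch: once a redirect hop lands on a clearnet host, the user no longer gets the onion service's own protection and is talking to the public site through an exit relay instead. The following is an added example, not code from the post or from any mail provider. It walks a constructed redirect chain offline (placeholder hostnames; `find_onion_leak`, `redirect_target` and `is_onion_host` are assumed names) and reports the first hop that leaves a .onion origin, resolving relative `Location` values the way a browser would.

```python
"""Flag HTTP redirects that leave a .onion origin.

Added example, not code from the original post or from any provider. It
works on a constructed list of (request URL, status, Location header)
hops, so it runs offline; feeding it real responses is up to the reader.
"""
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

ONION_SUFFIX = ".onion"

Hop = Tuple[str, int, Optional[str]]  # (request_url, status, Location header or None)


def is_onion_host(host: str) -> bool:
    """True when the host is a Tor onion-service address."""
    return host.lower().rstrip(".").endswith(ONION_SUFFIX)


def redirect_target(request_url: str, status: int, location: Optional[str]) -> Optional[str]:
    """Return the absolute URL a response redirects to, or None if it does not redirect.

    Relative Location values are resolved against the request URL, as a browser does.
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return None
    return urljoin(request_url, location)


def find_onion_leak(hops: List[Hop]) -> Optional[Tuple[str, str]]:
    """Walk a redirect chain and return the first hop that leaves a .onion origin.

    `hops` lists the responses in the order the client saw them. Returns
    (from_url, to_url) for the leaking hop, or None when every redirect stays on
    an onion host (or the chain never involved one).
    """
    for request_url, status, location in hops:
        target = redirect_target(request_url, status, location)
        if target is None:
            continue
        src_host = urlsplit(request_url).hostname or ""
        dst_host = urlsplit(target).hostname or ""
        if is_onion_host(src_host) and not is_onion_host(dst_host):
            return request_url, target
    return None


# Constructed sample chains with placeholder hostnames (not real services).
SAFE_CHAIN: List[Hop] = [
    ("http://exampleonionaddressxxxxxxxxxx.onion/signup", 302, "/signup/step2"),
    ("http://exampleonionaddressxxxxxxxxxx.onion/signup/step2", 200, None),
]

LEAKY_CHAIN: List[Hop] = [
    ("http://exampleonionaddressxxxxxxxxxx.onion/signup", 302, "/signup/step2"),
    ("http://exampleonionaddressxxxxxxxxxx.onion/signup/step2", 302, "https://example.com/signup"),
    ("https://example.com/signup", 200, None),
]

if __name__ == "__main__":
    for name, chain in (("safe", SAFE_CHAIN), ("leaky", LEAKY_CHAIN)):
        leak = find_onion_leak(chain)
        if leak is None:
            print(f"{name}: all redirects stay on the onion origin")
        else:
            print(f"{name}: leaves onion origin at {leak[0]} -> {leak[1]}")
```

The check only looks at where each redirect points, so it is equally useful for auditing your own onion service: a single hop to a clearnet host anywhere in the chain, including a scheme-relative `//host/path` Location, is enough to trip it.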

Comments


Hitler_Was_Right OP wrote

Protonmail’s False Claim List

Lie: “Protonmail obeys the law”

In 2017 Protonmail seems to have used illegal cyber warfare capabilities to unlawfully break into a suspected phishing server. You can see the tweet and read about it here. They soon deleted the tweet and said: “We cannot confirm nor deny if anything happened.” In 2013 the European Union parliament voted to make hacking a crime that carried a prison sentence of 2 years. “Hacking back” is also illegal under Swiss law.

Lie: Protonmail offers “Zero Access” or “End to End Encryption”

A professor who teaches computer science and cryptography Nadim Kobeissi proved that Protonmail does not provide End to End Encryption. Protonmail has since publicly acknowledged that they can decrypt anyone’s encrypted content by obtaining their password/passphrase.

Lie: Protonmail protects free speech

Protonmail has stated on Reddit that they are “controlled by the politics of the community that dominates the ProtonMail userbase”. So if a majority of their users wanted to ban an innocent minority group, Protonmail has stated they would “yield to community pressure” and ban all those users from their platform even if their terms of service are not broken. So Protonmail protects free speech as long as it agrees with the majority of their users. Protonmail is not safe for any minority group including Jews, activists or missionaries. If Protonmail has a majority group ask them to ban a minority group of users then Protonmail has stated explicitly that they will do it even if no terms of service are broken. Read Protonmail’s statements here.

Lie: “Protonmail is open source code.”

Their front end code is open source. Their back end code and mobile code is kept private. This can be confirmed by reviewing their open-source code here.

Lie: “By default, we do not keep any IP logs”

Protonmail’s Privacy Policy States: “This includes, the sender & receivers, the IP addresses were emails originated from, message subject, messages sent & received times, storage space, total emails and login times.” Protonmail is also legally required to store all users data for 6 months in Switzerland.

Lie: ProtonMail does not require any personally identifiable information to register.

If a user tries to sign up without personal information, via VPN or TOR, they detect it and require a “donation” with a credit/debit card or a confirmation with your personal phone.

Lie: “When a ProtonMail account is closed, data and emails are immediately deleted from production servers”

By Swiss law, Protonmail is required to record all data for 6 months. When a user deletes an email, the email and all meta-data must legally be retained for 6 months.

Protonmail Claims to be “Independently Audited”.

There is only 1 company listed as conducting an Audit of Protonmail, Cyberkov.com. Cyberkov’s website says it’s connected to Harvard, MIT & CERN. And their team is full of Harvard and MIT grads, exactly like Protonmail. So Protonmail’s audit was probably done by Protonmail’s college friends or colleagues. Protonmail also shows a list of people who’ve audited their code, but anyone can email Protonmail to add their name to the list. Years later Professor Kobeissi did a real independent audit and proved Protonmail doesn’t provide “end to end encryption”.

Privacy Watchdog

https://privacy-watchdog.io/protonmails-false-claims/

3

Rambler wrote

The question is, then, who do you trust for secure email? Is email, by design, inherently 'bad' or 'flawed'?

What options does your average Joe have, outside of setting up his own mail server and expecting his contacts to use PGP Encryption, which may or may not be crackable by the big agencies?

3

GadgeteerZA wrote

Exactly the same question I was thinking, and looking forward to the answer. I know of Tutanota but what's the point of doing a massive mail migration, only to find that Tutanota is worse than ProtonMail.

You can use your own OpenPGP key with Gmail (then Google cannot see the content) but 99% of your contacts receiving it (inc businesses etc), are clueless how to decrypt it.

1

BlueHat wrote (edited)

Very controversial article. It was posted multiple times on reddit where it got heavily criticized. Here are some threads I found, ranked from most discussed to least.

(42 comments) https://old.reddit.com/r/privacy/comments/he87m5/the_truth_about_protonmail/

(19 comments) https://old.reddit.com/r/PrivacySecurityOSINT/comments/ol7gth/anyone_here_able_to_evaluate_the_truthfulness_of/

(17 comments) https://old.reddit.com/r/LinuxCafe/comments/hetbh8/the_truth_about_protonmail/

(3 comments) https://old.reddit.com/r/AntiMSM/comments/l8tsdr/protonmail_is_cia/

It was also submitted to HN but didn't gain much attention.

Related discussion on raddle, which was apparently forked from this 4chan thread

3

GadgeteerZA wrote

Yes it is interesting... What I really detest though are people who speculate something controversial without any actual evidence. Dots often are connected where there is actually no thread. Of course ANYTHING (literally) is possible, but I like to see why exactly and what was found. What some present as "evidence" is too flimsy.

Take just providing information to the Swiss authorities - of course any legal organisation will have to state that, but they require formal warrants, and they can only provide what they have. It does not mean they can actually decrypt the contents of your mail and provide it. Which is why many organisations prefer to have as little access as possible, and not be able to decrypt information. Outside of the USA, Russia, and China, most countries legally do not allow fishing expeditions by the authorities to just see what they can find; there has to be something of legal substance against an identified individual.

I look rather at examples like Facebook's Cambridge Analytica - broadly reported with the evidence found to actual events and outcomes. That was one of the events that made me leave Facebook altogether. WhatsApp's terms and conditions stated they would share my metadata with Facebook as well as their 3rd party partners - I left WhatsApp.

I'm certainly going to keep an eye open for anything that does develop around ProtonMail though, and see if anything in that report actually gains traction.

3

Strangeways wrote (edited)

Very illuminating. Great research. Time to leave ProtonMail I think. The immediate alternatives aren't that great.

Tutanota: I've had massive problems with them in the past. I've actually lost accounts there because of their so called 2FA security. The Belgian company Mailfence appears to be security-oriented but it comes at a small nominal cost. What about Rise Up? That is, if you can get an account there.

2