Email has been around for literally decades. But security and privacy were not included in the original design. There are several solutions to this oversight, but one stands out for me. I firmly believe you should try Proton.
Privacy Not Included
Email as we know it today was first developed in the 1990s, using open standards like SMTP and POP3. But security and privacy were not included. For this reason, emails – to this day – are much more like postcards than letters. While our computer connections that transport our emails are almost universally encrypted today, the email missives themselves are not. At a bare minimum, that means that your email service provider can read them. And if you’re sending an email from, say, a Yahoo email account to someone with a Gmail account, that means both email providers have full access to the conversation.
Phil Zimmermann developed Pretty Good Privacy (PGP) in the early 1990s to address this problem. But even Phil has admitted that he doesn’t use PGP anymore and prefers messaging apps like Signal for secure communications. Email is going to be with us for quite a while, and there are still situations where it feels more natural than a messaging app. For example, email lets us organize conversations by topic; messages in chat apps today are usually organized only by the participants involved. But while PGP is still quite secure, it’s just not easy to use. Thankfully, we have some newer options that are dead simple.
Private & Secure by Default
Again, the protocols underlying email were not designed to be secure and private. While we’ve tried to bolt on security after the fact, it hasn’t really worked out. What you really want is security and privacy by design. It should be built in from the get-go. And it should be enabled by default.
So, which modern email services are the most secure? That’s a bit of a loaded question. As I’ve said, most email service providers today use encrypted connections to transmit your email (‘data in motion’) as well as encrypted data storage for the messages that reside on their servers (‘data at rest’). But they hold the encryption keys, not you. Google and Microsoft can still read your emails and they are therefore open to hacking, subpoenas or even rogue employees. What you need is end-to-end encryption (E2EE), where only the sender and recipient can read the contents of the communication.
There have been several companies that have created email systems with true end-to-end encryption, including Tutanota, Mailbox.org, StartMail, Skiff, and Proton Mail. Many offer a free tier or at least a free trial, so you can test them out and see which you like better. But I’ve tried all of these and my favorite is Proton Mail.
In the spirit of full disclosure, I’ve interviewed Andy Yen, CEO and founder of Proton, several times. And I have not interviewed anyone from the other companies (okay, I did interview someone from StartPage, but not about StartMail). Andy even wrote the blurb on the back cover of my book. But I’m not here to say that those other services are bad. I’m also not saying Proton Mail is perfect – it’s not. I’m here to explain why I prefer Proton Mail to all the others:
- Proton Mail has a modern, pleasant, easy-to-use interface. I’ve been a Proton Mail user since March of 2016, when it first came out of beta. The interface has improved greatly over the years, to the point where I believe it’s just as refined as Gmail, Outlook or other modern web apps.
- Proton Mail can be used on all major platforms. It has iOS and Android apps, works in all major browsers, and lets you use Mac and Windows mail clients like Apple Mail and Outlook via Proton Mail Bridge.
- Proton Mail is open source, which allows third parties to vet their code.
- Proton Mail uses OpenPGP and other top-notch encryption protocols which have been audited extensively and are battle-tested.
- Proton Mail allows you to use end-to-end encryption with non-Proton email users, including PGP.
- Proton offers simple tools to help you switch from your current email provider to Proton, including importing old emails.
- Proton employees and data are located in Switzerland, which has strong privacy laws.
- One downside of supporting OpenPGP is that it does not encrypt email subjects end-to-end: the Subject line is a message header, not part of the encrypted body, so be aware of that.
- Using Proton Mail with a regular email client like Apple Mail or Outlook will require a paid Proton tier. But of course, you can just use the web client in your browser, which I personally prefer.
- Using end-to-end encryption with non-Proton users requires jumping through some hoops.
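To make the "postcard" point and the subject-line caveat concrete, here is an added example (not code from the original post, Proton, or any of the services named) that builds an RFC 3156 PGP/MIME message with Python's standard library and then reads it back the way a relaying or storing mail server could. The ciphertext is a constructed placeholder, not real OpenPGP output, because the point is the envelope: the body part is opaque, while Subject, From and To are ordinary cleartext headers.

```python
"""What a mail server still sees in a PGP/MIME message.

Added example, not code from the original post or from Proton. It uses
only the Python standard library to build an RFC 3156 multipart/encrypted
message. The ciphertext is a CONSTRUCTED placeholder rather than real
OpenPGP output: the point is the envelope, not the cipher. OpenPGP
protects the body part; Subject, From and To are sent as cleartext.
"""
from email import encoders, message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed stand-in for the armored output of an OpenPGP encryption.
FAKE_CIPHERTEXT = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "PLACEHOLDER-CIPHERTEXT-NOT-REAL\n"
    "-----END PGP MESSAGE-----\n"
)


def build_pgp_mime(sender: str, recipient: str, subject: str, ciphertext: str) -> bytes:
    """Assemble the two-part multipart/encrypted structure from RFC 3156."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = subject  # a header, so it sits outside the encrypted payload
    # Part 1: version control information; part 2: the OpenPGP ciphertext.
    outer.attach(MIMEApplication("Version: 1\n", "pgp-encrypted",
                                 _encoder=encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream",
                                 _encoder=encoders.encode_7or8bit))
    return outer.as_bytes()


def provider_view(raw: bytes) -> dict:
    """Parse the message the way a relaying or storing server could."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.iter_parts())
    body = parts[1].get_payload(decode=True).decode("ascii", "replace")
    return {
        "content_type": msg.get_content_type(),
        "protocol": msg.get_param("protocol"),
        "headers": {k: str(msg[k]) for k in ("From", "To", "Subject")},
        "part_types": [p.get_content_type() for p in parts],
        "body_is_opaque": body.startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    raw = build_pgp_mime("alice@example.com", "bob@example.com",
                         "Re: salary negotiation", FAKE_CIPHERTEXT)
    for key, value in provider_view(raw).items():
        print(f"{key}: {value}")
```

Running it shows the whole conversation context (who, to whom, about what) readable in the headers, with only the body hidden; this is exactly the gap the OpenPGP subject-line caveat above refers to.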
But Wait, There’s More
There are actually a lot of other reasons I like Proton Mail. One of the most compelling is that Proton also offers several other secure and private services. When you’re competing against Google, Apple and Microsoft, you really need to have a complete suite of productivity apps. To Proton’s great credit, they realized this and have developed a secure online calendar, cloud storage, virtual private network (VPN), password manager and will soon be rolling out online photo backup. Andy has told me that they’re working on a ‘docs’ online collaboration suite, as well. Finally, they recently merged with SimpleLogin, which offers easy-peasy email aliases. And they are even available (though limited) with the free tier. Again, these services aren’t perfect – but they cover most needs very well and they’re getting better all the time.
Give Proton a Try
We need to support companies like Proton who are trying to build secure products and protect our privacy. To do this, we need to use their products, spread the word to others and, where possible, support them financially (that is, subscribe to paid versions of their services). I would love a secure and workable alternative to Google’s suite of tools. Google makes a lot of products, so it’s not really possible to find a single company that can replace all of them. (By the way, Google also routinely abandons many of its products, which should give you another reason to find alternatives.) But in my view, Proton has done the best job at this and (like Signal) it’s an easy-button recommendation for anyone and everyone.
Proton has a very usable free version, so it’s easy to try with no commitment. If you want, you can get a free trial of their paid tier using my referral link. They’ll give me a kickback for this if you eventually subscribe, but that’s not why I’m doing it. I generally avoid affiliate-type stuff so there’s no conflict of interest, but referrals benefit both parties and I think it’s currently the only way to get a free trial of the paid tier. (If you do subscribe, you should use your own referral link with friends and family.) Note that Proton also has a Family Plan, which costs about 2.5X as much as the Ultimate plan but covers up to six people.
So… give it a shot. You have nothing to lose and a lot to gain. And better yet, you can support the cause and help to manifest a future with more and better privacy-respecting services.
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.