Proton
Subscribe by RSS

A brief intro to Proton Mail’s design philosophy

Andy Yen

Share this page

A couple days ago, one of the first reviews of Proton Mail showed up on the web, the review I’m referring to can be found here:

http://www.hacker10.com/other-computing/review-encrypted-email-service-protonmail-ch/(new window)

We were actually a bit surprised to see this since Proton Mail is still in a very limited beta. At the moment, Proton Mail accounts are still relatively exclusive since we haven’t fully opened up a public beta yet.

Anyways, returning to the review, we found it to be fair but at the same time a bit troubling because a number of the characteristics of Proton Mail we were faulted for were actually things we had intentionally built in. It was almost as if the reviewer had missed the point of Proton Mail.

Upon reflection, this is not the fault of the reviewer, it seems we have never fully explained the design philosophy behind Proton Mail. So briefly below, I will lay out our main objectives while responding to some criticism made by our very first reviewer.

1. Make encryption easy to use.

In truth, there is not a whole lot that Proton Mail does that is not already accomplished by PGP, at least from a security standpoint. But, to quote what Bruce Schneier(new window) said to us when he visited MIT, “all PGP has demonstrated is that even one click is too much”.

Basically, security is not useful if it is not easy enough for mass adoption. It is simply difficult to convince people to adopt a higher standard of security if it forces them to do more work. So from day one, the principle guiding our architecture was that the end product cannot be more complex than Gmail.

And in the end, I think we have accomplished that. Encryption in Proton Mail is end-to-end, like PGP, but at the same time, completely invisible to both recipient and sender. What we gave up to accomplish that however, and what the reviewer faulted us for, is compatibility with PGP. In effect, we cannot easily abstract away the complexity of a system like PGP while maintaining backwards compatibility with it.

The keyword in the above sentence actually is ‘easily’. It is actually possible in our architecture to support PGP, but in the end, we decided this was less of a priority because our end goal is a more secure internet. The current users of PGP already benefit from end-to-end encryption and don’t need our help. What we really want to provide is privacy for the much larger segment of the population that isn’t sophisticated enough to use PGP.

2. Trust the user not to be stupid.

Our reviewer pointed out that we don’t have a password length requirement, and we don’t have an auto logout. I think it is common knowledge nowadays that you using a password like ‘1234’ or ‘1111’ is NOT a good idea. But it is also NOT a good idea to force a user to use a password like ‘yYbkza#NGMeAW_kE21fxeQbB’. At that point, a user would simply find Proton Mail too much of a hassle to use. What we try to do is take the middle road. When you go to set your password when creating your Proton Mail account, we will tell you whether your password is strong or weak, and then let the user make the final decision. Our philosophy here is simple, we trust that our users are not stupid, but we’re not going to turn you away either if you are stupid.

As for the auto logout….early Alpha builds of Proton Mail had a 10 minute auto logout. As somebody who was using it day in and day out for all of my email communications, you should trust me when I say a 10 minute logout is incredibly annoying and does NOT enhance the product.

3. Give the user control

The reviewer pointed out that encrypted messages to outside users do not instantly destruct. This again, is intentional. Instead of instant destruction, we give the sender control over when they want the message to destruct (or if they want it to destruct at all). So you can fine tune the time for each email. Right now, the minimum is 1 hour from the time the message is sent, but in the future, we will also be adding the option for instant destruction once the message is read.

And, one final loose end…

The reviewer pointed out that we are not audited by third parties. Actually, we have been audited by the computer security staff at CERN (European Center for Nuclear Research), that’s actually where half of our developers work. But better yet, you can audit Proton Mail yourself. Our front-end JavaScript encryption/decryption codes are sent to browsers uncompressed, a simple view source and you can see our source code!

We look forward to continuing to improve Proton Mail so don’t hesitate to send us comments or suggestions!

Protect your privacy with Proton
Create a free account

Related articles

How to delete all photos from Google Photos
Using Google Photos to store and share your pictures means allowing the company to see, analyze, and process them. Many people concerned about their privacy have taken steps to move away from the Google ecosystem, despite the company’s efforts to hid
Proton Wallet
  • Product updates
  • Proton news
  • Proton Wallet
Introducing Proton Wallet – a safer way to hold Bitcoin
WHAT IS PROTON WALLET? Our long-term vision is for Proton Wallet to be a digital wallet that gives you full control of your digital assets. While the type of assets that you can hold in Proton Wallet may evolve over time as we add more capabilities
  • Privacy guides
What is Bitcoin?
Bitcoin is an innovative payment network that leverages peer-to-peer transactions to remove the need for a central bank. Bitcoin has revolutionized the core principles of value exchange by showing that a network of fully independent nodes can operate
Proton Wallet is a digital asset wallet that currently supports self-custody on-chain Bitcoin. In this article, we review the key features and security architecture that make Proton Wallet a private and secure wallet that is as easy to use as email.
proton scribe
Most of us send emails every day. Finding the right words and tone, however, can take up a lot of time. Today we’re introducing Proton Scribe, a smart, privacy-first writing assistant built right into Proton Mail that helps you compose and improve yo
People and companies are generally subject to the laws of the country and city where they are located, and those laws can change when they move to a new place. However, the situation becomes more complicated when considering data, which can be subjec