UPDATE April 3, 2020: The information in this article is outdated. As of last year, we no longer have any contract with Radware.
Proton Mail is one of the only email providers that provides comprehensive DDoS protection. In order to provide this protection, we have partnered with Radware, one of the leaders in DDoS protection. Recently, malicious rumors have surfaced that our partnership with Radware means Israel has compromised Proton Mail email privacy (since Radware’s international headquarters is in Israel). These rumors have mostly been spread by conspiracy theorists who don’t understand Proton Mail’s technology at all.
These rumors are categorically false and stem from a fundamental misunderstanding of how Proton Mail’s DDoS protection works. Proton Mail protects against DDoS attacks by using BGP redirection and GRE tunnels. This means that Radware only handles incoming traffic, and all incoming traffic is encrypted. Both encryption layers (SSL and Proton Mail’s OpenPGPjs) are intact in this solution. That’s why we picked BGP redirection instead of less expensive DNS-based DDoS protection systems like Cloudflare. In other words, Radware only sees encrypted packets and nothing else. Furthermore, we only send traffic to Radware when Proton Mail is under DDoS attack. During normal conditions, traffic is routed normally through Zurich and Radware doesn’t even see encrypted Proton Mail network traffic.
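What a packet forwarded over a GRE tunnel exposes to a device on the path, as an added example that is not from the original article: a Python parser run over a constructed packet (documentation-range addresses, made-up payload bytes) that returns the fields readable without the TLS session keys. It assumes GRE version 0 carrying IPv4/TCP with a TLS record at the start of the segment; the function names are hypothetical.

```python
import struct

GRE_IPV4 = 0x0800
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def build_sample_packet():
    """Constructed sample: GRE + IPv4 + TCP + one TLS application_data record."""
    body = bytes(range(32))                       # stand-in for ciphertext
    tls = struct.pack("!BHH", 23, 0x0303, len(body)) + body
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(tls), 0, 0,
                     64, 6, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return struct.pack("!HH", 0, GRE_IPV4) + ip + tcp + tls

def visible_fields(pkt):
    """Return what an on-path device can read without the TLS session keys."""
    flags_ver, proto = struct.unpack_from("!HH", pkt, 0)
    if flags_ver & 0x0007 or proto != GRE_IPV4:
        raise ValueError("expected GRE version 0 carrying IPv4")
    # Optional checksum (C), key (K) and sequence (S) fields are 4 bytes each.
    ip_off = 4 + 4 * sum(bool(flags_ver & bit) for bit in (0x8000, 0x2000, 0x1000))
    if pkt[ip_off] >> 4 != 4 or pkt[ip_off + 9] != 6:
        raise ValueError("expected inner IPv4 carrying TCP")
    tcp_off = ip_off + (pkt[ip_off] & 0x0F) * 4   # skip IPv4 header (IHL words)
    sport, dport = struct.unpack_from("!HH", pkt, tcp_off)
    tls_off = tcp_off + (pkt[tcp_off + 12] >> 4) * 4  # skip TCP header
    ctype, version, length = struct.unpack_from("!BHH", pkt, tls_off)
    if ctype not in TLS_TYPES or len(pkt) - tls_off - 5 < length:
        raise ValueError("no complete TLS record at start of segment")
    return {
        "src": ".".join(map(str, pkt[ip_off + 12:ip_off + 16])),
        "dst": ".".join(map(str, pkt[ip_off + 16:ip_off + 20])),
        "sport": sport, "dport": dport,
        "tls_record": TLS_TYPES[ctype],
        "tls_record_version": version,
        "opaque_bytes": length,   # record body: ciphertext, not parsed further
    }

if __name__ == "__main__":
    for name, value in visible_fields(build_sample_packet()).items():
        print(f"{name:20} {value}")
```

The readable fields are addressing, ports and the TLS record header; the record body is reported only as a byte count because nothing in it can be interpreted without the session keys.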
The statement that Proton Mail traffic is proxied through Israel is also false. When traffic is redirected during a DDoS attack, Proton Mail traffic goes through DE-CIX in Frankfurt, Germany. This can be seen by doing an IP lookup of the last hop of the traceroute. The IP address is at DE-CIX, so traffic passes through Frankfurt (subject to German data privacy laws) and NOT Israel. However, as discussed above, even IF the traffic did pass through Israel, the DDoS protection technology we have selected means there would be no compromise to Proton Mail email privacy.
We take privacy seriously at Proton Mail, which is why we carefully designed and implemented a DDoS protection scheme that would not lead to ANY weakening of privacy. The solution we have implemented protects privacy on a technical level, so that no DDoS protection company, regardless of where they are based, can compromise our email privacy. Thus, Proton Mail offers the best of both worlds: comprehensive DDoS protection without sacrificing privacy.
On a related note, we have also had people ask us about Proton Mail’s official position regarding the ongoing Palestinian-Israeli conflict and whether working with an Israeli company means we are taking sides in this conflict. The answer is NO. As a Swiss company, we adhere to a policy of strict neutrality. The only position we take is that security and privacy are fundamental human rights which should be guaranteed for all.
When picking companies to partner with, we only consider two criteria:
- Does the proposed solution meet our technical requirements regarding security and privacy?
- Does the proposed solution meet our budget constraints, given that Proton Mail is largely supported by donations?
When viewed entirely objectively, Radware satisfies both conditions, which is why we entered a partnership with them. While many conspiracy theorists have criticized our partnership with an Israeli company, many of these same people miss the fact that we also partner with Cyberkov, a company from Kuwait that is very active in helping Palestinian dissidents (https://cyberkov.com/partners-references/). This is in fact a long-running partnership dating back to June 2014, which well pre-dates partnering with Radware.
In fact, it is due to this partnership that Proton Mail was wrongly attacked by the US media as being used by ISIS. Thus, the inference that we don’t support Palestinian activists is not only entirely false, it ignores the large risks we continue to take to support that community with Cyberkov. We believe that selectively boycotting companies solely based on nationality and government policies that companies cannot control is not only incorrect, but counter to the principles which Proton Mail is based upon. For this reason, we remain fully committed to maintaining our neutrality and protecting privacy rights for all groups.