Proton Mail – a good secure email option?
Proton Mail is a secure email service run from Switzerland. How does it compare with standard email using Microsoft Outlook for Windows?
Proton Mail is an option to consider if you’re looking for secure email messaging but it’s not as easy to use as some instant messaging services available. Proton Mail is OK but nothing special technically. Their service is entirely open source, which is a very good thing.
For many years, there’s been a standard way to encrypt emails. There are variations in terms of the exact type and complexity of the encryption but the fundamentals are the same. To encrypt an email you need two things from the receiver. Their email address (obviously) and their public key. The encrypted email uses the receivers public key to scramble the message. Only the receiver (who has the vital ‘private’ key) can unscramble the email to read it. To anyone else, the email looks unreadable text with a small attachment.
Any email account (Fastmail, Gmail, Outlook.com etc) can store encrypted mail but has to be connected to an email program, like Outlook for Windows, which supports encrypting/decrypting messages.
Only a few email programs support encryption, including MS Outlook for Windows (not the Outlook apps or Outlook.com). The implementation is very clumsy and difficult to use. That’s deliberate because Microsoft would prefer to push customers to proprietary alternatives rather than streamline standard email encryption.
Web Based Secure Email
Proton Mail integrates secure email into a primarily web based email service. Messages are encrypted when stored on Proton Mail’s servers and only unscrambled on your browser.
There are a free and paid options available. Free Proton Mail comes with 500MB of mail storage The Paid service starts with 5GB of storage, custom email domain and other features for € 5.00 /mo or € 48.00 /yr.
Common email connection options like POP and IMAP are NOT supported by Proton Mail. That means you can’t link a Proton Mail account to Outlook or other email clients.
Proton Mail does have Apple and Android apps in beta test, but the beta testing has been going on for some time.
Ideally, all the people you want to exchange secure messages will have Proton Mail accounts. Then you can exchange encrypted messages which move through Proton’s own servers.
Secure messages to ‘outsiders’
Secure messages to non-Proton Mail users is also possible. These receivers get a link to view the email in their browser, but only if they enter a separate password (which you give them some other way, SMS, phone, IM etc).
These ‘external’ users can reply securely from their browser.
It’s possible to send your public key to non-Proton users (so they can encrypt emails to you) but it’s surprisingly clumsy. Surprisingly, Proton Mail doesn’t do that. You have to download the key file and manually attach it to emails. Outlook for Windows can be setup to send your public key with every outgoing message.
Proton also supports message ‘expiry’ ensuring that a message is deleted automatically after a set period of time (hours, days). That protects against intrusion onto the device at a later time; a past message can’t be viewed if it’s been properly deleted automatically.
Outlook has message expiry but the deletion of expired messages isn’t secure or complete (deleted messages in Outlook can still be recovered).
While the messages are encrypted there are other indicators of the messages. Just like a phone ‘call log’ from a phone company, email leaves a trail as it’s sent from sender to receiver. At least two servers will have a record that an email was sent between the email addresses. The content of the email isn’t known but the details of when, where and size are available to others. While Proton Mail (based in Switzerland) may be safe from legal government intrusion, that doesn’t apply emails sent outside their system.
‘Horses for Courses’
Proton Mail is certainly a viable option. A lot depends on what the encryption is protecting against. Accidental or casual ‘peeking’, corporate espionage or tracking a whistleblower, fear of police or government investigation? To put another way, the level and nature of your paranoia <g>.
Also the technical ability of the users and ease of use. No point in having a secure system which is so clumsy that people can’t be bothered to use it.
Another factor, not always considered, is the ability to send file attachments. An understandable focus here at Office-Watch.com because many of our readers want to exchange Office documents securely.
These days there are other secure messaging options that might be more appropriate and be less traceable than encrypted email, including Proton Mail.
WhatsApp has ‘end-to-end encryption’ but saves logs of who sends/receives those messages, the time, location etc.
Signal is a similar app (WhatsApp licences their encrpytion from Signal) and Signal doesn’t have logs of the individual messages.
However, WhatsApp supports attachments like PDF and Office documents. Signal doesn’t.
Signal has expiring (called Disappearing) messages, WhatsApp does not.
We’d prefer to use Signal for secure messaging but the lack of document attachments is a ‘deal breaker.
For regular use, WhatsApp is far and away the most popular service out there. Most people use it is reasonably secure and has the necessary features including document attachments.