After 350,000+ Beta Sign-Ups, ProtonMail Takes $2M To Scale Its Encrypted Email

Swiss based encrypted email provider ProtonMail, which we covered last summer during a crowdfunding campaign where it was promising a “zero access architecture” fit for our post-Snowden paranoia, has taken in its first tranche of VC funding — announcing a $2 million round from Charles Rivers Ventures and Swiss not-for-profit incubator FONGIT.

This bulks up the $550,000 it garnered last year from around 10,000 backers of the crowdfunding campaign. Co-founder Andy Yen describes the new raise — its first “outside money round”, as he puts it — as the equivalent of seed funding for the startup. It’s taking VC cheque at this point after “explosive” demand for the beta of its encrypted email product, noting it’s had more than 350,000 sign ups thus far. The beta launch was in May 2014.

It will be using the new funds to scale its infrastructure to meet demand, as well as developing new features for the product. It’s also moving into new offices in Geneva, and will be expanding its datacenters in Switzerland. It talks up its Swiss location as a USP for the product — thanks to the protection of “strict Swiss privacy laws”.

It’s not the only pro-privacy company choosing to settle in Switzerland, either. SGP Technologies, the company behind the Android hardened Blackphone smartphone — which is now wholly owned by secure comms provider Silent Circle — has made its HQ in Switzerland too, also citing the favorable legal regime.

That said, just this week politicians in the Swiss National Council, its lower house, voted to expand the data capture powers of its own intelligence services (the NDB). The Senate, its second chamber, has yet to vote. Among other powers, the new law would allow the NDB to tap phones, computers and networks — sub-optimal if you’re a startup trying to sell your pro-privacy services.

Albeit, in ProtonMail’s case, it can argue that because encryption happens on the client device it has no access to user data so cannot be compelled to hand over unencrypted data to government intelligence agencies. This end-to-end encryption sets its service apart from rivals like StartMail and HushMail, says Yen. A more similar service is Germany’s Tutanota, which will be heading out of beta early next week.

“Tutanota is also doing end-to-end encryption, but there are still a couple key differentiators,” says Yen, discussing how ProtonMail stacks up against Tutanota. “The most important to me is our cryptographic libraries. We use (and actively contribute to) the OpenPGPjs library which is open source, has been extensively audited, and has a large community of developers. This means our encryption is also fully compliant with the OpenPGP standard.

“When it comes to security software, being standards compliant is very important, for example, our users can decrypt ProtonMail messages using third party OpenPGP tools if they don’t want to trust our code. Tutanota has written their own library which is not OpenPGP compliant and is not actively reviewed by the community.”

Another difference he flags up is the way ProtonMail hosts its data. It’s not cloud hosted, but rather runs its own infrastructure out of two Switzerland-based datacenters.

“We control the server hardware and the network. We’re able to do this due to our team’s extensive large scale compute experience from building large hadron collider infrastructure at CERN,” adds Yen.

“As we saw from the NSA leaks, a lot of illicit interception happens at the network level so having control over the network is important,” he continues. “Our Swiss domicile helps with this as it places our infrastructure under very strict Swiss data protection laws which means all data requests must go through the court system and there is an obligation to notify the target of surveillance.”

However, as noted above, if Swiss laws are changing to afford homegrown spooks legal powers to tap computer networks directly then a portion of ProtonMail’s privacy USP — that court system check and balance which Yen mentions — is going to be eroded. And boasts about ‘Swiss grade privacy’ might carry a little less sheen.

Update: Yen has responded to a request for comment on the proposed law change, telling TechCrunch that ProtonMail intends to garner public support for a referendum on the issue — which he believes will be able to sway the legislation.

First, it is worth mentioning that if we look at the Euro-zone in general, the proposed legislation is not unusual and most countries have adopted similar legislation already. The fact that the Swiss intelligence services is barred from operating within Switzerland is really an anomaly.
Switzerland has an unique system of direct democracy. This means, tech companies in Switzerland, and even private citizens, have the ability to directly influence government policy. We haven’t publicly announced this yet, but ProtonMail, along with several other tech companies in Switzerland, are combining forces to take the issue to the polls this fall by collecting 50’000 signatures and forcing a public referendum. We are not the only group organizing such an effort in Switzerland. Given the public sentiment in Switzerland strongly in favor of privacy, we expect to prevail at the polls.