ProtonMail’s encrypted email service exits beta, adds iOS, Android apps

As Apple continues to battle the US Government’s desire to work around the security of its mobile operating system, European encrypted email startup, ProtonMail, is choosing the latest skirmish in the crypto wars to launch its end-to-end encrypted email service out of beta — switching from invite-only to public sign ups today.

It’s also launching its first native iOS and Android apps. Previously the free encrypted email client has been accessible via a web interface.

“The best way to ensure that encryption and privacy rights are not encroached upon is to get the tools into the hands of the public as soon as possible and widely distributing them,” says founder Andy Yen, in a blog post announcing the public launch. “This way, we put the choice in the hands of the consumer, and not government regulators.”

Yen describes Apple’s stance in the FBI case as admirable, but believes Apple is doomed to lose the case — although he remains upbeat about privacy rights prevailing over the long run, as indeed he must given the nature of the startup he’s running.

“If one of the world’s largest tech companies is willing to publicly stand on the side of privacy rights, it means this entire space has gained a powerful ally in the inevitable future clashes with the US government, and this makes us less worried for the future,” Yen tells TechCrunch.

“Unfortunately, I think Apple is destined to lose this case, as the FBI has cleverly selected a case where popular opinion will be strongly against Apple. However, even if the case is lost, I think the new crypto-war will ultimately be won. If companies like Apple with millions of consumer users are standing on the side of privacy, then privacy will likely prevail in the long run.”

Switzerland-based ProtonMail fired up its business back in mid 2014, inspired by the fallout from NSA whistleblower Edward Snowden’s 2013 discloses of government mass surveillance programs. It went on to crowdfund half a million dollars to build a “zero access architecture” web-based email system. Idea being the company could never be put in the position of being forced to hand over encryption keys if it did not hold them in the first place.

Albeit, that position is looking rather more precarious now, if lawmakers are going to legislate that companies be required to go so far as be forced to rewrite their code to workaround their own security features — aka ‘hello backdoors’. (Or at least, lawmakers in certain jurisdictions… )

In ProtonMail’s case, the company has open sourced its web interface to bolster trust in its end-to-end encryption. The new mobile apps will also be open source in time. “We won’t do it right away at launch because we typically wait a bit for the code to stabilize before we start extensively commenting/documenting and cleaning it up for release,” notes Yen.

By March last year the startup had racked up more than 350,000 beta sign ups for its email service. It also announced its first tranche of VC funding ($2 million) — from Charles Rivers Ventures and Swiss not-for-profit incubator FONGIT. Now it has more than one million users — and will clearly be hoping to step that up quickly as it opens the doors to all comers, and as Apple vs the FBI raises public awareness around encryption and data privacy.

“For privacy reasons, we don’t closely track individual activity metrics. We track revenue however to gauge the sustainability of our model, and we are approaching break even through donations and paid accounts,” says Yen. “The distribution of users we know from voluntary user surveys. The current distribution is 49 per cent Europe, 29 per cent North America, 7 per cent Asia, and 15 per cent rest of world.”

ProtonMail chose to locate its business in Switzerland, which has had a reputation for robust privacy rights, as another bolster for its business. And again, in light of recent legal and legislative developments in other parts of the Western world, vis-a-vis encryption, that decision looks prudent.

That said, even in Switzerland, the political security screw is being tightened on individual privacy: ProtonMail has had to mobilize against a domestic surveillance law, passed last fall, that’s seeking to curtail Swiss privacy rights. The startup campaigned against the law via a petition and was able to collect enough signatures to achieve a public referendum — which will take place in June. (Yen coolly describes this as “a difference of opinion with the Federal government regarding how much surveillance should be permitted”.)

“Being in Switzerland, we haven’t gotten much pressure from foreign governments, although we do receive several data requests per month from foreign governments. In all cases, we refer them to seek a court order through the competent Swiss authorities,” he adds, when asked whether ProtonMail has been subject to specific political pressure over its stance on encryption.

Last autumn it did have to battle a sustained DDoS attack which took its email service offline for more than 24 hours. The hope had been to launch ProtonMail out of beta around that time but the team’s attention was presumably diverted to firefighting the sustained attack on its systems and to the adding protection mechanisms to prevent against attacks of a similar or larger scale in future.

“We have been under sustained attack many times since last fall, some of the subsequent attacks were even larger than the original attack. However, we have fairly good defenses in place now so the subsequent attempts haven’t been able to knock us offline,” says Yen.

The earlier attack is the subject of an ongoing criminal investigation, he adds. “We can’t say very much other than that the authorities in multiple countries are still actively investigating and we are helping with the investigation when we can.”

What’s next on ProtonMail’s to-do list? “We want to first add in full PGP support and allow users to import their own encryption keys so they don’t need to trust our key generation. Then afterwards, we will extend upon the custom domains support we recently introduced and allow multiple sub-users accounts associated with a single domain. This will allow us to offer a privacy focused Google Apps competitor in Europe.”