GETTING ON THE SAME PAGE
It appears that the infosec Twitter community has found its newest mob opportunity, and we really do enjoy a good mob. I certainly do too. However, I feel this whole ProtonMail argument has exploded way too far out of proportion, and I want to rein it in before a company that I love and support, and that many of YOU also love and support, suffers an unfair hit in income, user base, and publicity. It’s one thing to rally against uninformed people outside of the community with the intent of informing them. It’s quite another to attack a metaphorical “one of our own”.
First, ProtonMail has consistently been a go-to service for security and privacy minded people for a long time now. They have built their entire user base and company on the premise of encryption and privacy. So, when a controversy arises that questions their entire business model, we should certainly give them some benefit of the doubt until all of the cards are on the table.
Second, Huawei sucks and they’re likely watching everything their users do and probably harvesting it all. Most of us agree on this, moving on.
Third, Huawei was reported to be eyeing a “partnership” with ProtonMail. An agreement like this involves absolutely no changes to ProtonMail, nor does it give Huawei access to any of ProtonMail’s services, servers, or proprietary information. It’s quite simply this: ProtonMail will be available in the Huawei app store in addition to the Play Store. It’s the same app, with no changes in code or anything else that would compromise the app itself.
Fourth, and probably most important: ProtonMail has never agreed to assist Huawei in viewing or monitoring the data of its users, and IT NEVER WOULD. That is why we use it.
Fifth, and finally for this portion, device compromise != service or encryption compromise (more on this in the next part).
REMEMBERING THE PAST AND PROTONMAIL’S STATEMENT
We just had this conversation about WhatsApp, guys. Our concern with Huawei is device compromise. If you’re using one of their devices, it’s not unreasonable to think that they’re handing your data over to the Chinese government or other entities. Regarding my fifth point above, this does not negate encryption in transit or indicate a compromise of the service. Now, to be clear, I am not claiming that they can’t log or read ProtonMail data as it’s stored on a Huawei device. I don’t know about that personally. However, their reading of stored data on a phone cannot be, and should not be, indicative of the integrity of ProtonMail as a whole. When the WhatsApp article was blowing up (funny how Bloomberg loves to cause infosec upsets for clicks), everyone was in opposition to it, because we all agree that device compromise does not mean that the encryption or the services on the phone are necessarily the problem.
ProtonMail has even released a response to all of this to tell their side of the story, and it was well said. It was a side of the story that we all should have waited for before grabbing our pitchforks and lobbing our tweets. Our entire industry is based on our keen eye for details and information and the implications of those things. This should never have gotten to where it’s at. We have let a news article dictate our views of a company we love, which is something we should avoid at all costs; we should figure it out for ourselves.
We have to be reasonable, friends. Cautious, yes. Vigilant, yes. Skeptical at times even, yes. But also reasonable.