I am Dr. Andy Yen, a particle physicist who left CERN after the Snowden leaks to start ProtonMail, the world’s largest encrypted email service. AMA

Hello Andy, I recently saw, that ProtonMail cooperated with authorities in several criminal investigations. We know from history, that there is a difference between legal and right actions. Some activists or journalist could be considered criminals also these days. My questions:

- Do you also consider ethical aspects when you are asked for cooperation in criminal investigation?

- Which data could you actually provide if your service is fully encrypted?

Thank you for answer and all the good work!

This is a good question. Essentially, unless you are located on a ship 100 km offshore, you will have to fall under the jurisdiction of some country and must follow the laws of that country. Almost all countries require companies to assist in some manner in criminal investigations, and Switzerland is no exception.

This is the reason why the choice of Switzerland matters. In Switzerland, we have intentionally picked a jurisdiction where we believe there is a strong cultural and institutional respect for privacy, which extends both to the laws and the behavior of the courts and law enforcement. This means that in the example that you bring up with a journalists or activist, it is rather difficult to get a Swiss court to consider such a person to be a criminal.

In all cases, our legal team also reviews all requests and will also fight certain requests that we believe may be improper. In the event that a court order does get approved, we are also quite limited in what we can provide given our policy of collecting as little user information as possible, and using zero access encryption for all emails stored on our servers. Full details about what we can provide can be found in our privacy policy: https://protonmail.com/privacy-policy

I like the app but I have a ‘paranoid’ question: can we trust the Android OS regarding privacy? Especially the Google keyboard.

This is a tough question. The base Android OS is open source, but most Android devices ship with quite a bit of proprietary software, and the software can also be changed via automatic updates. It really comes down to whether or not you trust the device vendor. I do use Android myself, and I wish I could trust it more than I currently do.

Do you use the stock OS or do you install a custom OS? If costom what do you use?

I'm using the stock OS, with as few customizations/add-ons as possible.

Hi Andy! Thanks for doing this. Eventually, using a VPN comes down to “how much do you trust the VPN provider”. And a lot of this trust is directly tied to the people running the company today. But people will inevitably change or find a new job and leave the company and after a while the core ideas behind the company might get lost or could become compromised. So - first question - how are you planning to ensure that your line of thought will be consistent and coherent throughout the years as well as with future boards of directors and management and when should we become alarmed in case things go wrong? Second question - looking at what happened to /r/CopperheadOS how can we be sure that there won’t be any hostile takeovers from third parties? I realise that from a legal point of view Switzerland is not the US so someone taking over the company is rather unlikely, but it’s also worth remembering that ProtonVPN is, in fact, a separate company . I imagine this was done for a number of reasons (subsidies, taxes, legal stuff, diversifying risks…) but nonetheless we have to trust a separate entity that is legally not the same as “ProtonMail” and the software ProtonVPN is running is not directly verifiable like for Open Source software, hence my question.

This is a good question, and one that we have thought about quite a bit. I believe that the best way to create alignment between a company and its users is the long term alignment of incentives.

Facebook and Google are two classical examples where this alignment doesn't quite exist. Google users are not Google's main customer, but rather, the "product" they are selling to their real customers, which are advertisers.

Proton's configuration is different, in that the only reason we exist is because we have a focus on privacy that Google cannot easily replicate because of differences in business model. Violating user privacy would therefore also destroy the company's core business. While this is not a 100% guarantee for the future, I think it creates a strong financial incentive for future management to retain the core values even if the founding team were somehow to out of the picture (and no, we're not planning on going anywhere).

Hi Andy,

Do you ever have regrets about leaving CERN and being involved in science research? What was the reaction of your colleagues when you announced you were leaving to go into technology?

Cheers.

Back in 2014, it was rather surprising to a lot of people. Compared to today, the idea of doing a startup (particularly in Europe), or going into tech, wasn't as "cool" as it is today. The funny thing though is that a lot of the physicists I knew who looked at it as an odd career choice back in 2014 have since then ended up going into tech themselves, so in that way, we were ahead of the curve.

I do sometimes miss the more relaxed environment of scientific research, where deadlines are more flexible. After all, the laws of physics aren't going to change if you are a day late in running your experiment.

What are the future plans for protondrive and proton key? Any estimate of when it will be available?

To be honest, we are not great with estimates. In general, our philosophy is to release things when they are ready, and when they are up to our standards. I can say that ProtonDrive development is already underway, so there is a team based in our Zurich office that is starting to work on it (and we're hiring also in Zurich!).

ProtonKey is a research project being done with ETH Zurich, and as such, it is still in the realm of research right now. Going from research to a marketable product is often quite a leap, and we still have to make the assessment about whether or not we want to get into this space right now or not, and if we can substantially improve upon the current state of the art.

Did you support Mr. Robot using protonmail/did they approach you about it?

They actually approached us which was really awesome :)

Was it a paid product placement and if so how much did it run you? Just curious how these things work. That's where I first heard of you, so I'm sure a lot of people did and that it was a great investment (if it was paid -- and we know producers need to finance).

Congrats on your great product and thanks for making it

Actually we didn't have to pay them. The thing about Mr. Robot was that they were really obsessed with technical accuracy, so for them it was really natural to use ProtonMail as that is naturally the service that somebody like Eliot would use.

Good morning,

I am wondering if there is a timeline for the calendar feature yet? I desperately want to get off Google but am waiting for this to take the leap. Thank you!

[removed]

We want calendar very badly ourselves, and this is actively being developed right now :)

I'm really glad you are doing this today, because I have a comment concerning your service. I had hoped to transition to ProtonMail as a safer, more viable alternative to gmail. After sending myself a lot of emails and nearly completing the transition from gmail, my account was unilaterally closed because someone, somewhere had flagged it as spam. I messaged your support team and was told (over the course of five days) that my account had been flagged as sending spam and that I couldn't do anything about it. I had only ever sent myself or my girlfriend emails, and I know for a fact that neither of us reported me. My account used my real life first and last name.

Your support team informed me that I was welcome to open a new account, but that is most definitely not the point. My personal information on your servers is irrevocably lost, with no warning whatsoever, due to third party users. This seems like a gigantic security vulnerability. Basically, if I know your ProtonMail address, I can report you enough times that your email is automatically deleted and your information lost. Let's say, for example, that Glenn Greenwald was using ProtonMail when he was communicating with Edward Snowden and someone who didn't want the information to get public reported him over and over again. You suspend the account, he contacts you but there's nothing you can do, so all the data is lost. Or let's say when PayPal froze your account due to suspicious activity, you didn't have a platform to complain and no way to get all your money back. Are you OK with user generated reports resulting in the permanent and irrevocable loss of your money or data?

I'm sorry that you had this experience. If you haven't already, please email [[email protected]](mailto:[email protected]) so we can look into this.

To handle anti-abuse, we have a number of automated systems, and as with all automated systems, they are not 100% accurate, and although rare, there are false positives. This is the case with nearly any automated system even though we continually work to improve this.

Thank you, truly(!) for your response. I hate complaining about things that are beyond someone’s control but if I had gotten an answer like that originally from your support staff or the folks who monitor the abuse email inbox, I don’t think I would’ve been bothered enough to type that out anywhere. I just really appreciate someone acknowledging that it was possibly just a false positive instead of making me feel like I was automatically guilty. Thank you again!

Can you please post the solution? Going for a new provider with the risk of losing all emails is a big red flag.

You don't lose all emails. Generally, when there is a false positive in the automated systems, once it is reported, somebody will manually unlock the account after we have been notified about the issue. Usually, the fact that you are taking the time to complain about it makes it pretty clear that you are not a spam bot.

Being Open Source is commendable, but how can we be sure that the ProtonMail code being sent to the users is not being compromised? I think this issue was brought up several times, and someone mentioned something like to create an open source browser extension which would constantly verify the integrity of the code. Is this actually planned?

We are considering this but the implementation is tricky because the threat model includes ProtonMail itself. Just checking a package signature is insufficient, because presumably we could sign anything we wanted to.

Ideally we would build this such that we could guarantee both the authenticity of the package and that every user is seeing the same code, but this is a difficult problem to solve. We are also watching initiatives like https://tools.ietf.org/html/draft-yasskin-webpackage-use-cases-01.

So, what supernatural shit have you been up to in CERN?

Creating a black hole to destroy the world.

Have you ever watched the anime Steins;Gate? But here is a more serious question, what is your thoughts on VPNs? Is it a service worth getting for online security/privacy?

I of course recommend checking out ProtonVPN :)

But more importantly, I recommend understanding what a VPN can or can't defend you against. As with any tool, understanding the threat model is the most important part: https://protonvpn.com/blog/threat-model/

Hi Andy, are we anywhere near the point where we have to worry about quantum computers breaking modern encryption? How will this affect current email encryption? Thanks for your time!

Quantum computing is like cold fusion, it's always 10 years in the future ;-)

Jokes aside, yes, quantum computers can potentially pose a problem in the near future, but post-quantum crypto is also becoming a more and more active area of research around the world, so the odds are good that new techniques will be in place before this becomes a problem.

Hi Andy,

Are there any books (or any literary piece of work) you read that contributed to your perception of online privacy concerning everybody today?

I hope he will answer to your question too. May I suggest you a book on a similar theme (for everybody)? Jaron Lanier - Ten arguments for deleting your social account.

Since we are in the digital age now, I do recommend Glenn Greenwald's TED talk that puts everything into perspective in a very clear and concise way: https://www.ted.com/talks/glenn_greenwald_why_privacy_matters?language=en

His book, No Place to Hide is also a good overview on the subject.

How do you explain to others, particularly laymen, the importance of privacy? And how do you respond to the "if you have nothing to hide, you have nothing to fear" argument?

Thanks for the AMA!

I could answer this in a few sentences, but I would never be able to put it as well as Glenn Greenwald did at TED Global in 2014:

https://www.ted.com/talks/glenn_greenwald_why_privacy_matters?language=en

​

Incidentally, I remember the talk well because I was scheduled to take the stage right after Glenn spoke at the event. It was without a doubt a hard act to follow :)

Do you also work as a programmer for ProtonMail or do you just work as an entrepreneur? ProtonMail was founded a few years ago. Back then, did you have to work a lot while getting only 4-6 hours sleep per day and how is the workload today?

I still write a bit of code from time to time, but it far less now compared to when I was a physicist. There's often the misconception that as a team gets larger, then you will have more and more free time, but actually it's the opposite, at least initially. As we are still in the process of growing and scaling the team, I'm actually today busier than several years ago when ProtonMail was far smaller. I've been told by people who know more about these things that this does eventually get better, but working in a startup is definitely very intense and requires an immense amount of dedication and focus, over a long period of time.

Hello Andy! Why did you choose Switzerland for Proton's headquarters when they have just recently (2016) weakened privacy laws through a referendum? In particular, the Swiss government can now monitor all cross border traffic without a warrant which greatly expands surveillance powers within the country.

Actually, we have been exempted from the new law, you can find details here: https://protonmail.com/blog/swiss-surveillance-law/

To answer your question, let's say you live in the US. Our traffic would first pass through Swiss networks, then German networks, before going through US networks, and to your home. The German and US networks are being tapped and monitored by the NSA (which is why we encrypt everything before it hits the network). Now, Switzerland's tiny surveillance agency is possibly tapping the traffic between Switzerland and Germany. Is this concerning? Yes, definitely. But in the grand scheme of things, the NSA tapping is the more problematic one, which is why, from this perspective, we are not too concerned about what the Swiss government may be doing.

Hi Andy! How would you convince the lay person that entrusting ProtonMail with his/her data privacy is stronger than simply trusting ProtonMail's word? That is to say: how can he/she feel confident that ProtonMail really does 'what it says on the label' and isn't misbehaving behind the scenes?

This is actually a rather complex question with a rather complex answer, so I will refer you to my previous answer here:

https://old.reddit.com/r/privacy/comments/5jlcoe/what_makes_you_trust_protonmail/dbi39cy/

Another factor is the alignment of incentives which defines the relationship between us and our users, which is discussed at a bit more length earlier in the AMA:

https://www.reddit.com/r/IAmA/comments/9j35ry/i_am_dr_andy_yen_a_particle_physicist_who_left/e6oauvm/

What do you think about the EU Upload filter? What's your opinion on GDPR? Also, what do you see as chances and risks for the internet as we know it today and it's future?

I'm not familiar with the EU Upload filter, so I can't comment on that, but I do have some thoughts on GDPR. I think it's a positive step, because it adds teeth to privacy regulations and brings out greater transparency. For example, in the past, if your privacy policy had some omissions, or you didn't follow it, there generally were not repercussions. Under GDPR however, there are potential fines for up to 20 million euros, so in a way, it makes it easier for everybody to trust what privacy policies state since they are now backed by laws and fines.

​

Hi.

As a standard Internet user who uses the internet mostly for games, email, social media and online shopping. What should be my biggest worry about data leaks considering I'm not at all interesting?

Thanks!

It is not the data leaks that you need to be worried about, but the data that you are giving up willingly without realising what you have actually consented to.

For example, not many people who used Facebook could have realised that their data would be used by political campaigns to win an election.

The real danger is never the leaks, but rather, what can be done with the data you have already given up, especially with new technologies such as machine learning.

Andy, how are you able to operate protonmail within mainland China without blocking from censors? Every single encrypted email service like tutanota is blocked in China but Protonmail works! Even ProtonVPN is blocked, but mail.protonmail.com works like a charm. (Hopefully not a CCP sponsored charm.)

Do you have mainland Chinese servers that handle protonmail email and do you cooperate with Chinese authorities in any way?

We do not have any contact with Chinese authorities. Our guess is that we are still too small to be on their radar. It is really impossible to speculate on how the Great Firewall (GFW) of China works. We have been temporarily blocked in the past, and there are no guarantees that we won't be blocked again in the future.

In terms of techniques for circumventing the GFW, it is very much an arms race, and one that privacy tool developer are unfortunately losing right now, and unlikely to win given how the Internet works.

Hello Andy,

I am not “that“ interested in the privacy feature , I am just looking for an email service (for custom domains) that is not Google, and that I can trust (not based in the Five Eyes). Protonmail is all I am looking for but having to use Bridge for IMAP is a real pain.

Do you plan to have an offer/option to disable the encryption features, to just use Protonmail as a mail service, so we can use it on any platform without using Bridge?

I'm curious, would a native desktop app fix this for you? That is the direction we are considering to go for the people who find ProtonMail Bridge to be too cumbersome.

Whats the biggest misconception people have on online privacy?

People often assume that privacy is free, but it really isn't. Services like Google and Facebook which appear "free" on the surface are actually "charging" you by violating your privacy.

In order for something to be truly private, you actually have to pay for it, because that's the only way the service can be provided without selling your data to cover the costs.

Hello Andy,

I have a handful of questions for you.

• 1) What do you like to do in your free time?

• 2) How did you and everyone else involved at the time react when your IndieGoGo campaign pulled in 5 times more than what you were asking? Did you ever expect to get that far, and that much community support?

• 3) What does your day to day look like at ProtonMail?

• 4) What upcoming feature for ProtonMail are you most excited for?

• 5) If you could snap your fingers (Thanos style) and instantly finish any single upcoming feature for ProtonMail, which one would you finish first and why?

• 6) What's Geneva like?

• 7) Do you ever miss your old work/job at CERN? Any regrets about leaving?

• 8) Do you think if you and ProtonMail hadn't done it, do you think anyone else would have stepped up to the plate to create a private and secure email service?

Thanks for doing this AMA, and building creating ProtonMail with your friends at CERN. Very glad to have a trustworthy email and VPN provider out there, and the service you guys provide is awesome. Very excited to see whats coming next for ProtonMail.

That's a lot of questions :) Here are the answers to some of them. Thanks for your support!

Whenever I get a free weekend, I try to go skiing, and I'm looking forward to the new season.

The Indiegogo was a huge surprise. First we were very excited that ProtonMail was going to be able to get off the ground. Immediately after that, we also realised the huge responsibility that we now had and quickly got to work making ProtonMail our full time jobs.

Day to day, I spend a lot of time now in meetings, either interviewing potential team members, or talking to different teams about various challenges that come up (and a lot of challenges come up).

I'm most excited for ProtonMail 4.0, an updated webapp that we are going to start working on soon.

ProtonDrive I want finished ASAP, and ProtonCalendar as well :)

Geneva is rather well organized, as you would expect for Switzerland, but not so immovably rigid like Zurich or anywhere else on the Swiss-german side. So I find it has a nice balance.

I do sometimes miss scientific research, but so far no regrets about leaving :)

I think there is a real need for what ProtonMail is building, and if we aren't doing it, somebody else would have done it as the market economy always sorts these things out.

What do you think of the new Code of Conduct in the Linux kernel and the controversy behind it?

I think the intentions were good, but as with many things, actual implementation and enforcement will be a minefield.

Given Protonmail's CERN and MIT roots what can you say to reassure everyone that Protonmail is not a honeypot for intelligence agencies?

I don't quite see the connection from CERN/MIT to intelligence agencies. CERN is very international and having special international organization status within Switzerland (like the UN), would actually be less susceptible to being unduly influence by any state intelligence agency. The question about trust however is a good one, and the short answer is that there is no way to be 100% sure, but there are some pretty good indications, and for that I prefer you to my previous answer here: https://old.reddit.com/r/privacy/comments/5jlcoe/what_makes_you_trust_protonmail/dbi39cy/

First off, love the option to encrypt email easily. Will you add an option to encrypt emails to other secure providers like Tutanota? Or is this out of the question as it's the main competitor?

We have full support for the OpenPGP standard, so we are fully interoperable with any email service that supports PGP. We feel strongly that encryption shouldn't be a walled garden, but should instead be part of a federated system. You can actually read more about our thoughts on this here: https://protonmail.com/blog/address-verification-pgp-support/

Email aliases using “+” are highly impractical, as many sign-in forms don’t allow the use of that character. There’s a request on uservoice to address the problem by using the hyphen (-) character instead, but from what I recall PM never publicly took a stance on the issue. Is there a reason why this is not being implemented? There’s no point in having aliases if you cannot consistently use them.

I actually hadn't seen this suggestion before. That's not a bad idea, but it would have to be analyzed for abuse. Because "+" is well recognized, there is no abuse problem. But if we support "-", it could potentially let a single user sign up for a service thousands of times using a single email address, which could lead to ProtonMail getting banned by other services, so we have to strike a careful balance here.

Is CERN a secret evil organization trying to invent time machines and take over the world?

Yes, definitely, that's exactly what we do.

Good morning. Any chance of teaming with Puri.sm and its privacy focused hardware offering(s)?

If they reach out to us, we would be happy to have a look. Generally speaking though, we are working now on sharpening our focus to avoid being stretched too thin and in too many places at once, and this is why we are now very hesitant to add new things to our already full plate of privacy projects.

Does your email service support Yubioco 2FA?

Not yet, but this is being worked on.

Hey Andy!

First of all, thank you for creating and leading such an amazing service and fighting for a better online world!

Here are a few questions for you:

1. Is there a benefit in being a particle physicist when providing an Email service? Was there ever a challenge where you noticed that your previous work and experience helped you solve it? If so, what was it?

2. What happened at the most stressful day at ProtonMail and how did you and your team manage to overcome it?

3. What was the biggest challenge (difficulty-wise) throughout the 4 years of ProtonMails existence, why in particular was it so hard and how did you solve the problem?

4. What was the hardest feature to implement and why was it more of a challenge than the other features?

5. Did you make a mistake in the early days of ProtonMail that you wish you would have done differently, because it took a long time to correct? If so, what was it?

6. What's the best/most motivating part of your job?

7. What is the biggest lesson you've learned throughout the years of creating ProtonMail?

Thank you for doing this IAmA and keep up the great work! :)

Best, Rafficer.

Hi Rafficer! Good to see you here =)

Interesting questions, and here are some answers:

1. I have to admit, my extensive education in Quantum Field Theory didn't come in very handy for building ProtonMail, but more broadly, being a physicist was helpful. Physics is about solving problems and answering hard (possibly unanswerable) questions. The problem solving skills you pick up as a physicist definitely do come in handy when dealing with the myriad of issues which can pop up when you run a service with millions of users.
2. The most stressful days were definitely during the 2015 DDoS attacks. There was a time during that week when it was not clear actually if ProtonMail would survive. But we attacked it like any other problem, by breaking it down into smaller, solvable chunks and working on those one by one to avoid getting overwhelmed.
3. While there were many specific hard problems, one specific hard problem that persisted is scaling. This means, growing the team, managing a bigger team, and building infrastructure and software that can still work well even when the number of users goes up by several orders of magnitude.
4. Full PGP support was definitely the hardest feature in terms of the amount of time that it took. This was a challenge because it impacted everything (all clients, crypto libraries, backend, etc).
5. There were not so many major technical mistakes (our short-lived adventure with MySQL NDB cluster might be one). The mistakes were actually more on the business/management side where we had far less experience (and still to some extent have not a lot of experience). It really took us some time to figure out how to run a company as opposed to a CERN research collaboration.
6. The best part is actually the community. Even on days when we just get lots of complaints from the community, it is still good to see that somebody cares about our work, even if that is expressed through complaints.
7. It is hard to distill things down to a single lesson, but in terms of learning, I would say that I learned about the importance of the human element in any project. A company is people at the end, and that matters more than anything else in determining whether something succeeds or fails.

​

Data encrypted nowadays can most probably be decrypted by anyone 20 years from now. Is this risk topic of discussions within protomail?

Yes, it is. The solution is that at some point in the future, we will allow users the possibility to re-encrypt your data with stronger crypto. This is not yet necessary today, but will likely become necessary sometime in the next 20 years.

It is evident that in order for us to expand on privacy many steps need to be taken. For the end user is usually a layman not really into any of it. Obviously, the product needs to be user friendly.

However, with so many user friendly products today, such as GMail, how would one sway the users to take the right choice of privacy instead?

I personally find that one of it is education of the masses on the importance of privacy, how would one go about that, in say, their local community?

And more importantly, how about going on it in the worldwide level?

I agree with this, education has to play a huge role, and on our blog, we are focusing on putting out more material to generally educate the population. In my opinion, I think schools actually need to teach computer skills, where concepts like privacy and cyber security are taught. Otherwise, our children are not properly prepared for the digital future that they are entering.

What are some of the milestones on your roadmap for the next year, 3 years, and beyond?

The short answer is that ProtonID, ProtonCalendar, ProtonDrive are the main focuses for now. If resources permit, we may take on a few other projects of interest to the team and our community. Largely, our roadmaps are driven by community feedback in our once a year annual surveys, and the community has been pretty clear about wanting Calendar and Drive so we have started allocating resources there this year.

Meyrinoise or Café de la Place?

Café de la Place ;-)

Hi Andy, PIA CEO Andrew Lee brought to light some links between ProtonVPN and tesonet on hackernews.

Can you tell us exactly what relationship ProtonVPN has with Tesonet?

Yes, we have previously detailed this here: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/

Do you have any plans for acalendar in protonmail? What is the timeline? You have been talking about it but you have not come with any additional information about a calendar in protonmail. Gmail and has a calendar and other like mailfence has a calendar.

What is the reason that you do not have more information about it? When will youmake a smooth transfer to protonmail from gmail?

We are hesitant to give precise time estimates because in software development, estimates are hard to make. Proton Calendar is definitely be worked on though, and we are optimistic that it can be released sometime in 2019.

Hi Andy, are you concerned as Protonmail becomes increasingly spread out with various projects like ProtonVPN and ProtonDrive that you as a CEO could become more disconnected with the reality of operations? How to you plan to protect user privacy when you really don't have control over these third party projects? For example, ProtonVPN is heavily managed by a Lithuanian company called Tesonet.

This is actually not true, as we have detailed here: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/

That being said, there is of course limited scalability for me as a single person, and one of our priorities is expanding our management team so we can more effectively operate all projects.

I've been aware of Proton for awhile now, and I've considered switching over. However, I admit to being slightly hesitant, even suspicious, about any "free" online service. I gather that there are no ads, correct? And there's no charge to use the service. So, . . . how are you guys paying the mortgage and buying groceries? With non-free corporate accounts?

Yes, the costs are covered by paying users. We actually have quite a few paying users and we're really appreciative of the support that we have received from the community.

Hey Andy, specifically what operations does ProtonVPN outsource to tesonet? I seen some evidence online and was hoping for a honest answer from the CEO.

This is a topic that was covered in depth on /r/ProtonVPN earlier this year, and has it's own dedicated thread where I actually personally responded: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/

There are rumors that your email transits products from Israeli and Mossad controlled companies that are used to prevent DDOS and read the email. Yet at that stage the email is not encrypted and can be read by them.

Can you comment on this?

Unfortunately this is another one of the false conspiracy theories going around about ProtonMail. We have previously discussed this here: https://protonmail.com/support/knowledge-base/protonmail-israel-radware/

The short answer is that we encrypt everything before it hits the network so how our traffic is routed actually is irrelevant. Furthermore, our traffic transits through Frankfurt and not Israel (as some have falsely claimed).

Hi Andy, what video games do you play?

Not so many these days, but previously, many FPS. In my university days, I really liked the S.T.A.L.K.E.R. series.

What crazy stuff you did or see at CERN?

A lot actually. I spent between the ages of 20-25 at CERN in some capacity, and those tend to be rather crazy years in one's life. What was exciting was that it was during that period that the Higgs particle was discovered. What was less exciting is that during the same period nothing else was discovered. Had something else, like supersymmetry been discovered, it's very likely ProtonMail wouldn't exist as all of us would have been fully focused on physics.

What is your take on elliptical curves, such as ED25519, for widespread adoption like ProtonMail? Are these ready (not just in terms of security, but also tools) for everyday apps like email and messaging?

Yes, we plan to make ECC keys (25519) the default keys for ProtonMail sometime soon, while still supporting RSA.

Hi, Andy ! Thank you for Protonmail and answering those questions !

When will the Linux port of the Bridge be released ?

We are trying to get it released before the end of this year.

Hey Andy, what is the single most important step you think anyone in today's world should take to protect his privacy ?

Thank you for ProtonMail, I've been a proud user for some years now

I think if people would actually read terms and conditions and privacy policies, we would be in a much different place today regarding privacy and security :)

That being said, the most important thing you can do to protect your privacy is actually to spread the word and tell others about why they should protect their privacy and how they can do it.

We live in a connected world and society, and it is not enough to protect your own privacy, because we don't live in isolation. We also need to communicate and work with others. So the best way to protect your own privacy is actually to make sure that others are also privacy conscious.

Hey Andy, protonmail was recently found to be in use by White House staff of the Trump Administration. In particular, to circumvent what seems to be Freedom of Information act requests and Presidential Records Act. It was a blip in the news because so much other shit was going on with our cluster fuck of a president.

What is your view of its use in this manor. Do you take a hands off view of it, like say a Swiss bank or do you think there is any sort of moral and ethical implications to it that weigh on you personally or any of your staff?

Also Andy what is your view of providing a platform for email which could very likely be used by people who could be using it for human trafficking, cartel level illegal and violent drug trade planning, and other dark web centric behaviors?

I do not mean to come off as attacking. I actually have a protonmail account myself, but I don't use it for anything. I hope I have not offended you at all in asking what your views are and does this cause any potential Cognitive Dissonance between your views, your views as a scientist by training, views on an open society?

Does anything potentially cause you to wake up in a cold sweat beyond the typical business issues?

Where do you see your self on a political compass as well?

Actually, using ProtonMail for White House work doesn't allow FOIA requests to be circumvented. We actually covered this in a blog post when the story first surfaced:

https://protonmail.com/blog/white-house-encryption-protonmail/

As to your other questions, it is of course possible for people to use ProtonMail for unlawful purposes. But in fact, a lot of things can be used for unlawful purposes (airplanes, Twitter, etc), and this does not mean that we should ban them all.

What is important is for society to balance the good versus potential negatives of any service. By providing better security and protecting freedom of speech, I believe that the good that ProtonMail provides does indeed outweigh some of the potential negatives, but things will never be fully black and white.

Is it true that CERN works directly with the CIA and many other surveillance agencies?

No

Hi Andy, fellow particle physicist here, doing a PhD in Geneva.

For many physicists, the choice between academia and industry is a tough one at the end of a thesis. What do you feel is the biggest upside of doing that startup, what would you have definitely missed if you stayed in Academia? Are you still connected to the world of fundamental research?

It is indeed a rough choice that over a dozen people on our team had to make. Some of us also had the tough choice of whether or not to even finish our PhD's in the first place (I was one of the ones who did finish, but there are others who didn't). Most of us try to stay up to date on the latest research and keep up with what is happening in physics/math.

My thoughts on this are roughly the following. In academia, there is often the impression that academia is where the world's most important and interesting problems are being solved. This is a rather insular worldview, and for example, the work that we do at Proton to try to keep privacy alive can also have far reaching impacts, for example in journalism. So there is interesting and impactful work outside of academia.

Secondly, perhaps 1 in 100 startups will succeed. While these odds sound terrible, it's actually not significantly worse than say, the odds for a PhD student to end up as a tenured professor.

Finally, I would say that if you are going to leave academia sooner or later, then it is always better to do it sooner rather than later.