CERN, MIT scientists launch Swiss-based secure webmail

Last week marked the beta release of yet another encrypted, secure email service, and interest in it was so overwhelming that its developers had to temporarily close signups.

The name of the service is ProtonMail, and the creators are CERN researcher Andy Yen (the service’s system administrator), designer Jason Stockman (the front-end developer), and MIT graduate / CERN software developer / resident cryptography expert Wei Sun, who tackled the development of the service’s back-end.

“ProtonMail was founded in summer 2013 at CERN by scientists who were drawn together by a shared vision of a more secure and private Internet,” it is explained on the project’s official website. “ProtonMail is developed both at CERN and MIT and is headquartered in Geneva, Switzerland. We were semifinalists in 2014 MIT 100K startup launch competition and are advised by the MIT Venture Mentoring Service.”

The service offers end-to-end encryption, which means that the data is encrypted on the user’s computer before being sent to the company’s servers. “We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties,” the creators noted.

The company does not log IP addresses or require any personal information to sign up, and accepts bitcoin and cash payments for paid accounts to ensure user anonymity. There are also free accounts to be had – the company only charges for extra storage.

It must also be noted that ProtonMail is incorporated in Switzerland and its servers are located in the country.

“All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and entities,” they pointed out. “Only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.”

The service apparently checks another box that is crucial for a successful encrypted email offering: it’s easy to use. Users only have to remember or store two passwords: one to authenticate themselves, and another to decrypt their data in the browser. The latter is never shared with the company, so if you forget or lose it, you cannot recover the data stored in your account.

The service uses secure implementations of AES and RSA, along with OpenPGP, and relies on open source cryptographic libraries in order to guarantee that there are no hidden backdoors. It’s also interesting to note that even non-ProtonMail users can receive the encrypted messages sent by a user: they will receive the decryption passphrase along with the message.

The beta version of the service was launched on Friday, and less than three days later they reached full server capacity.

“Over the next couple days, we will work on expanding our server capacity, and further improving our security. Since our launch, we have had several offers to help us with a full security audit and as those results come in, we will also be taking steps to further improve the security of ProtonMail,” Yen stated on the official blog. “Because of the overwhelming demand for ProtonMail, we are also looking for additional developers to help us build ProtonMail.”

While waiting for them to reopen the gates, users can reserve their ProtonMail username.