Bridge the gap

When I joined Proton, I did not know much about the challenges of building privacy-first products. After a little more than a year working here, it is a good time to reflect on what I have learned so far, and on why I think the application my team works on, Proton Bridge, is an essential element of this domain.

I will not talk specifically about Proton but about any company that calls itself privacy-first; let’s call this company The Privacy First Company (TPFC).

The Privacy First Company (TPFC)

When you decide whether to trust TPFC, there are a few things you need to pay attention to.

Unless TPFC operates in international waters, it must respect local laws; in other words, it will go out of business if it refuses to cooperate with the courts of the country it is in. The good thing is that privacy laws differ between countries, and not all countries have the same intelligence-sharing agreements with others (e.g., Five Eyes, Nine Eyes, or Fourteen Eyes). That is why the legal environment of the country in which a company operates is very important.

You also need to find out the intent of the company. Unfortunately, there is no easy way to do this. In the end, you can rely on only two things: your personal feeling about it (e.g., its mission, stability, communication, etc.), and following the money. If the company’s main income comes directly from paying users, you can expect that the company does not want to fail its users, because otherwise the whole company will fail too: the company’s goals and the users’ goals are aligned. On the other hand, if a company’s main revenue does not come from its users but, for example, from investors, advertisements (i.e., other companies advertising on the platform), or insurance, then regardless of what it says, it cannot afford to go against these stakeholders in order to serve its users.

There is one other way to lose some of your privacy even if TPFC is in a privacy-friendly country and its intentions are good: a data breach. In highly complex systems, given enough time, it is always possible for a bad actor to gain access to data that the company would never hand out otherwise. Nothing is perfect, and you have to plan for that. Luckily, there is a solution to this problem, and it is called end-to-end encryption, E2EE for short.

End-to-end encryption

E2EE means that your data is encrypted on your device with a key that only you hold, and only the encrypted data is shared with TPFC. That way the company cannot decrypt your data, so it is only responsible for storing it, backing it up, and sharing this encrypted data among your devices, where it is decrypted again, i.e., transformed back into a consumable form.

The good thing about E2EE is that it does not just solve the data breach problem; it also improves your protection against legal requests. TPFC will still hand over the data for a request, but only in its encrypted form, which is useless without your key. It is worth noting that the legal environment still matters, as some countries can compel a company to silently stop encrypting data. That is why the home country of a company remains important even with E2EE.

E2EE is great, and nowadays you will hear the term from many companies. Unfortunately, not all of these companies actually end-to-end encrypt your data. How can you tell whether that is the case? A good rule of thumb is to ask: does the program that encrypts my data run on my machine or on their machines? If the answer is not the former, you should be highly suspicious. The same question applies to the key: if the company ever receives a key that can decrypt your data, the data is not end-to-end encrypted, whatever the marketing says.

But requiring encryption and decryption to happen on your devices implies a further problem, unique to the privacy domain, and that problem is what makes Proton Bridge a must-have LEGO piece: interoperability.

Interoperability

When the internet was born, the main problem the world faced was how different computers on the internet could share data. Many open standards were created, for example, to share files (WebDAV), to send and read emails (SMTP/IMAP), to chat (IRC), or to read websites (HTTP). These protocols were an important step towards making the Internet a great place to be. Services of different companies could use these protocols to share data when the user wanted those services to work together.

By the way, some companies created their own closed standards instead. If a company is big enough, it can get away with it, but a future where you are vendor-locked into systems is not bright, because it eliminates competition.

Back to the topic: do you already see the interoperability problem in the privacy domain? Yes: TPFC does not have access to your data, so it cannot share it with anyone else.

Being privacy-first is a noble goal, and our future badly needs it, but these services also need to serve their users up to today’s expectations.

TPFC can do two things to solve this problem, and the best is if it does both:

  1. Create a privacy service ecosystem where the Privacy First Company provides many privacy-first services. The communication between these services is done mainly by linking the E2EE data from your machine. The data is still E2EE, but the user experience this way is usually very smooth.
  2. Serve the data that you store on TPFC servers from your machine through open standards.

Proton does the first, which is why its service portfolio is so wide (e.g., Mail, Calendar, Drive, Password Manager, VPN, etc.), but, as far as I know uniquely on the market, it also provides the second for email through Proton Bridge.

Proton Bridge

Proton Bridge is an application that runs on your machine, fetches your emails from the Proton servers, decrypts them, and makes them available unencrypted to other applications through the open email-reading standard (IMAP). These applications are usually email clients (like Outlook, Apple Mail, or Thunderbird), but they can also be backup software or services that help you clean up your inbox. Note that the decrypted mail now lives on your machine, so the security of that machine, and of the clients you point at Bridge, becomes part of the picture.

It also provides a local email-sending (SMTP) interface, so other applications can send unencrypted emails to Bridge, which then encrypts them on your machine and sends only the encrypted version to Proton.
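To make the two halves of this concrete, the E2EE rule of thumb from the earlier section (the encryption code and the key live on your machine, the server only ever sees ciphertext) and the IMAP/SMTP roles Bridge plays here, the following is an added sketch written for this article in Go, the language Bridge itself is written in. It is not Proton Bridge's code and uses none of Proton's APIs: Mailbox, Bridge, Send, Fetch and ServerCanRead are hypothetical names, the key is a locally generated AES-256-GCM key standing in for whatever a real product unlocks from the user's credentials, and the message is a constructed sample, not real mail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Mailbox stands in for TPFC's server: sealed blobs only, no key, no plaintext (hypothetical model, not Proton's API).
type Mailbox struct{ Blobs [][]byte }

// Bridge is the piece running on the user's machine and the only party holding the key.
type Bridge struct {
	key    []byte
	server *Mailbox
}

// NewBridge generates a fresh AES-256 key on the device. A real product would unlock it
// with the user's credentials; what matters here is that it is never sent to the server.
func NewBridge(server *Mailbox) (*Bridge, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &Bridge{key: key, server: server}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prepends the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check fails for a wrong key or a tampered blob.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Send models the local SMTP side: a mail client hands Bridge plaintext, Bridge
// encrypts on the device, and only the sealed blob reaches the server.
func (b *Bridge) Send(plaintext []byte) error {
	blob, err := seal(b.key, plaintext)
	if err != nil {
		return err
	}
	b.server.Blobs = append(b.server.Blobs, blob)
	return nil
}

// Fetch models the local IMAP side: Bridge pulls sealed blob number i from the
// server, decrypts it on the device, and hands plaintext to a local mail client.
func (b *Bridge) Fetch(i int) ([]byte, error) {
	return open(b.key, b.server.Blobs[i])
}

// ServerCanRead is the server's point of view. Holding no key, the most it can do is
// look for the message text in the blob or try a key it does not have (all zeros here).
func ServerCanRead(blob, message []byte) bool {
	_, err := open(make([]byte, 32), blob)
	return err == nil || bytes.Contains(blob, message)
}

func main() {
	server := &Mailbox{}
	laptop, _ := NewBridge(server) // errors ignored in main only for brevity
	msg := []byte("Subject: hello\r\n\r\nconstructed sample message, not real mail")
	_ = laptop.Send(msg)
	fmt.Println("server can read the message:", ServerCanRead(server.Blobs[0], msg))
	phone := &Bridge{key: laptop.key, server: server} // same user, second device
	got, _ := phone.Fetch(0)
	fmt.Printf("second device decrypted: %q\n", got)
}
```

Running it prints false for the server's view and the original message for the second device. A Bridge constructed with a different key fails in Fetch with a GCM authentication error, as does a blob the server has modified, which is the point of the section: nothing on the server side can turn the stored blobs back into mail, so a Bridge-like component holding the key has to exist on the user's machine before any IMAP or SMTP client can be served.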

Without a Bridge-like application running on your machine, The Privacy First Company is not really privacy-first.

I am really happy that I can work on Proton Bridge, such an important application in this domain.

Closing words

There are a few things worth mentioning before I finish. Practically speaking, TPFC’s mobile clients are Proton Bridge-like applications, but instead of making the data available through an open standard, they provide a graphical user interface to make that data consumable for you. Similarly, when you access your data from a web browser (i.e., opening the website in Firefox, Microsoft Edge, or Safari on a Mac), you download a Proton Bridge-like application that temporarily runs in your browser and makes your data available locally in that browser.

While the cryptography behind the encryption is usually similar across services, it differs enough that the code that encrypts and decrypts your data is usually provided by TPFC. It is also done that way to give you a smooth user experience; properly balancing security, privacy, and usability is important to create lovable tools that also do the right thing. However, this also means that you want TPFC to be transparent about the code that runs on your machine and to have its services regularly audited by reputable third-party security companies. This matters most for the web client, where the code is fetched fresh on every visit, so you are relying on TPFC serving everyone the same, audited code.

While in the end you always need to trust someone, the indicators mentioned above can help you decide who deserves your trust.