Here’s Why Protonmail Is Better for Your Privacy Than Gmail
*Note: This article was originally published by the author on December 7, 2020.
When it comes to email options there are plenty to choose from. But not all email providers are created equally and their services vary in terms of privacy, security, or convenience. If a technology service is not convenient for users, it’s all but guaranteed they will move elsewhere to something that is. After all, life is complicated enough without the increased burdens of exorbitant security. But privacy and security are of paramount importance for many internet users, so is there an in-between option?
There is but let me add that it is beneficial to have more than one email address. Perhaps you might use Protonmail as your primary email and Gmail or something else intending for that email account you sign up for websites with that is sure to get a lot of spam. Both Protonmail and Gmail boast powerful spam detection services and both offer some level of encryption to protect messages, just not in the same way.
I see a lot of hot takes on Twitter when it comes to digital privacy and security and it’s not unsurprising because social media is a melting pot of people with various levels of education, life experiences, and perspectives from a variety of different cultural backgrounds. You really never know who’s going to pop up and say something incredibly profound or profoundly dumb. It’s a toss-up.
That said, the other day I stumbled upon a Twitter thread between a few Bitcoin enthusiasts. One guy said he ditched Gmail for Protonmail because it was encrypted and more private. He was excited to be improving his security and privacy and even wrote a letter with reasons why it was a better choice for his family. Then as usually happens on the internet, another dude chimes in, this due has nearly 30,000 followers, telling the first guy that Protonmail was still not private.
The dissenting commenter proceeded to tell the original tweeter that Protonmail won’t sell your info for ads but that it was an unencrypted email service and that Protonmail was using false advertising. He then proceeds to say that they should set up their own email domain instead but that no email is safe. That’s the point when I interjected that Protonmail does employ encrypted email protocols such as Open Pretty Good Privacy (PGP), or OpenPGP, which is a far cry better than having no encryption or having your emails read by third parties like Gmail allows.
I’ll admit that there is some measure of truth to what the dissenting commenter said. As an information security professional, I’d be remiss not to. For instance, email protocols are very old and weren’t initially designed with security in mind. But there are ways to harden and strengthen both privacy and security in email. Encouraging average internet users to establish their own email or Virtual Private Network (VPN) server is comical. It’s not happening, most are not tech-savvy enough nor do they care to. For the average user, it’s all about the convenience and perks of using a particular online service. That’s what they’re after.
Google Mail (Gmail)
First, let me say that Google has done great things with Gmail. It’s come a long way and is a very versatile email application. However, Google does not encrypt beyond the Transport Layer Security (TLS) encryption of data-in-transit. That means if the email recipient’s mail server does not support TLS, then they won’t receive your TLS-encrypted message.
TLS encryption also doesn’t ensure that the emails stay encrypted without installing a third-party extension such as Mailvelope or FlowCrypt to also use OpenPGP in your browser (Chrome or otherwise) that can further encrypt your emails so that no one can read them except those that have your public decryption key. Gmail also offers a Confidential Mode which not only restricts forwarding, copying, printing, or downloading the email, but also allows the sender to set an expiration date for the email to self-destruct.
I’ll talk more about how Pretty Good Privacy encryption works later in the ProtonMail section of the article. I should also mention that Gmail supports stronger email security protocols such as Secure/Multipurpose Internet Mail Extensions (S/MIME) but only for paid G-Suite customers. Once again, however, both the email sender and recipients have to be using an email service that supports S/MIME in order for it to function properly.
Gmail encryption: Everything you need to know
Encryption may sound like a subject best left to hackers and tinfoil hat wearers, but don’t be fooled: It’s a critical…
There are a lot of rumors surrounding what Google collects because it truly is massive the amount of data that Google collects all over the internet. It has been widely publicized that Google scans your private emails to better market advertisements to its users. Google has since stopped scanning emails as of 2017 but said that now the scanning is done by other entities. That doesn’t exactly instill confidence. However, Google also allows developers who build apps that use the Gmail Application Programming Interface (API) to read the contents of your private emails.
The trust issue with Google is in a deficit for me, at least. What many Gmail users may not know is that those developers Google shares access to through its Gmail API are also allowed to share your data with third parties. Former GOP lawmaker Susan Molinari, Google’s policy chief who used to be known as “Google’s Washington insider,” wrote in a letter to US senators detailing its privacy practices:
“Developers may share data with third parties so long as they are transparent with the users about how they are using the data.”
Now, I don’t know about you but I can’t remember a time when any developer shared information with Gmail users about sharing or using their data? I’ve had a Gmail account for a number of years and that has never happened once. Therefore, I think it’s safe to conclude that Google doesn’t enforce or monitor this particular developer requirement at all, or at least, not very well.
Designed by Swiss CERN computer scientists, ProtonMail and ProtonVPN are affordable options for privacy-concerned internet users. Not even ProtonMail has the ability to read your email because it is end-to-end encrypted (E2EE) using open-source code. Since encryption explanations can get confusing for many, non-tech types real quick-like, I’ll spare you the technical mumbo jumbo and instead provide a nifty graphic explanation I lifted off the Web and provide you with a brief explanation of what the graphic says (below).
Essentially, OpenPGP or any type of email encryption like Public Key Infrastructure (PKI) relies on a public and private key certificate system. Your public key is stored on a server (i.e., Certificate Authority) and when someone attempts to email you at your ProtonMail email address, it reaches the CA key server which provides the sender’s mail server with your public (OpenPGP) encryption key. Now, the email gets to your inbox and only you can open it. E2EE is also known as encrypted messaging and ProtonMail isn’t exclusive in using it. Moxie Marlinspike’s Signal app uses an E2EE protocol and Facebook’s WhatsApp uses the Signal E2EE protocol.
ProtonMail was engineered so that even ProtonMail cannot access your private email. Only you, the user, have the key (your password) to access your inbox and thereby decrypt the messages you received. Whenever you email another ProtonMail recipient, the built-in OpenPGP encryption works automatically. But, if you’re emailing a non-ProtonMail recipient, you can also password-protected email for which the recipient must have the key (password) to unlock as depicted in the images at the top of the article.
Why ProtonMail Is More Secure Than Gmail — ProtonMail Blog
In 2014, ProtonMail became the world’s first email service to protect data with end-to-end encryption, and today is the…
ProtonMail also does not track, log, or monitor actions by users which is the exact opposite of Gmail. ProtonMail, like Gmail, relies on TLS for data (email) in transit. However, ProtonMail is more secure than Gmail in that it provides E2EE by encrypting messages on the sender’s device and can only be decrypted by the recipient on their device, nowhere in-between. So, you don’t have to worry about the NSA snooping on your ProtonMail-sent emails.
ProtonMail, since it is based in Switzerland, is not subject to US laws such as the USA PATRIOT Act or the Foreign Intelligence Surveillance Act (FISA). ProtonMail falls under the jurisdiction of the European Union (EU) and the General Data Protection Regulation (GDPR). Any complaint by the U.S. brought to a Swiss court has to meet high requirements for data disclosure, and since ProtonMail is end-to-end encrypted, they can only provide encrypted data to authorities which is mostly useless without the decryption key.
In the end, you the user, have to decide what is more important to you. I encourage you to choose wisely. Is privacy more important to you or are you more concerned with the convenience of the Google apps world? Both ProtonMail and Gmail offer a calendar and contacts. Google offers many other services but if you’re concerned with privacy, you may want to go with ProtonMail. Either way, whether you use ProtonMail or Gmail, go the extra mile and take a few minutes to set up two-factor authentication (2FA) for your account using an authentication app on your smartphone or a universal two factor (U2F) security key. Try to avoid SMS (text)-based 2FA if possible. If I am being fair, which I try to be objective in my research, I should also applaud Google for adding E2EE to its Android Messages app.
*The author is an independent security researcher and is not affiliated with either ProtonMail or Google.
Web Anonymization Techniques 101
*Note: This article was originally published by the author on September 24, 2020.
Transport Layer Security Is Not A Substitute For Virtual Private Networks
*Note: This article was originally published by the author on July 24, 2019.
The Steg Chronicles: How to Easily Send Secret Messages Using Steganography
*Note: This article was originally published by the author on
Here’s Why Using the DuckDuckGo Search Engine Is Better for Your Privacy
*Note: This article was originally published by the author on February 14, 2021.