Encryption of all metadata
If Protonmail is to be serious about privacy, I don't understand why all metadata isn't kept solely in encrypted form. I just signed up for Scryptmail and any data is kept in encrypted form, unreadable for any third party.
I don't see why it would be necessary to keep for instance the senders or subject titles in encrypted form when Protonmail doesn't support POP3 or IMAP.
The problem is that otherwise e-mail is inherently insecure, because if for instance a governmental entity wants to see your account, while they won't have access to the content of your e-mails, they can see what you're talking about (through the subjects), and most of all who you are talking to. So they can just go to the providers of the people you're talking to, and obtain all your info via proxy.
I think if Protonmail doesn't become a true zero knowledge service then it provides more or less a false sense of security.
We have given this quite a bit of thought, but at the present moment, it is not clear the advantages would outweigh the disadvantages.
The biggest problem is search. Encrypting all metadata would break metadata search entirely on the web client as there is still no efficient way to handle search of encrypted data within a browser.
Secondly, metadata encryption’s value from a privacy standpoint is also somewhat dubious. Because we ultimately must deliver the message to the recipient, we must know who the recipient is. At the current time, there still isn’t any proven and viable way to work around this.
Metadata encryption is an area of continued research for us, and when the opportunity arises and the technology for doing this matures, we will definitely implement it in ProtonMail.
Farid Hajji commented
"Encrypting all metadata would break metadata search entirely on the web client as there is still no efficient way to handle search of encrypted data within a browser."
To people reading here, they are probably talking about FHE (fully homomorphic encryption) performance. Basically, they would need to search in encrypted data without decrypting it first, because if they could decrypt it, there would be no point in encrypting it in the first place.
Performing operations (such as searching) on encrypted data without decrypting it first may seem paradoxical, but is indeed possible, if you use something called fully homomorphic encryption (FHE).
Mid 2017, FHE was still pretty slow, and running search on encrypted data was still way out of reach, especially for mobile devices (think: even a fully charged battery won't be enough to perform the required calculations for even a single search). That's why search in encrypted data was impractical at this point.
However, two years later in mid 2019, FHE performance improved significantly and is really starting to become practical. Check out the talk by Daniele Micciancio at EUROCRYPT 2019 a few days ago:
As FHE matures, we may hope to see affordable search in encrypted data in the years to come.
I just subscribed to ProtonMail Plus since I'm pleased to support your cryptography research. Your company has brought awareness to the general public that unencrypted email is not secure, and made PGP encryption accessible to a non-technical audience (sending from ProtonMail to ProtonMail addresses) - and for this I will be forever grateful.
However I was a little bit disappointed that metadata such as email subject lines is not encrypted, since the subject lines, sender, and recipient were readable in plain-text after I recovered my password using a backup email address, despite the loss of the original encryption key. Metadata reveals more about one's communications than one might initially realize, and is the underpinning of most "dragnet" bulk surveillance programs.
Please consider implementing client-side encryption/decryption of metadata going forward into the future. With the growing computing power of most client devices nowadays (including mobile devices), decryption of metadata on-the-fly to facilitate features such as full-text search should be achievable. The small degradation in performance is a small price to pay for more complete privacy.
Thank you in advance for the consideration, from a ProtonMail Plus user!
Why not put the search on us, with a note that it is resource-consuming? I think Tutanota guys pretty much got the right idea, they have the search turned off by default, and when you want to search, they show a pop-up saying that the search is consuming device resources; something like "Use at your own risk" x)
Another approach might be to leave it as an option, thus leave the current implementation as default, and also have some checkbox in the settings saying "Encrypt metadata (ALERT: resource-consuming e-mail search will be done on client-side)"
I very strongly agree with Oliver (June 12, 2015) who wrote that without encrypting metadata a mail service is not effectively private. I used to be a premium (paying) member of Protonmail because I wrongly assumed that both mail body & metadata were encrypted. Once I learned otherwise, I started treating my PM account like my Gmail account, assuming that if someone wanted badly enough to read my correspondences with my legal clients they could. Sadly (for my relationship with PM), now I have a paid subscription with another email provider that guarantees metadata encryption (also). If PM enhances its product, I'd happily subscribe once more.
Where's the fox hat? I log into Tutanota and see just the same old interface. Nothing like that blog post, which also mentions nothing on when this will all be available.
@SinCabeza Tutanota does have search: https://tutanota.com/blog/posts/first-search-encrypted-data
Yes search is the problem. The sole(?) reason why Tutanota doesn't have search where protonmail does; in that case Tutanota encrypts everything and so searches nothing.
BUT but but, I hear something coming out of research from some academics in India; news of the possibility of searching over encrypted data *without* having to first decrypt. All theory once but now proven? Now if that becomes possible what an interesting world that will be; Will protonmail become redundant? Will Google go bankrupt?
K. Lindstrom commented
If metadata is a privacy issue, would it not be much better to load a Veracrypt file onto an OwnCloud server in Switzerland or Norway and share the access link and encryption keys with the intended correspondent? That way no metadata is even generated or needed. You just append your new message to your shared correspondence file and let the recipient know to look at the file via Protonmail or an anonymous riseup.net email. I think Protonmail should offer cloud file storage with Veracrypt functionality built in. That would be a major contribution towards security and anonymity.
Consider making encrypted metadata opt-in, and advise people if they opt-in they will lose the search functions.
Search is already NOT working - if you can't find anything then ... privacy must be a balanced thing, unless you are a super terrorist or something.
As we speak, I have only an account for testing with a few mails, and I can't search the body for something, so having hundreds of payments without the ability to search for specific words and such is a no way for me.
I have to say that since Protonmail has taken this stance on metadata and since they recently came out in favor of Net Neutrality I am seriously thinking that they may be a form of controlled opposition. They lull clients into thinking they are using a secure medium only to be blatantly supporting the spying government agencies through passively continuing to provide them with metadata and acting as a megaphone for invasive government control over the internet. I, for one, am going to start using Scryptmail as they encrypt everything and Sergie doesn't seem to be a USGOV shill.
Yeah, this is a serious issue if you care about privacy.
It's the elephant in the room right now.
Why isn't metadata being encrypted?
Is protonmail working on things like calendar integration and a dozen other features while ignoring this major privacy issue?
Here is a suggestion I put forward in regards to metadata. Phil Zimmermann, creator of PGP, is working with a group of people to create a new protocol that will encrypt metadata too:
Why are you NOT encrypting subject lines - Tutanota does.
Why does Protonmail not encrypt metadata? It should and quickly.
Here is a related suggestion posted by the ProtonMail Team themselves, that looks like it would do the job of hiding all metadata and deserves support: https://protonmail.uservoice.com/forums/284483-feedback/suggestions/7158454-implement-http-www-techopedia-com-definition-169
Encrypted metadata is THE thing that ProtonMail is lacking.
Along with a way to ensure that the client hasn't been tampered with. (Having it be loaded from the server every time, all the time, is not ideal)
Agree with this too