Encryption of all metadata
If Protonmail is to be serious about privacy, I don't understand why all metadata isn't kept solely in encrypted form. I just signed up for Scryptmail and any data is kept in encrypted form, unreadable for any third party.
I don't see why it would be necessary to keep for instance the senders or subject titles in encrypted form when Protonmail doesn't support POP3 or IMAP.
The problem is that otherwise e-mail is inherently insecure, because if for instance a governmental entity wants to see your account, while they won't have access to the content of your e-mails, they can see what you're talking about (through the subjects), and most of all who you are talking to. So they can just go to the providers of the people you're talking to, and obtain all your info via proxy.
I think if Protonmail doesn't become a true zero knowledge service then it provides more or less a false sense of security.
We have given this quite a bit of thought, but at the present moment, it is not clear the advantages would outweigh the disadvantages.
The biggest problem is search. Encrypting all metadata would break metadata search entirely on the web client as there is still no efficient way to handle search of encrypted data within a browser.
Secondly, metadata encryption’s value from a privacy standpoint is also somewhat dubious. Because we ultimately must deliver the message to the recipient, we must know who the recipient is. At the current time, there still isn’t any proven and viable way to work around this.
Metadata encryption is an area of continued research for us, and when the opportunity arises and the technology for doing this matures, we will definitely implement it in ProtonMail.
Mail is inherently insecure, mainly due to the ecosystem. As answered by Proton, I'm not sure adding extra layers will help that much, because of the disadvantages (compatibility with the ecosystem, security of the recipient address, ...)
If you need a true secure mail, write only to other Proton users (isolate the ecosystem), it fixes most of your concerns.
But for true secure communications, other more recent protocols exist (Signal, etc...).
Romuald R. commented
I thought I'd read somewhere that you couldn't do the "automatic forward email" because you couldn't see any information about the emails?!
And here it looks like you need this for search ? Am I missing something here ?
This should be moved under ProtonMail Feedback
6 years and counting. Tutanota already has this, and their search is working and their web client is faster than PM's. Not as nice looking though.
E-mails could be indexed locally and search limited to local search. That's the way Tutanota does it.
In fact, Tutanota encrypts all metadata except email addresses and timestamps. From their blog (https://tutanota.com/blog/posts/differences-email-encryption/):
"Tutanota does not rely on PGP to ensure that your data is kept secure. This way Tutanota can also encrypt much more data: body, attachments, subject lines, and sender names. The only remaining data in Tutanota that is not yet encrypted are email addresses and times of emails."
Most importantly, Tutanota also encrypts a user's whole address book, including e-mail addresses and names — the most important info in a contact list. In comparison, Protonmail's contact encryption is rather feeble, given that it doesn't encrypt these two key components.
Meanwhile, a "notice" underlining that the subject field is unencrypted might help the less savvy user.
Please make the subject line encrypted for all PGP emails and for the Non-Protonmail users encrypted emails.
People will forget, and therefore the subject, which can give away lots of the email details, will be sent in an insecure way. This will fix this.
Would like the subject to be encrypted also.
Please use a generic subject name such as "Encrypted email from ProtonMail". Right now encrypted emails will leak the subject which is considered metadata.
Jon Par commented
As far back as 2018, Enigmail/Kleopatra/Thunderbird/GnuPG has been using the Memory Hole standard to include the subject line in the encrypted portion of the PGP message. ProtonMail has maintained that the use of PGP is what holds them back from encrypting the subject line, but that's not true. Enigmail puts a fake, filler subject line in the header and puts the real subject line text encrypted within the body. What's worse is ProtonMail arbitrarily blocks using Enigmail to encrypt an email with a different PGP key underneath the "normal" ProtonMail key. So not only does Proton not include this subject line feature, they go out of their way to prevent you from using it. I can literally encrypt more in Thunderbird with my Gmail account than I can with ProtonMail's Bridge. That's ridiculous. There is no reason for ProtonMail to dictate to me what I put in my emails. If I want to send a PGP-encrypted email to someone outside of ProtonMail using Thunderbird, that should be allowed. I thought the whole reason Proton gave for using PGP instead of something like Tutanota was to be more compatible with others' PGP encryption. Now they're really doing the exact opposite - worst of all worlds.
When will ProtonMail allow PGP/MIME encryption of the subject line in the same way as Enigmail? It's a huge difference between Proton and competitors. Proton can do what Tutanota does without leaving PGP. Will ProtonMail at LEAST allow using Enigmail PGP encryption and then add Proton's encryption on top of it, if necessary, so that I can encrypt my subject line if I want? I want to stay with ProtonMail, but being four years behind on this and other things, like full encrypted search, calendar, fully encrypted contacts, etc. that Tutanota offers for a lower price makes it hard to justify. Can we at least get this part fixed? I know calendar is coming, even if the other things aren't.
Thanks for all you have done. I hope to see Proton continuing to grow - happy to be a paid supporter.
Jon Par commented
As far back as 2018, Enigmail/Kleopatra/Thunderbird/GnuPG has been using the Memory Hole standard to include the subject line in the encrypted portion of the PGP message. ProtonMail has maintained that the use of PGP is what holds them back from encrypting the subject line, but that's not true. Enigmail puts a fake, filler subject line in the header and puts the real subject line text encrypted within the body.
When will ProtonMail allow PGP/MIME encryption of the subject line in this way? It's a huge difference between Proton and Tutanota and other competitors. I want to stay with ProtonMail, but being four years behind on this and other things, like full encrypted search, calendar, fully encrypted contacts, etc. that Tutanota offers for a lower price makes it hard to justify. Can we at least get encrypted subject with this PGP/MIME standardized feature?
Thanks for all you have done. I hope to see Proton continuing to grow - happy to be a paid supporter.
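The "protected headers" layout the two comments above describe, as an added example for this thread (it is not ProtonMail, Enigmail or Thunderbird code): the real Subject is carried inside the encrypted MIME part, marked with the protected-headers="v1" parameter, and the outer header carries only a filler. The envelope addresses stay readable, since the mail could not be routed otherwise. The SHA-256-keystream/HMAC cipher is a stand-in so the round trip runs offline with the standard library; a real client would hand the inner part's bytes to its OpenPGP engine and wrap the result as RFC 3156 multipart/encrypted. Names, addresses and the subject text are constructed sample data.

```python
"""Encrypted subject line via the protected-headers convention.
Added example; the stand-in cipher replaces the OpenPGP engine only so
the code runs offline. Do not use the stand-in for real mail."""
import hashlib
import hmac
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

FILLER_SUBJECT = "..."   # the only Subject the transport and the server see


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def stand_in_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the OpenPGP engine: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def stand_in_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_protected(sender: str, recipient: str, subject: str, body: str, key: bytes) -> bytes:
    """Sender side: the real Subject (plus a copy of From/To) goes inside the encrypted part."""
    inner = EmailMessage(policy=policy.default)
    inner["From"] = sender
    inner["To"] = recipient
    inner["Subject"] = subject
    inner.set_content(body)
    inner.set_param("protected-headers", "v1")   # marks the inner headers as authoritative

    outer = EmailMessage(policy=policy.default)
    # Envelope addresses must remain readable or the message cannot be delivered;
    # only the Subject is replaced by a filler before the message leaves the client.
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = FILLER_SUBJECT
    outer.set_content(stand_in_encrypt(key, inner.as_bytes()),
                      maintype="application", subtype="octet-stream")
    return outer.as_bytes()


def read_protected(raw: bytes, key: bytes) -> dict:
    """Recipient side: decrypt, then prefer the protected Subject over the outer filler."""
    outer = BytesParser(policy=policy.default).parsebytes(raw)
    inner = BytesParser(policy=policy.default).parsebytes(
        stand_in_decrypt(key, outer.get_payload(decode=True)))
    protected = inner.get_param("protected-headers") == "v1" and "Subject" in inner
    return {
        "outer_subject": outer["Subject"],
        "subject": inner["Subject"] if protected else outer["Subject"],
        "body": inner.get_content().rstrip("\n"),
    }


if __name__ == "__main__":
    k = os.urandom(32)   # per-message key; a real client derives it from the recipient's public key
    wire = build_protected("alice@example.org", "bob@example.net",
                           "Financial Document", "Q3 statement attached.", k)
    print(wire.decode())
    print(read_protected(wire, k))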
Why not just offer a searchless option and limited search with minimal metadata, alongside normal search? For the limited option the user just needs to accept responsibility for managing emails without search or with limited search.
Searchable metadata could be just SMTP envelope fields, recipient and sender fields, and the timestamp of send/receive. Everything in the DATA segment should be stored only in encrypted form if the user wants. There can obviously be duplicate data between the two, but that should be accepted.
The main usage for metadata is also sorting. This is why I see sent/received time as a usable addition.
Farid Hajji commented
"Encrypting all metadata would break metadata search entirely on the web client as there is still no efficient way to handle search of encrypted data within a browser."
To people reading here, they are probably talking about FHE (fully homomorphic encryption) performance. Basically, they would need to search in encrypted data without decrypting it first, because if they could decrypt it, there would be no point in encrypting it in the first place.
Performing operations (such as searching) on encrypted data without decrypting it first may seem paradoxical, but is indeed possible, if you use something called fully homomorphic encryption (FHE).
Mid 2017, FHE was still pretty slow, and running search on encrypted data was still way out of reach, especially for mobile devices (think: even a fully charged battery won't be enough to perform the required calculations for even a single search). That's why search in encrypted data was impractical at this point.
However, two years later in mid 2019, FHE performance improved significantly and is really starting to become practical. Check out the talk by Daniele Micciancio at EUROCRYPT 2019 a few days ago:
As FHE matures, we may hope to see affordable search in encrypted data in the years to come.
Dark Horse commented
Protonmail should encrypt the whole format of the email, not just the content. The contacts, subject line and attachments should be encrypted as well, as is implemented in the Tutanota encrypted email app. That way less metadata is available and the email as a whole is encrypted more fully.
I just subscribed to ProtonMail Plus since I'm pleased to support your cryptography research. Your company has brought awareness to the general public that unencrypted email is not secure, and made PGP encryption accessible to a non-technical audience (sending from ProtonMail to ProtonMail addresses) - and for this I will be forever grateful.
However I was a little bit disappointed that metadata such as email subject lines is not encrypted, since the subject lines, sender, and recipient were readable in plain-text after I recovered my password using a backup email address, despite the loss of the original encryption key. Metadata reveals more about one's communications than one might initially realize, and is the underpinning of most "dragnet" bulk surveillance programs.
Please consider implementing client-side encryption/decryption of metadata going forward into the future. With the growing computing power of most client devices nowadays (including mobile devices), decryption of metadata on-the-fly to facilitate features such as full-text search should be achievable. The small degradation in performance is a small price to pay for more complete privacy.
Thank you in advance for the consideration, from a ProtonMail Plus user!
The subject line cannot be encrypted. Perhaps a subject line can be included in the email body, and replaced with message number in the subject line. The recipient would receive a message number. Say for example 1542175246. On the Protonmail side, 1542175246 is translated to Financial Document.
Maybe the subject line can be hashed. Ideas? Comments?
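An added check on the hashing idea in the comment above (example code written for this thread, not Proton's): subject lines are low-entropy, so an unkeyed hash is reversed by hashing a guess list, which the server or anyone with a copy of the database can do. A keyed tag (HMAC under a key only the user holds) stops that, but it is still deterministic, so the server can still see which messages share a subject. The guess list, key and message identifiers are constructed sample data.

```python
"""Plain hash vs keyed tag for subject lines. Added example; guess list and
key are constructed sample data, not anything taken from a real mailbox."""
import hashlib
import hmac

# Constructed guess list. A real attacker uses far larger corpora of observed subjects.
COMMON_SUBJECTS = [
    "Invoice", "Financial Document", "Meeting tomorrow",
    "Re: Contract", "Password reset", "Your order has shipped",
]


def plain_hash(subject: str) -> str:
    """What 'just hash the subject' produces: no secret involved."""
    return hashlib.sha256(subject.encode("utf-8")).hexdigest()


def reverse_plain_hash(digest: str, guesses=COMMON_SUBJECTS):
    """Dictionary attack the server can run offline: one hash per guess, no key needed."""
    for guess in guesses:
        if hmac.compare_digest(plain_hash(guess), digest):
            return guess
    return None


def keyed_tag(user_key: bytes, subject: str) -> str:
    """HMAC under a key the server never holds: guessing now needs the key."""
    return hmac.new(user_key, subject.encode("utf-8"), hashlib.sha256).hexdigest()


def equality_leak(tags: dict) -> list:
    """Even keyed tags are deterministic: the server learns which messages share a subject."""
    groups = {}
    for msg_id, tag in tags.items():
        groups.setdefault(tag, []).append(msg_id)
    return [ids for ids in groups.values() if len(ids) > 1]


if __name__ == "__main__":
    key = b"\x42" * 32   # constructed user key, held client-side only
    print(reverse_plain_hash(plain_hash("Financial Document")))   # recovered
    print(reverse_plain_hash(keyed_tag(key, "Financial Document")))   # None
    print(equality_leak({"m1": keyed_tag(key, "Invoice"),
                         "m2": keyed_tag(key, "Invoice"),
                         "m3": keyed_tag(key, "Re: Contract")}))
```

The message-number translation proposed in the same comment has the same shape as the keyed tag: it hides the subject text from the transport but still exposes a stable identifier per subject, so repeated subjects group together in whatever the server stores.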
Why not put the search on us, with a note that it is resource-consuming? I think the Tutanota guys pretty much got the right idea: they have the search turned off by default, and when you want to search, they show a pop-up saying that the search consumes device resources; something like "Use at your own risk" x)
Another approach might be to leave it as an option, thus leave the current implementation as default, and also have some checkbox in the settings saying "Encrypt metadata (ALERT: resource-consuming e-mail search will be done on client-side)"
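The split that the comments above (local indexing as Tutanota does it, envelope-only metadata on the server, search as a client-side option) describe, as an added example written for this thread and not Proton or Tutanota code: the server keeps only the SMTP envelope addresses and a timestamp, which is enough to deliver, sort and paginate, while the inverted index over subject, sender name and body exists only on the client and is rebuilt from decrypted content. Decryption of the blobs is outside this block; CLIENT_PLAINTEXT stands for what the client is assumed to have recovered with its own key. The record layout, field names and sample messages are assumptions.

```python
"""Server-visible envelope metadata vs a client-only search index.
Added example; record layout, field names and sample data are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ServerRecord:
    msg_id: str
    envelope_from: str   # SMTP MAIL FROM: needed for delivery, stays readable
    envelope_to: str     # SMTP RCPT TO
    received: int        # Unix timestamp: lets the server sort and paginate
    blob: bytes          # ciphertext of headers and body; opaque to the server


class ServerStore:
    """The operations the provider can perform without any user key."""
    def __init__(self):
        self.records = {}

    def put(self, rec: ServerRecord):
        self.records[rec.msg_id] = rec

    def list_ids(self, newest_first=True):
        ordered = sorted(self.records.values(), key=lambda r: r.received, reverse=newest_first)
        return [r.msg_id for r in ordered]

    def by_address(self, addr: str):
        return [r.msg_id for r in self.records.values()
                if addr in (r.envelope_from, r.envelope_to)]


TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text: str):
    return set(TOKEN.findall(text.lower()))


class ClientIndex:
    """Inverted index that lives only on the client, built from decrypted content."""
    def __init__(self):
        self.postings = defaultdict(set)

    def add(self, msg_id: str, plaintext: dict):
        for fld in ("subject", "from_name", "body"):
            for tok in tokenize(plaintext.get(fld, "")):
                self.postings[tok].add(msg_id)

    def search(self, query: str):
        """AND of all query terms; neither the terms nor the postings leave the client."""
        hits = None
        for term in tokenize(query):
            found = self.postings.get(term, set())
            hits = found if hits is None else hits & found
        return hits or set()


# Constructed sample data. The blob bytes are placeholders for ciphertext.
SERVER = ServerStore()
SERVER.put(ServerRecord("m1", "alice@example.org", "me@example.net", 1700000100, b"\x93\x11\x7f"))
SERVER.put(ServerRecord("m2", "bob@example.net", "me@example.net", 1700000200, b"\x02\xaa\x40"))
SERVER.put(ServerRecord("m3", "me@example.net", "alice@example.org", 1700000300, b"\x5c\x0e\x19"))

# Content the client is assumed to have decrypted locally with its own key.
CLIENT_PLAINTEXT = {
    "m1": {"subject": "Financial Document", "from_name": "Alice", "body": "Q3 statement attached."},
    "m2": {"subject": "Meeting tomorrow", "from_name": "Bob", "body": "Can we move it to 10?"},
    "m3": {"subject": "Re: Financial Document", "from_name": "Me", "body": "Received, thanks Alice."},
}


def build_index(store: ServerStore, plaintext: dict) -> ClientIndex:
    """Client-side sync: walk the server's id list, index the decrypted copies."""
    idx = ClientIndex()
    for msg_id in store.list_ids():
        idx.add(msg_id, plaintext[msg_id])
    return idx


if __name__ == "__main__":
    print(SERVER.list_ids())                    # what the server can sort without keys
    print(SERVER.by_address("alice@example.org"))
    idx = build_index(SERVER, CLIENT_PLAINTEXT)
    print(sorted(idx.search("financial document")))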
I very strongly agree with Oliver (June 12, 2015) who wrote that without encrypting metadata a mail service is not effectively private. I used to be a premium (paying) member of Protonmail because I wrongly assumed that both mail body & metadata were encrypted. Once I learned otherwise, I started treating my PM account like my Gmail account, assuming that if someone wanted badly enough to read my correspondences with my legal clients they could. Sadly (for my relationship with PM), now I have a paid subscription with another email provider that guarantees metadata encryption (also). If PM enhances its product, I'd happily subscribe once more.