The recent news that Protonmail was in 'partnership' talks with Huawei has sparked outrage in the infosec community, and an ultimatum has been issued to Protonmail: publicly renounce the decision to partner with Huawei by Tuesday, or the infosec community will delete its Protonmail accounts in protest.
Backdrop To The Drama
Recent US sanctions added Huawei to a blacklist, requiring all US businesses to obtain a license in order to work with the company. These restrictions mean that Huawei may shortly lose access to the Android operating system which powers all of its smartphones, as well as to applications like Gmail. Huawei is now building its own alternative to Android and signing up app vendors to its new app store ecosystem in anticipation of losing access to the Android ecosystem.
Naturally, Huawei is looking for an alternative to Gmail to offer its users.
What is really strange is that Huawei has chosen Protonmail instead of any number of domestic email services run by companies like Tencent QQ, Netease or Sina. Instead Huawei, a company with alleged ties to the Chinese government and Chinese intelligence apparatus, chose an email provider which is widely known to be used by NGOs, dissidents, activists and privacy-minded citizens who would prefer that the Chinese government and its massive surveillance apparatus did not read their emails.
We know that Protonmail is a target, and also that its users are not at all liked by authoritarian governments for the privacy they enjoy. Yet somehow, not only has Protonmail managed to continue to provide its email and VPN services to the Chinese market without being blocked like any other VPN or privacy provider, it is now doing deals with one of China's largest companies, one with alleged strong ties to Chinese intelligence services, military and government. Remember too that Protonmail is the email provider (according to Forbes) that the NSA cannot access.
When Protonmail's founder, discussing the Huawei deal, commented that you never really know who you are working for when you do business in China, you could hardly blame the infosec space for being suspicious of the whole affair.
To me, this whole thing raises a question. What the hell is going on?
Infosec Loves Protonmail
The infosec space loves Protonmail, and lots of us rely on their service. The real reason I have a Protonmail account is that everyone I know in infosec has one, so I figured I should have one too. In my view, this means that we have to hold them up to a higher degree of scrutiny than we would other email providers, because of the collective trust we have placed in them and the fact that, over time, they have become the infosec email provider of choice.
The infosec space is also very aware of the Chinese cyber operations conducted by their military, intel community and proxies against the US and our allies for more than a decade. We are more aware of these operations than almost any other group of Protonmail users because cyber operations sit firmly within our domain.
Against this backdrop, Protonmail picked the worst possible partner in Huawei, a company that many in infosec believe to be in cahoots with the Chinese government. We were always going to question everything about this partnership, even if there had been nothing particularly suspicious about the affair.
The Protonmail Ultimatum
This whole thing started with VikingSec. He was the first to publicly question them, and he became increasingly frustrated with their responses to his questions. After being "led around in circles by Protonmail", he issued an ultimatum.
VikingSec is telling them that unless they reverse their decision to partner with Huawei he will delete his Protonmail accounts, and many of us stand with him.
If they do not publicly renounce their partnership with Huawei by Tuesday, we too will be deleting our Protonmail accounts and revoking the trust we placed in them.
Before digging into this subject deeper, let's talk about VikingSec for a moment. He has published with Secjuice since our early days, specifically on the subject of the Chinese cyber threat, and is our resident China watcher. He also lives in China, is married to a Chinese woman and speaks Mandarin badly. He is a #FUZZYSNUGGLYDUCK, which sounds delightfully absurd by design, but trust me when I tell you that it speaks highly of the infosec circles he moves in. When Mitch sounds the alarm and sticks his neck out to publicly question a company we all trust, we should listen.
Forget for a moment that we are questioning an email provider which we collectively trust, and remember that all you can really trust is what others do, not what they say. Against that backdrop, we have to pay closer attention to what is happening here.
Have a listen to what he is saying in the video he just published, then let's break it down below in a little more detail with links to some of the sources he discusses.
Protonmail's response to the questions raised by VikingSec has consisted of boilerplate replies that were annoyingly copy-pasted into every conversation thread and a series of disingenuous tweets from Protonmail, culminating in the word "absurd".
This is rather absurd...- @Protonmail
Their CEO pushed out a blog post to clarify their position on this issue, but on Twitter they said disinformation was everywhere and that the concerns were 'absurd'.
In light of this, it is worth drilling down into this controversy and the key arguments on both sides. Keep an eye on this page and we will update it as the story progresses.
THIS ARTICLE WILL BE UPDATED SHORTLY
UPDATE - The word 'partnership' and the quote from Protonmail's CEO mentioned earlier in this article have been removed from the original Protonmail blog post. The Wayback Machine records six different changes made to that post over two days.
The word 'partnership' no longer appears in the original Bloomberg article either.
UPDATE - I spoke to @SomeInfosecGuy and asked him for his views on this unfolding story and Protonmail's apparent capitulation to VikingSec's ultimatum.
Secjuice - Do you think Protonmail capitulated to the ultimatum in their Forbes article and by deleting the word partnership from their original blog post?
@SomeInfosecGuy - I don't think Protonmail has capitulated, they have clarified their position because based on their statement, they still intend to publish their application in the Huawei app store. Ultimately I believe that it was never really a partnership and that Protonmail CEO Andy Yen misspoke when he used the word partnership.
I still think China wants Protonmail's data, Protonmail is making a calculated decision based on risk and it's still to be seen if it's the right decision or not.
UPDATE - A response on Twitter from VikingSec.
THIS ARTICLE WILL BE UPDATED SHORTLY (Monday Sept 8th 2019)
UPDATE - The Twitter war continues and the ultimatum still stands.