The popular email encryption service ProtonMail is under attack from hackers, the company told Fifth Domain, a test to see if the fast-growing platform is able to continue its normal service amid what appears to be a days-long onslaught of digital strikes.
Due to shared infrastructure, the company said over the weekend it was “under heavy” distributed denial-of-service attack and “there may be intermittent connection problems.”
“The attacks are continuing,” Proton Technologies CEO Andy Yen told Fifth Domain July 2. He said the company did not expect to have “significant” disruptions because the attacks “are being well mitigated.”
“We understand through back-channel communications with the attackers that somebody has paid them to launch the attacks, but we do not know who is bankrolling the attacks,” Yen said. He added the attackers are using U.S. platforms Twitter, Reddit and Tor.
Yen said the company is in communication with the Swiss Federal Police, the United States Department of Justice and the Federal Bureau of Investigation.
User data would be secure even if there was a breach, the company said in a June 30 update. “Despite the intermittent connection problems, no emails were lost, no data was lost, and no data was breached.”
ProtonMail says it is the largest end-to-end email encryption service. The company says that its data is encrypted and it does not have access to user data. The company’s website boasts “privacy isn’t just a promise, it is mathematically ensured.”
The company has been surprisingly forthcoming with information about the attack, a stark contrast with other companies who have chosen to hide vulnerabilities. ProtonMail posted continuous updates to the website Reddit, at times adding new information after 9 minutes.
The service has been hailed by privacy advocates as a promising approach for internet companies because it does not have access to its users information. ProtonMail argues that ad-based services like Google and Facebook are not a viable business model because users are not in control of their own information.
“Google and Facebook will lose, unless they can adapt to the new reality,” Yen wrote in a June 28 Hill editorial.
But at the same time, the company has been criticized as being a haven for criminal and terrorist communication.
Internet companies “who aspire to be neutral conduits of data” have become the “command-and-control networks of choice for terrorists and criminals,” then head of the British signals service Robert Hannigan wrote in 2014.
Still, it has not stopped at least some members of the Trump administration from using the encrypted service.
White House staffer Ryan McAvoy reportedly wrote down his ProtonMail password on a piece of paper and left it at a bus stop, according to the Intercept.
“Don’t be a password idiot. Do not write your password down on a piece of paper and then lose that piece of paper” ProtonMail wrote in a blog post. “Without good password practices, no amount of encryption will keep your data secure.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.