Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Cambridge Analytica Used ProtonMail to Hide Email Paper Trails

Cambridge Analytica faces more accusations following a third expose by Channel 4 News, which filmed recently-suspended CEO, Alexander Nix, discussing the company’s role in the 2016 US Presidential election. The report also featured the CEO talking about how the company used a “secure, secret email system” to cover up correspondence between the company and third parties. 

The email system, ProtonMail, is a Swiss company that provides encrypted email services not accessible by anyone other than the mail sender and the mail recipient. According to the company’s website: “Data is encrypted on the client side using an encryption key that [we] do not have access to. This means [we] don't have the technical ability to decrypt [your] messages, and as a result, [we] are unable to hand your data over to third parties.”

Furthermore, ProtonMail’s website said: “All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO), which offers some of the strongest privacy protection in the world for both individuals and corporations. As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.”

In the report aired by Channel 4 News last night, CA’s Nix explained to the undercover reporter, posing as a political consultant, how the company covers its tracks: “I’d like you to set up a ProtonMail account please because now these are getting quite sensitive.”

When asked whether the consultant should hand over the ProtonMail account, Nix replied: “Well, nobody knows we have it… and secondly, we set out ProtonMail emails with a self-destruct timer. So you send them, and after they’ve been read, two hours later they disappear.

“So then there’s no evidence, there’s no paper trail, there’s nothing.”  

Comparing itself to SnapChat, ProtonMail says that communication with non-ProtonMail users can be secure, saying that encrypted messages can be sent to Gmail, Yahoo, Outlook, and others. The company stopped publishing its transparency reports in February 2017 – the latest update showed that only five user data access requests were granted out of 54. 

ProtonMail responded to Infosecurity's request for comment this afternoon with the following statement:

"The real story is that the mass collection of data is dangerous. As was clearly demonstrated by Facebook, if your core business is building a massive surveillance system, the data will eventually be misused. Whether it is breached, hacked, misappropriated, or sold is irrelevant.

"Given that ProtonMail is one of the most secure email services in the world, it is not altogether surprising that Cambridge Analytica chose to use ProtonMail. However, it is important to note that ProtonMail users also include journalists, dissidents, doctors, lawyers, NGOs, and even regular people who rightfully won't want their data sold and resold without their consent through platforms like Facebook and Google.

"While we may not always agree with the people who use ProtonMail, we must nevertheless continue to protect their privacy rights, because the essence of democracy is respecting the rights of even the people we disagree with. However, as a society, we must act against the mass collection of data perpetrated by big tech companies because that does pose a threat to democracy. When it comes to protecting against bulk data collection though, encryption is not the problem, but actually part of the solution."

A spokesperson also confirmed that: "[ProtonMail] has a sizeable anti-abuse team within the company that works 24 hour a day, seven days a week to prevent abuse of our platform, so we are making constant efforts to prevent the misuse of our technology. As to whether CA's usage of ProtonMail was lawful, we would need a Swiss court to weigh in on the matter before we can express an opinion about it."

What’s Hot on Infosecurity Magazine?