
Proton Technologies awarded €2M from the EU - dotcoma
https://protonmail.com/blog/eu-funding/
======
ajvs
Why is the EU investing in closed-source software? The server, mobile apps and
ProtonMail Bridge are all proprietary. It's not as bad as investing in
Microsoft Office but this decision doesn't make sense when they could just as
easily fund fully open-source email solutions like Mail-in-a-box, iRedMail,
Mailcow etc. I don't think they researched ProtonMail as thoroughly as they
did the other open-source software they've invested in like 7-Zip, Apache
Tomcat, Drupal, Filezilla, VLC, KeePass, Notepad++.

~~~
fxfan
Microsoft office is far and ahead the best document system- you probably use
open source and standards compliant gdocs?

Bringing it up in comparison for no reason and just generally being hostile to
MS is the reason MS doesn't listen to non-enterprise feedback. They have their
faults but people like you are the ones who don't let them improve. For you,
it's not about technology - it's about your personal grudges.

~~~
DyslexicAtheist
I've been using libreoffice since +10 years exclusively. Despite using
protonmail myself if you look at it critically through a FOSS (libre)
perspective it's one of the worst email platforms around which mainly benefits
from the (incorrect) assumption that hosting in Switzerland is somehow safer
than hosting anywhere else. They will happily comply with any court order even
(or especially) from the US.

And it's not that the founders chose a Swiss structure because they were
themselves Swiss. Even if the product were hypothetically bug-free and fully FOSS
... the marketing (with its mountains in the background and _"Secure Email
Based in Switzerland"_ tagline) plays to the sentiment that a Swiss
jurisdiction makes Protonmail a safer bet than other location is itself
"snakeoil" ... if I think about this for too long I might even wonder about
their much more relevant claims regarding security & actual code
implementation.

~~~
chmars
Switzerland is NOT a more secure location for data hosting / processing than
many other countries.

Switzerland's data protection laws are way behind the GDPR. Switzerland is
struggling to adapt its data protection laws to keep its adequacy status with
the EU. It has still not signed Convention 108.

Switzerland's surveillance system is growing and growing. The latest revision
of the relevant law was targeted at services like ProtonMail and ProtonVPN
(Federal Act on the Surveillance of Post and Telecommunications).
Switzerland's federal secret service has got almost unlimited power without
any meaningful control and is known as a close partner of the US (thanks to
Snowden leaks). Every communication in Switzerland is under mass surveillance
24/7, the metadata is stored for at least six months (civil security
authorities) or longer (secret services). Switzerland's armed forces work in
close cooperation with NATO.

I am actually wondering whether Proton is a honeypot.

~~~
protonmail
Actually, almost everything you wrote is untrue. If you actually read the text
of the Federal Act on the Surveillance of Post and Telecommunications (which
is publicly available in French and German), you will see that instead of
targeting ProtonMail and ProtonVPN, the legislation actually does the
opposite, and explicitly exempts all but the largest telcos.

You don't have to take our word for this, it's actually in the text of the
law.

Also, if you read the actual text of the US/Switzerland MLAT (mutual lateral
assistance treaty), or the text of the Swiss Data Protection Act, you will see
that "unlimited power without any meaningful control" is also patently untrue,
and there are many layers of control and an explicit need to satisfy the
requirements of Swiss privacy laws, even on cases originating from the US.

------
conradk
As soon as Proton paid a Bitcoin ransom [0] to try and avoid a DDoS attack, I
lost all hope for this company.

[https://www.theguardian.com/technology/2015/nov/05/protonmai...](https://www.theguardian.com/technology/2015/nov/05/protonmail-service-held-ransom-by-hackers)

~~~
krn
Well, as if that wasn't enough:

Vid shows how to easily hack 'anti-spy' webmail (sorry, ProtonMail) (2014)

[https://www.theregister.co.uk/2014/07/07/protonmail_fail_jav...](https://www.theregister.co.uk/2014/07/07/protonmail_fail_javascript/)

Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back (2017)

[https://motherboard.vice.com/en_us/article/qvvke7/email-prov...](https://motherboard.vice.com/en_us/article/qvvke7/email-provider-protonmail-says-it-hacked-back-then-walks-claim-back)

And it turns out, that Mozilla had never been to the office where ProtonVPN
was actually being developed, before agreeing to integrate it into Firefox:

[https://news.ycombinator.com/item?id=18612296](https://news.ycombinator.com/item?id=18612296)

~~~
protonmail
This seems a bit disingenuous.

The first article is concerning an XSS flaw that was discovered in a pre-
release beta version of ProtonMail 5 years ago, prior to public launch.

As for the second one, everybody can agree that criminals are bad, and we do
work with law enforcement to bring them to justice, for example here:
[https://protonmail.com/blog/apophis-squad-arrest/](https://protonmail.com/blog/apophis-squad-arrest/)

The third allegation has also been proven false time and time again. Mozilla
checked ProtonVPN by meeting with the team in Geneva. The EU also checked
Proton Technologies extensively before granting 2 million euros. The state of
Geneva also checked before granting tax breaks.

On the other hand, there is ample evidence that there are shady VPN companies
engaged in a large scale disinformation campaign against ProtonVPN. Just have
a look at the 500 Twitter bots used to spread false info:
[https://twitter.com/conspirator0/status/1036353291662360577](https://twitter.com/conspirator0/status/1036353291662360577)

Who is more likely to be telling the truth? 500 anonymous bots on Twitter, or
Mozilla, the EU, and the state of Geneva who have all verified the company?

~~~
krn
> The first article is concerning an XSS flaw that was discovered in a pre-
> release beta version of ProtonMail 5 years ago, prior to public launch.

It's not about the vulnerabilities themselves, but the fact, that the existing
users were not informed about them at all when they were discovered:

 _" The reason I posted the video was because they did not communicate the
security problems to their users – and did not even notify me when the bugs
were patched," Roth told The Register.

"I believe that for a service that is used for 'secure communication' trust is
very important – and if they hide vulnerabilities from their users I can not
trust them."

The researcher said he had reported five vulnerabilities including a cross-
site request forgery bug that apparently allowed an attacker to change
victims' email signatures, further opening them to malicious cross-site
scripts._

> As for the second one, everybody can agree that criminals are bad, and we do
> work with law enforcement to bring them to justice

Your company publicly bragged about engaging in a criminal activity, and then
claimed that the journalist's report was based on "unsubstantiated rumors".

> The third allegation has also been proven false time and time again. Mozilla
> checked ProtonVPN by meeting with the team in Geneva.

As far as I am aware, Mozilla did nothing to visit the office in Vilnius,
Lithuania, where ProtonVPN was actually being developed.

> On the other hand, there is ample evidence that there are shady VPN
> companies engaged in a large scale disinformation campaign against
> ProtonVPN.

I am not sure if any of it was really "disinformation", but it doesn't
surprise me, that some of your competitors might have used it as an
opportunity to enrich themselves, given how shady the industry of VPN
providers is.

Actually, I wouldn't be surprised if Luminati Networks was behind this attack,
since they compete with Tesonet directly as both, a free VPN provider, and as
a data mining company.

> Who is more likely to be telling the truth? 500 anonymous bots on Twitter,
> or Mozilla, the EU, and the state of Geneva who have all verified the
> company?

I see you again and again trying to attach the "Proton" brand to the entities
that people consider of high trust and integrity – such as "Switzerland",
"Geneva", "EU", "Mozilla" – when, in fact, the real values of your company
seem to be very far away from that.

~~~
protonmail
You clearly have a grudge against us, so this is not going to be a meaningful
discussion, but we do want to point out that this is entirely unsubstantiated:

> As far as I am aware, Mozilla did nothing to visit the office in Vilnius,
> Lithuania, where ProtonVPN was actually being developed.

Check on Linkedin. Proton devs are distributed across all our offices (Geneva,
Zurich, Skopje, Prague, Vilnius, remote). Proton management is in Geneva,
where we met Mozilla.

~~~
krn
> Proton management is in Geneva, where we met Mozilla.

I have pointed this out, because a picture with Mozilla representatives in
Geneva office was used as a proof that ProtonMail didn't outsource its free
VPN service to a data mining company in Eastern Europe – and only used that
company as "an office space provider" – when, in fact, Mozilla representatives
never went there to verify it themselves.

------
skrebbel
Wow, as an EU citizen I can't figure out whether I think it's good or bad that
we're now funding foreign companies.

Sure, Switzerland is very much European, but they're not in the EU. Romanian
taxpayers are now contributing more to ProtonMail than Swiss taxpayers are.

This would be very much like the US government subsidizing a Canadian software
company, on the grounds that 40% of their users are American plus some of
their developers live in Vermont and Kentucky.

But, well, at least it goes to the good guys! So yay ProtonMail, I guess!

EDIT: I stand corrected, please do read some of the very insightful replies
people posted. Thanks everyone!

~~~
waplot
And now you understand brexit..

~~~
markvdb
In terms of EU R&D budgets, the UK is a net receiver by 63%. It contributes
5.4*10^9€, and receives 8.8*10^9€, says the Royal Society [0].

To find a stick to beat a dog in the EU budget is easy.

After looking closely at UK financial contributions to the EU, the conclusion
of a London School of Economics study[1] summarises things quite more
eloquently: "In assessing the UK contributions to the EU’s finances, there are
interpretations which are reasonable and those which are ‘spun’ to make
political points, even though they are – bluntly – an abuse of statistics. A
normative judgement about whether what the UK’s contributes (however measured)
to the EU budget could be better spent on other public projects or whether the
‘membership fee’ yields sufficient benefits to be justified is beyond the
scope of this paper. But the evidence is clear that, although it is a net
contributor to an extent comparable with several other Member States of a
similar level of prosperity, the UK does not face an unfair share of the
burden of the gross costs of paying for Europe."

[0] [https://royalsociety.org/~/media/policy/projects/eu-uk-fundi...](https://royalsociety.org/~/media/policy/projects/eu-uk-funding/uk-membership-of-eu.pdf) (page 12)

[1] [https://eprints.lse.ac.uk/67030/1/Begg_EU%20budget.pdf](https://eprints.lse.ac.uk/67030/1/Begg_EU%20budget.pdf)

~~~
nbevans
Analysis of only the R&D budget is surely a biased interpretation of the
statistics. To spell it out: If XYZ nation contributes 100bn and receives 10bn
back to spend on R&D (because it has loads of high skilled workers / industry
perhaps) and 20bn back to spend on everything else - that still makes it a net
contributor to the tune of 70bn.

------
lukeqsee
I really want to like ProtonMail. I do like them, in fact.

Unfortunately, their business email offering only has one advantage: the
encryption. Every other feature that's important for running a business (IMAP,
shared inboxes, automatic forwarding capability, etc.) is severely lacking. My
company just switched because we simply couldn't deliver quality customer
support inside the confines of Proton's system. After switching, I realized
how much I was missing from "normal" email systems. A polished business email
offering really does make a major difference.

That being said, I really like their stance on privacy and their determination
to make secure email a default, so I'm considering moving my personal email to
them (ironically from the same company we just switched the business to).

I hope they can use some of this €2m to address shortcomings in their email
platform so we can eventually switch back.

~~~
arosier
Protonmail employee here. Appreciate the feedback, would you be willing to
have a call to discuss? Business feature development is high priority for us
and we’d love to hear your problems first hand to ensure they are all
addressed in the coming releases.

~~~
lukeqsee
Absolutely! Feel free to email me directly at my work email:
luke@stadiamaps.com.

~~~
arosier
Thanks, reaching out!

------
nitrohorse
> This funding will without a doubt accelerate our ProtonDrive efforts...

Looks like there’s a somewhat working site to learn more:
[http://protondrive.com](http://protondrive.com)

~~~
adsadadsad
Comical. No-https

~~~
ChrisGranger
The site is incomplete. I wouldn't worry about the lack of HTTPS yet...

~~~
mnbvkhgvmj
It takes very little effort to provide a cert these days. Even a landing page
should have a cert. Especially from a company with a reputation for security
and privacy like protonmail's.

------
pergadad
It's disappointing they don't specify which funding call this was. This would
give us an insight into what really is behind this.

Having been deeply involved in EU funding I am 95% certain they are
overstating the "checks". Yes you have to provide financials, but it's not
like the EU staff are auditing the company, they do a few basic checks based
on the documents provided by the company to check that they are not in debt or
going bankrupt soon.

Horizon 2020 has various angles but principally is about research so they must
have requested funds for that, not directly for product development.

Even with closed source, still a nice thing to see this kind of company
supported.

~~~
ghego1
I can confirm it's from the call SME instruments Phase II

------
morrbo
ProtonMail is fantastic. I'd recommend (and do myself) using it for a small
start up. Hopefully this funding will allow development of some of the
features which make it effectively impossible to use for an enterprise (or
group > 20 people IMO). It's currently missing things such as:

Enforcing 2FA on anyone inside your organization.

Setting company-wide signatures.

Using HTML as your signature.

Setting company-wide/user details (ie. Allowing appending "Regards,
%%Position%% %%LandLine%%" on an outgoing email).

Mail-flow rules (though admittedly, this is basically the same as the previous
point).

Tagging of external emails ("This email was received outside of the
organization" at the start/end/subject of an email).

These are a few QOL suggestions I can think of off the top of my head.
However, the enforcing 2FA on users, and being able to tag external emails are
outright security issues which should genuinely be implemented as ProtonMail
is both security and privacy focused. I did raise a ticket with all of this
a few months ago, but hope this gives the devs some visibility so they can use
that sweet EU funding to improve on these. These basic features would make a
world of difference to all users.

The use of HTML as your signature (last time I checked anyway) is silly, as
this actually works absolutely fine. We ended up manually pasting the HTML
into the page using right click -> inspect element, and hitting save... this
works fine if anyone else is having the same problem.

TL;DR: Highly recommend ProtonMail but only for small orgs at this point.

~~~
badpun
Protonmail Bridge, required for IMAP, is so buggy as to be unusable. This
means you’re effectively left with the bare bones web client. This may be ok
for lots of people/businesses, but not for others.

~~~
gvand
Serious question, unusable on which platform?

Yes, sometimes it crashes, but it is good enough from my point of view, used to be
way worse.

~~~
badpun
Windows 10. Esp. after latest update, emails keep disappearing and reappearing
in the mailbox. And even before that, the bridge was timeouting all the time.

~~~
arosier
Thank you for the feedback. Bridge is receiving a lot of internal priority
right now. If you have time, we’d appreciate your direct feedback:
[https://protonmail.com/support-form](https://protonmail.com/support-form)

------
bb100
The censors that previously flagged an outsourcing comment in
[https://news.ycombinator.com/item?id=18612296](https://news.ycombinator.com/item?id=18612296)
are active again.

~~~
protonmail
Because it has been proven false time and time again. Mozilla checked
ProtonVPN by meeting with the team in Geneva. The EU also checked Proton
Technologies extensively before granting 2 million euros.

Proton Technologies does not outsource. It has offices outside of Switzerland
in Czechia, Macedonia, and Lithuania, but the bulk of the staff is in
Switzerland. There are team photos online
([https://www.instagram.com/p/BuWTJlaHPOf/](https://www.instagram.com/p/BuWTJlaHPOf/)),
and if you visit the address on the website, you will see it is indeed that
building.

On the other hand, there is ample evidence that there are shady VPN companies
engaged in a large scale disinformation campaign against ProtonVPN. Just have
a look at the 500 Twitter bots used to spread the rumors:
[https://twitter.com/conspirator0/status/1036353291662360577](https://twitter.com/conspirator0/status/1036353291662360577)

So who do you want to believe? 500 bots on Twitter, or Mozilla, the EU, and
the state of Geneva who have all come out and verified the company?

~~~
ak180
Then the EU probably overlooked this:

[https://protonmail.com/blog/diversity-in-tech-why-it-matters...](https://protonmail.com/blog/diversity-in-tech-why-it-matters/)

 _If ProtonMail had grown like a typical Swiss company, only hiring candidates
from Switzerland, we never would have been able to find enough talent to drive
our growth. By hiring globally, and disregarding which country a candidate is
from, we increased our potential hiring pool from 8 million to 7 billion. A
diverse workplace also helps to attract applicants. More applicants means we
can hire more candidates, while simultaneously being more selective._

But I'm glad that EU money is spent for hiring globally.

------
amrrs
Along with this and the previous GDPR, Does it mean that EU is more concerned
about the Privacy of its citizens than any other Nation ?

Because everywhere else we see a pattern of Privacy invasion but EU has always
been the front runner in setting up benchmark of how PII data should be
handled.

~~~
jaabe
Yes and no, the EU is more concerned with intrusion into citizen privacy from
the private sector than any other large player.

As far as the public sector goes, however, the GDPR is mainly meant to
increase security surrounding citizen privacy. You can’t demand to have your
criminal record deleted for instance, and there is a range of privacy data
like that which serves a purpose within the public sector. The EU is fine with
that, and possibly more so than the US, but the EU does want to keep it safer
than has previously been the case. Mostly because the European public sector
didn’t really take these security requirements seriously enough on its
own. The GDPR didn’t really change the rules for the public sector, it rather
increased the penalty for not following them.

There is an old saying that in the US people trust their corporations and not
their governments. It’s the opposite in Europe.

~~~
omeid2
It is interesting though, because even at least in theory, you vote for your
government but not the corporations.

~~~
TomMarius
You vote with your money

~~~
omeid2
Yes, in capitalism theory, where individuals are rational entities that can
comprehend, afford, and consider the consequences of their choices without
being swayed by advertisement or their economic situation.

In practice, people buy the best value thing for now without giving much
thought or as a general rule being able to comprehend the long term impact of
it on their own, let alone the society as whole.

This is why we need and have anti-trust, consumer protection, and various
other laws and systems to protect consumers.

~~~
TomMarius
You're arguing as if I was suggesting we should abolish the government. I
simply said that in case of corporations, you vote with your money, which is
absolutely true (basically the first law of economics - supply/demand) - I
said and meant _nothing_ about government or its abolishment _nor_ any change
of laws (I'm European). I replied to a comment saying that corporations are
not voted for, not to a comment saying that antitrust laws are important.

~~~
omeid2
I understood, my argument is against the very premise of said law, the notion
that consumers are rational entities that make conscious choices, especially
concerning society and long term issues.

Now, if you do agree with my idea that as a general rule, consumers are
irrational individuals that don't ponder or simply comprehend the consequences
of their choices (not least because they're fools but because of the
complexity of markets and supply chains) , specially on a social level, or are
forced to make choices as a result of their economic standing; then the idea
of consumers voting for companies becomes some kind of a caricature mocking
the notion of voting and choice.

~~~
ttoinou
It would also mock what you're saying about governments. Why would people
working for gvt be better than us at making those kind of choices ?

    
    
> consumers are rationale
    

You don't need to suppose that for supply and demand

------
chappi42
Good! And now the EU should invest €50M into Jolla...

~~~
supermatt
Have Jolla approached the EU for funding?

~~~
chappi42
Don't know. Rostelecom has invested. Seems wise to try to better protect
government employees from leaking data from their phones. E.g. not so nice
when my Bundeskanzler's (Merkel) phone gets spied upon by friends.

~~~
gdy
Friends don't spy on friends

