Why did ProtonMail vanish from Google search results for months? (techcrunch.com)
345 points by based2 on Nov 11, 2016 | 199 comments

Anecdata: At a conference a couple of years ago I was talking on-stage about my product. It's a direct competitor to Google in an area that they don't do very well (quite often, comically badly), and my customers are people who care about getting really good results in this area. I made a couple of joking quips about the poor quality of the Google product during this presentation and moved on.

Two days later my product completely vanished from the Google rankings. No cause that I could think of; I wasn't doing any questionable SEO or other manipulation at the time. I later found out there were Google people at the conference, though I don't know whether they were at the talk or not.

Correlation != causation so I'm hesitant to definitively call shenanigans on this. But it does make me believe ProtonMail's story a little more.

If you could communicate to a google employee the name of your site, they could investigate internally and identify any wrongdoing here. Whether they'd be able to show you the results after the fact I don't know though.

This must be related. Don't believe in coincidence of this level.

Never blame on stupidity what can be blamed on malice when power centres are involved.

Listen to this TED talk. They are Google's competitor ...


Well that was a waste of time. Poor talk, no technical information, nothing innovative.

That's not the point. You know why Google removed them from the search results.

If this is happening, I hope we get someone who recognizes how wrong it is and becomes a whistleblower.

Do you have proof or even just evidence of this? You could just be someone that wants to get the jab in at Google.

How could you prove how a black box algo ranks you?

You can't prove that. The parent can however make the decision to not hide behind a throwaway account, give their company name, suggest how they found out Google employees were in the audience, document the dates they were ranked highly vs low, tell us what area Google is comically bad in, detail what if any SEO practises they were using at the time. Link the site if nothing else so we can all have a look into back links dodgy practises, archive.org copies.

You can't prove how a black box algo ranks you, but you can do a damn sight more than a throwaway comment accusing Google of cooking their algorithm out of spite.

> The parent can however make the decision to not hide behind a throwaway account

I think you have a reasonable point, but given their prior experience with publicly criticizing Google, they also have a reasonable desire to remain anonymous.

The best way to remain anonymous in this situation is to say nothing.

I mean if Google is going to penalise them and risk their search integrity for a quip what's to stop them asking a bud over at HN to see if this account's IP is associated with another?

Infeasible of course but around the same likelihood of happening

> the same likelihood of happening

I disagree. It's much easier to identify me by my real name than by asking a third party to analyze server logs to find an IP and match it to users (many of which may be using the same public IP).

Identifying a user by asking a third party vs penalising company for a quip.

Those are the two things I was comparing, not how easy it is to identify someone.

I had this happen to me in a different way. I overmarketed an online traffic school for traffic tickets website and Google sent through webmaster tools an email "this website is harmful to the google index" and actually removed the website from Google's organic index and removed listings from links to the site from other sites (like from court websites, etc). The site completely 100% disappeared. I tried to get them to re-list it but they never did so I had to use a different domain. This was a site that had 6+ years behind it. Google does de-list sites.

What was the old domain?

It was 2014; impressions dropped by over 96% overnight (essentially, you could find it by searching for the site name, nothing else); the dates didn't correlate with an observed algorithm update; no 'Manual Actions' were showing in GWT; the attendee list at the conference was public.

I'm not comfortable with saying any more because, as hackuser says, I'm not risking the last two years of work (we've finally got back up to that level of Google traffic, though fortunately other traffic has grown immensely). I can simply offer this up and let people disregard it to the extent that they're willing to trust a throwaway account. You don't trust it at all, and that's fine.

Exactly - I call BS. Google won't artificially boost search rankings for their own products - in some cases the search folks have told other groups that need to do SEO if their rankings are too low.

(Disclaimer: I work for an Alphabet company)

I don't buy that everyone at Google is too honest to abuse their power. They are human beings, and there are many of them.

Search is their primary business though. I can't see them jeopardizing that by blacklisting a random competitor that poked fun at them in a presentation. It makes no sense.

However, they're the only ones that know their ranking algorithm. This means they can tailor their sites for the best possible ranking. It also means they can rewrite the algorithm in ways that better rewards Google (Let's give a boost to sites with the highest traffic, and exponentially drop off the boost as traffic decreases. Oh look, it turns out our own Google.com is quite popular, all of our services are under that domain, and they'll all see higher rankings).

Let's not forget protonmail.com was previously protonmail.ch. Moving domains can make a tremendously negative impact on search engine rankings. The "fixed" comment could have been properly assigning protonmail.com with the ranking data for protonmail.ch. This detail was in the previous HN post, but looks to be left out of this one for some reason...

Disclaimer: This is speculation. Take both this article and my post with a grain of salt.

They have not exactly moved domain, as both are still operational. As a user, you can choose which one to use.

The .ch is a 301er to the .com.

But it showed in other search engines' results during the time.

Search engines unsurprisingly have different bugs.

It goes to show that what we really need from regulators is an enforcement of transparency. Companies must explain their actions if they have a material impact on users/customers.

We see so many different cases here on hacker news that have one thing in common: Bad things happen and those affected have no idea why these things have happened.

It doesn't mean that companies need huge support organisations. I'm sure 99.9% of these questions can be answered by an automated system. Support can dig into the more exceptional cases and doesn't necessarily have to be free.

The biggest problem here is not the support cost, but that offering this kind of information gives people insight into how the algorithm works so they can better game it.

In search, email, etc there's continual competition between people trying to trick the spam detection algorithm and people trying to extend the algorithm to counter them. Secrecy is a critical tool on both sides of this fight. Force transparency on the algorithm maintainers and its output will get much worse.

Keeping the algorithm secret has downsides, but is worth it (for society at large) on balance.

(Disclosure: I work for Google, on unrelated things, and don't know anything Google-specific here.)

That's not the level of detail I'm asking for. I'm not talking about publishing the algorithm.

But if there is a dramatic change in ranking or my site is removed entirely, it should be possible to ask Google to investigate (possibly automated) and tell me if something out of the ordinary has happened.

Secrecy shouldn't mean to hide simple mistakes on either side. That makes search results worse not better, as it was clearly the case with protonmail.com

True transparency comes at a huge cost too though. Someone like Google probably makes hundreds of changes to their algorithms every single day from thousands of engineers. That's a change every few minutes. Who could even keep up with reading and understanding that much documentation about changes to the algorithm, let alone the base way it works in the first place?

And those are just the manual changes. There are fully automated systems that crawl the web and use information from millions of web pages simply to rank your website. Any of those web pages changes, and your ranking might change with it. For true transparency, you should be able to verify that you got the right ranking as documented, yet merely calculating that is going to require you to get a copy of every other webpage in the world. No simple task.

There is certainly a limit to the level of detail that can be provided in any explanation. But that can't be an excuse for not responding at all when someone's livelihood is at stake.

There is a more general issue here. As we use more machine learning and AI, the problem of having to explain why a particular decision was taken will come up more often, especially if the decision has grave consequences.

All "AI-first" companies would be well advised to work on this problem. This is like computer security in the 1990s. It's going to be absolutely central to many applications of AI and it will be a key legal issue in future.

> Who could even keep up with reading and understanding that much documentation about changes to the algorithm, let alone the base way it works in the first place?

Someone at Google, hopefully. At least I wouldn't want to work at/be customer of a company where no one knows how their core product actually works.

If Google employees are able to keep track, so are regulators. If not, then the "cost" of requiring it may actually be a benefit.

I don't understand how regulation could even work. Companies such as google are increasingly using machine learning. So even to the company the results seem to be coming out of a black box, and they don't really know why. This can lead to bad results such as black people being labeled as gorillas[1]. But on average some sort of metric is being optimized.

[1] http://www.usatoday.com/story/tech/2015/07/01/google-apologi...

Go switch to another search engine then.

If people wanted transparency they'd switch to companies which are transparent.

As others have commented this is not possible because it's not my choice to make the switch.

But more generally I see it like this: Without the law, Google would not exist as a legal entity. Incorporation is what allows Google to become a legal entity and it is also what protects Google's owners from having their personal possessions seized in case of insolvency.

So Google's owners have asked society for protection beyond what is provided solely based on market principles. In other words, they wanted rights, not just incentives.

I'm asking for the same thing. Rights that are independent of my ability to pay and are difficult to emulate through market mechanisms.

What protection is provided solely based on market principles?

I think corporations are part of market principles.

Your analogy is incorrect because the rights are different.

How do I do that? I'm trying to switch but I can't find the option that makes my customers use Bing to find my site. No matter what I do, most of them use Google.


In other words, the people who need more transparency aren't the ones who can choose what search engine is being used.

How is Bing more transparent than Google?

What are my options BTW?

I am not sure you have any idea of how long it takes for the general populace to realize that they are being screwed.

Ordinary people don't yet know because they trust Google - a trust which was built by constant "Don't be evil" rhetoric for over a decade. This trust also helped them acquire a monopolistic position so when they break that promise they need to be investigated.

Search is now a public utility and Google should be treated as utility provider.

Transparency should be a must, not a feature.

No private company is required to give transparency. The ones that claim to can be lying about it. Email is way more important than people realize and yet nobody gives a shit.

There is no monopoly in e-mail though. That's an important distinction.

The move from .ch to .com was done in an attempt to deal with the poor search ranking. It was done because the best guess was that Google was "geocoding" ProtonMail as a Swiss-only relevant website and therefore ranking it poorly in google.com results. ProtonMail actually did not want to move domains. There was a significant internal struggle over the decision. Up until the change, ProtonMail had actually been promoting the .ch domain as an advantage since the US Gov't/FBI would need to go through the Swiss authorities to seize DNS control of the domain (unlike .com). That is the reason that .ch remains available for customer e-mails.

> Moving domains can make a tremendously negative impact on search engine rankings.

Only if you do it wrong. If you do it right, there should be negligible impact.

We don't actually know what happened which is the hard part. They could have done it wrong, or they could have done it right but a bug caused it to be filtered in Google search. Maybe some automated process deemed the new site as fraudulent. Last thing anyone wants is a new site with a similar domain stealing SEO.

Moving domains always comes with its risks.

I think that Google removed it from their results intentionally. Google has the ability to restrict results, and for it to be weighted so highly after they "fixed" it, and because they gave no indication of what was wrong, I think the "fix" was to remove it from the blacklist.

However, it doesn't change that I use Gmail and will continue to use it. It's still the better product for the money (free).

The removal and fix need not have been so blatant - a breaking change for some sites might have been prioritized, and the fix to that break may have had other work pushed ahead of it. There doesn't need to be an explicit blocklist or clearlist in play to make some customers more important.

Not exactly free, you pay with your data

Google products have one connecting line in them. They make it easy to adopt and are used to collect data. Whether it is user data or users helping in training a system (captcha, Google voice, ...)

You will usually see a dampening of rankings when moving domains. Redirects do not transfer 100% of authority.

Thank you for showing me this!

Not sure how I missed it.

I wouldn't risk my business only because a Google employee tweeted "30x redirects don't lose PageRank anymore." Because there is a lot of room for different interpretations and open questions.

I would have said this too some years ago, a competitor moved his domain last year with practically no impact. Moving domains today seems much much safer than some years ago.

PS: Same goes for http to https, some years ago you've got a huge huge drop in rankings while today it's a no brainer.

It shouldn't disappear entirely though. A completely new site shows up faster than this was unavailable.

But nobody outside google, yahoo or bing knows exactly what is the 100% correct way.

Moving a domain is always a high risk operation for your search results position.

Start there and then read hundreds of other snakeoil tutorials and in the end you still won't know what the correct way is.

Any relatively experienced technical SEO will know how to do this; it's not rocket science, you just have to pay detailed attention to the site.

Unfortunately a lot of ecommerce sites are of low quality and coded by the finance directors golfing mates "friends" company.

> ProtonMail tracked this situation through Spring 2016, trying to get in touch with Google to query why it had vanished from search results — and initially having no luck getting a response. It only eventually got an acknowledgment of the complaint in August after it had tweeted at Google staff.

Why is it that large companies like Apple and Google are so hard to reach? Remember the story of the Dash iOS app developer that got kicked out of the store. He also practically was unable to reach anyone.

To be fair what that guy originally said and what happened were two different things. Apple contacted him before they shut down his account. At least that's what Apple said...


Treat people based on their actions.

Paying user of dash here and I've been very impressed by how the developer has allowed the Windows and Linux app zeal to use his document sets and format for free. Only condition was that they don't release a competing version for OS X.

I think he deserves the benefit of the doubt.

Whatever the case may be. I think there are plenty examples where situations escalated simply because the company ignored an urgent and justified request. I remember calling AppleCare and the poor guy on the phone admitted that there was a bug in OSX but had no means to escalate my problem further.

Another example is the recent Spotify bug, which did not receive any attention until the story made it to the top of HN. I think companies actually cause damages to themselves by not reacting sooner.

As an engineer for a related company, I sometimes go and look at the support forums or tickets for my software.

I find hundreds or thousands of complaints. Many are legitimate bugs, and some are user stupidity ("I need to check my mums email but she won't give me her password, can you let me in anyway").

For those which are legitimate bugs, I know, through user metrics, that they only affect a tiny fraction <0.1% of the users. I, and the rest of the engineering team have to prioritize our team between fixing these bugs for the 0.1%, and making the product better for the 99.9%.

It can be a tough choice, but when you've decided that it's time to move on and develop new features, hearing about individual instances of rare bugs is no longer useful. We just aggregate how many users are impacted by each significant bug, and from time to time quash the top ones.

Manually editing a database entry for a single user is no longer privacy-justifiable, so basically the only fix we can do is to fix the bug for all users at once. And if the bug is only affecting 15 out of 300,000,000 users on a product that makes 1 cent per user per year, I can't afford to spend more than 30 seconds on it really, yet most bugfixes are at least a day's work.

Thank you for taking the time for writing this and being so open.

However, I think this approach should be criticized. It's a very concrete improvement for the 0.1% of users dropped in favor of a very vague improvement for an unknown subset of the 99%. Also, the bugs have severe consequences for the users (as in the OP or the Dash case) it would be downright irresponsible to be customer of a company that acts like this.

That is great insight in how many software corporations prioritize tasks. However, rare bugs are often indicators of bigger problems, so it pays to at least investigate them. Not because of 0.1% of affected users, but because it might make things better for 99.9% as a consequence. Not all bugs are like that, of course, but some are.

Thanks for the insight. Makes me understand what is going on "on the other side". Although the message is a bit sad. If you don't scream loud enough it doesn't get fixed.

Steve Jobs seemed to have an ear for the 0.1% :) I am pretty certain one (rare) OSX bug got fixed because I emailed him.

1 cent per user per year sounds very small when most online business gets valued at 1 usd / month per user times 3 years.

The author says that's not true. He has phone call recording proving he is right: https://blog.kapeli.com/dash-and-apple-my-side-of-the-story

He has a phone recording of how he screws himself, by recording a phone call and trying to escalate a situation that Apple was trying to fix.

He's not in the App Store today, because just posting that call without consent shows he can't be trusted.

They may have tried to contact him at the address of the second account, which was spamming the store and may or may not have been him.

Is the developer from Dash based in the USA? Does two party consent cross international lines? He may not have the concept of not posting a phone conversation because it's a legally allowed thing and he didn't think to check what was the legal norm in Palo Alto.

He's not in the US and it may have been legal. It's still astonishingly stupid. Apple was trying to defuse the situation and asked him to call off the pitchfork-wielding mob by communicating their point of view (an account he paid for was spamming reviews). They were willing to accept his somewhat dubious assertion ("I paid for someone's account, and gave them hardware, and sometimes borrowed that hardware again, but it's not me and I'm in no way responsible").

But instead of accepting this resolution allowing everyone to save face he seemed to be drunk with the power of the solidarity he had gotten initially, or he just wanted to really win the argument. I don't know the motivation, but anyone could have told him that trying to blackmail Apple was not going to end well.

> or he just wanted to really win the argument. I don't know the motivation, but anyone could have told him that trying to blackmail Apple was not going to end well,

So you’d also say someone should never sue Apple for doing something bad, because they might abuse their monopoly power against you if you try to win?

Sue them in a court of law, if it's bad enough, though be prepared for a long and hard fight. But never try to fight them in the court of public opinion.

That's an interesting use of the word 'abuse'. I think that with a power balance as unequal as it is Apple needs to show a ton of compassion and restraint in its dealings but I don't think you could say that they were abusing their power.

That's the effect of a (quasi) monopoly.

It's like a DC politician who's above the law - you have so much power that you can literally do what you want.

The solution? Stop using products of the biggest players and start looking for alternatives.

Or possibly the effect of having a user base in the billions. How do you adequately support that?

The amount of tweets @adsense are not bigger than the tweets @klm. Still, KLM has a (terrific) webcare team, while @adsense never replies. Adsense revenue is slightly lower than Airfrance/KLM, but margins are probably 100x higher.

They don't support users because of arrogance. There is no viable alternative, they know that. And even if it costs them more revenue than the total costs of a support team, Google's culture is so accustomed to lavish spending that even 1B in lost revenue is just a blip on the radar.

Stop tweeting at them and use the proper channel.

If your account is worth more than a few cents, they'll gladly speak to you.

KLM doesn't have flights for 3 cents, so doesn't have such a support-timewaster problem.

KLM almost certainly has hundreds of passengers a day whose gross margin is in the pennies.

True, but Google has Billions of customers per day whose margin is in the pennies, and a few hundred thousand significant account holders.

An account holder chosen at random is most likely to be in the former category, unlike klm where a customer chosen at random is likely to have a much higher margin worthy of a few dollars of support costs.

Some might argue a company should support a customer well even if doing so puts that customer as a lifetime lossmaker though.

They don't have billions of Adsense users, hence the comparison with KLM. And even a small publisher can grow into something big.

It's probably not arrogance so much as a lack of perceived necessity.

> Or possibly the effect of having a user base in the billions. How do you adequately support that?

The same way Amazon does? How about banks, airlines and other similar.

I understand that there's little motivation for some online services to improve their customer service experience but Google is especially bad. Even when making a purchase from them (an area where both Apple and Microsoft do much better), you're dealing with a bot with absolutely no other contact point.

Though, hypothetically speaking, if they did deliberately place ProtonMail on their blacklist trying to kill a competing business, then keeping quiet about it for as long as possible would make sense to them.

They're extremely easy to reach if you're paying them money (ie: buying advertising space rather than selling it).

Even with a paid e-mail they are impossible to reach when that mail has problems.

If this post weren't full of vague legal risks for Google, you would likely get a (private) explanation of the cause. As it is now, no employee would risk such communication for fear of it being used against them in an anti trust case, even if it were well meaning. Anti trust cases are worth billions, and a single email saying "we messed up because your URL contained an apostrophe and that caused a bug in our crawler" might well tip the case against Google to a non technical judge or jury.

If they say nothing, it’s even more likely to be used against them.

And I personally think that’s actually good. Open all the antitrust cases against Google at once, so it can be broken up.

Google has had many chances to privately communicate with ProtonMail before they wrote this blog.

Direct link to Protonmail's blog post: https://protonmail.com/blog/search-risk-google/

A little suspicious, but lacking hard evidence of trying to hurt competition, I choose to give Google the benefit of the doubt here.

I have had a ProtonMail account for a few years and the system keeps getting better. The one feature lacking, and keeping me from using it as a primary email service, is not being able to backup my emails locally. I think that is on their TODO list.

They also don't have 2-factor authentication yet.

2fa is being tested on the internal development site, now.

Code allowing external access (IMAP etc) to mailboxes that would allow you to download all your mail is in development now. Some IMAP clients (cough Microsoft cough) have "interesting" ways of interpreting/implementing the RFCs. So, it is taking somewhat longer than expected.

Google often-times makes severe algorithm changes. There is an SEO company called MOZ that keeps track of these. If you see right around the same time that ProtonMail suffered a disruption of rankings they were in the middle of a huge update (https://moz.com/google-algorithm-change). This was May 10th of this year.

I am referencing the official ProtonMail blog post (https://protonmail.com/blog/search-risk-google/) linked by another commenter in this thread.

I also want to say I'm not a Google employee and have no vested interest in the authenticity in their algorithm.

It is very fishy that according to PM they contacted a Google rep via twitter and got a "we fixed something" response from them.

As an SEO person, my opinion is this:

As an encrypted email service ProtonMail probably gets a lot of foreign and otherwise "undesirable" (or deplorable ;) ) links in the eyes of Google. Google lately has been doing a lot of algorithmic changes to actively sift these types of links out of consideration when ranking sites or dampening them severely.

My guess is that Google was basically penalizing PM for the links they were getting without notifying them via Webmaster Tools. Whether or not there was a manual penalty involved that they weren't notified about also adds a little bit of shadiness. Maybe Google thought PM was trying to game the algorithm or at the very least many of the links they were getting were of a spammy nature and they ran a penalty on them.

The redirect from them changing a domain in the past can also compound issues with Google. Sometimes they consider redirects spammy depending on what kind of redirect is in place.

Without more info it does seem weird that they would "fix" something not only without warning them in the first place but not explaining it afterwards? Most web admins have to use what's called a "disavow" list to remove the penalized links but apparently their rep seemed to do this for them. Probably due to the anti-trusty viral nature of the complaint?

I don't know what SERP tracker PM is using for these stats. Barring there were no errors in that system, they can trace the lack of rankings to a lack of organic traffic, and they were given no reasoning to the penalty or what was going on...

They may want to hire a lawyer and start an anti-trust suit on Google. This is very fishy without any official information from Google.

That's interesting; it would be interesting to look at their link profile - getting out of a link penalty is hard; it took me over a year to get one client out of one.

The Swiss recently passed this pro-surveillance referendum:


In the blog post, proton says they aren't impacted by the new law. Do any third party analyses agree?

In case anyone is interested, here are my field test results for "encrypted email", obtained today:

                 Google  DuckDuckGo   Yahoo
    Proton Mail     1       16          -
    Tutanota        7       20          -
    Gmail           -       10          1 (G Suite)
"-" means no appearance up to and including second page. Ranking excludes sponsored links.

Google has plausible webmail competitors. "ProtonMail" is not one of them. Can someone provide an explanation of why they think Google would elevate this particular random email provider in the media by penalizing their search results?

You are not unaware of ProtonMail [1]. Why are you putting its name in sneer quotes to imply unfamiliarity and insignificance?

[1]: https://news.ycombinator.com/item?id=11305228

I'm not sure what this is supposed to demonstrate. This is a thread that seems mostly to consist of me debating with the Cyph people.

It shows that ProtonMail should be familiar to you, since that's what the thread is about. Please don't answer with a question or we'll be caught in an infinite loop.

I answered your question: it shows no such thing. I am not, nor am I likely to be a week after this thread, which is about ProtonMail.

ProtonMail focuses on security and paid services; the free tier is almost useless. Gmail is a free service that makes money on pushing ads and selling your privacy but provides excellent service. There is no conflict of interest.

SEO, it is hard to say. They want to compete on "email" and "secure email" keywords; it is not going to be easy.

Can you elaborate how free tier is almost useless? I'm using ProtonMail as my secondary e-mail and I'm on free tier, and it is pretty useful. Much more useful than FastMail which pretty much forced me to switch to paid plan right away or else I will be unable to send e-mail - all this to combat spammers.

> Gmail is a free service that makes money on pushing ads and selling your privacy but provides excellent service.

G Suite Email is a paid service that doesn't sell your privacy, doesn't serve ads, and has extremely good service.

> G Suite Email is a paid service that doesn't sell your privacy

G Suite is an American service and will give away your privacy without a proper/open court case when receiving a gag order. This is very much in contrary to PM.

When you talk about search, you have to talk about search keywords to put things in context. "How high do you rank on Google?" is a meaningless question, for instance.

ProtonMail said they weren't ranking for "encrypted email" and "secure email" [1] for a year, not just "email". How many "much more popular" than ProtonMail "encrypted email" services do you know?

And no, using StartTLS doesn't count. I'm talking about email services that have promoted themselves and in the media as encrypted or end-to-end encrypted email services, and would therefore get the ranking for those search queries.

ProtonMail wasn't talking about ranking high for the word "email". Obviously that would be quite difficult to impossible for a year-old company.

[1] https://protonmail.com/blog/search-risk-google/

They are now the top result for [encrypted email]. That seems to say that google does indeed think they are more than just a random provider.

Assuming the blog isn't blatantly lying about their position being lower just recently, it's proven that google did penalize them for a while.

As to the reasons, I tend to assume bugs or coincidences. I just can't see Google doing something like that on purpose, when they'd gain a minor edge in the webmail business at a huge risk to their reputation, a smoking gun for all those regulators poised to hit them with charges of anticompetitive behavior at the first opportunity.

Google results are not like, hand-curated. Why would the google ranking of a site on a given search term be reflective of whether or not they consider ProtonMail a serious competitor?

Wouldn't it be a simpler explanation that they just rank down everything with mail in the name?

The even simpler explanation is that Google's Algo changed and that there's a lot of websites about encrypted email.

This is the likely result.

Google probably dampened the authority of many of the sites linking to ProtonMail, for one reason or another.

This most likely brought Proton's rank down without them doing anything wrong.

As a person that's actually running a hobby search engine: It's simpler to apply a coefficient on a hostname string than process associated data; may it be during a fetch, a processing or a search phase.

Is that happening to FastMail?

Nah, we come up number 2 for a search for "reliable email" when I'm logged in and number 5 when I'm logged out - which sounds bad, but the stuff about it is all questions about how reliable email delivery is. Fair enough.

We don't even rate a mention for "professional email" because it's all about how to not come across like a n00b when writing emails.

(interestingly, bing search for professional email has an ad for Google's email above the search results)

FastMail, unlike ProtonMail, actually has traction. Why is Google supposedly penalizing ProtonMail, but not FastMail?

Eh, we are entering an area of speculation. The right answer is 'only google knows', but since you are asking this question twice, let me try to take a wild guess:

- Google, an advertising company, benefits from having access to the plaintext of people's messages. They can advertise this as 'secure' but only for the comm channel.

- Proton mail, advertises itself as: "ProtonMail is the world's largest secure email service, developed by CERN and MIT scientists. We are open source and protected by Swiss privacy law.", featuring end to end encryption, anonymous email, mobile clients etc.

- Fastmail: "Secure, reliable email hosting for businesses, families and professionals. Premium email with no ads, excellent spam protection and rapid personal support."

If I'm a product manager of GMail, I'd be more scared of Proton mail than FastMail. In fact, anything featuring end-to-end encryption will be approached with negativity, because then GMail can't target ads, which are the main cash cow for google.

Protonmail is another crappy provider filling the void left by Lavabit.

It doesn't have any additional security benefits beyond regular webmail providers that provide TLS:

- Encryption is performed inside the browser. By delivering a modified JavaScript payload, it can steal encryption keys.

- No support for POP, IMAP, or SMTP. If you want to use GPG, you can't.

To see it being compared to Fastmail and Gmail, which don't engage in parlor tricks, is a travesty.

May be unpopular opinion, but I think that's the correct criticism here. When I decided to move off Gmail, I had the paranoia hat on, and looked for something rock-solid. ProtonMail, sounding so good on paper, fails to live up to some common sense questions. If the encrypting infrastructure is closed and under their control, it boils down to trusting them on their pinky promise. False pretense of privacy and security is worse than being paranoid and defensive.

I chose Fastmail. I pay for my email service and don't expect them to sell me out. Get to use a functional email system that lets me search my emails (ProtonMail lacks this ability).[0]

Being aware that my emails could be snooped on by some government somewhere.. so nothing sensitive goes in there. That's what OTR or other personal encryption systems are for.

[0] - https://protonmail.com/support/knowledge-base/search/

I can see all sorts of criticism leveled at ProtonMail, but this seems a bit disingenuous. They're trying something different than GPG, which had 20 years to prove itself and failed to gain any traction.

Sure, you have to trust their software, but is that fundamentally different than trusting the GPG software, or did you do a full audit of that?

GPG, when used correctly, is theoretically secure. Protonmail, like Lavabit, is insecure by design. They make no mention of this; they claim the inability to read your messages, which is trivially false.

GPG has a track record of being secure against many adversaries, including the NSA. It's used by most Linux distributions for package signing, so you probably already depend on it -- even if indirectly.

I don't expect GPG to be completely secure. But it's not based on deception.

The trivial attack is based on them sending you compromised code, right? Because that seems comparable to an attack on GPG where their downloads are compromised.

I get that there's a difference in degree, i.e. GPG binaries being checked against hashes and having a long track record as an organization, but is that fundamentally different?

I could see ProtonMail evolving to, for example, using a browser extension that allows you to use a known-good version of the crypto library, and informing you of changes.

Point being: it isn't perfect and I'd prefer something based on standards. But e-mail encryption has failed, even though it is often more personal than websites where TLS has been successful. ProtonMail is a legitimate attempt in a space that seems to need a new approach.
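The "known-good version, informing you of changes" idea from the comment above, as an added example (not code from the thread or from ProtonMail): digests of reviewed scripts are pinned in Subresource-Integrity form and every later delivery is checked against them. The URLs, script bodies and the `ScriptPins` class are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Strongest first, mirroring how Subresource Integrity picks the algorithm to enforce.
ALGOS = ("sha512", "sha384", "sha256")


def sri_digest(payload: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style token such as 'sha384-<base64 digest>'."""
    raw = hashlib.new(algo, payload).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def parse_integrity(value: str) -> dict:
    """Split integrity metadata into {algo: [raw digests]}, skipping junk tokens."""
    parsed = {}
    for token in value.split():
        algo, sep, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # drop an optional '?options' suffix
        if not sep or algo not in ALGOS:
            continue  # unknown or weak algorithm (e.g. md5) is ignored
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # malformed base64
        if len(raw) == hashlib.new(algo).digest_size:
            parsed.setdefault(algo, []).append(raw)
    return parsed


def payload_matches(payload: bytes, integrity: str) -> bool:
    """True if payload matches any digest of the strongest pinned algorithm."""
    pinned = parse_integrity(integrity)
    for algo in ALGOS:
        if algo in pinned:
            actual = hashlib.new(algo, payload).digest()
            return any(hmac.compare_digest(actual, d) for d in pinned[algo])
    return False  # nothing usable pinned: fail closed


class ScriptPins:
    """Known-good digests per script URL (hypothetical store for this example)."""

    def __init__(self):
        self._pins = {}

    def pin(self, url: str, known_good: bytes) -> str:
        """Record the digest of a reviewed copy of the script."""
        self._pins[url] = sri_digest(known_good)
        return self._pins[url]

    def audit(self, delivered: dict) -> dict:
        """Map each delivered URL to 'ok', 'changed' or 'unpinned'."""
        report = {}
        for url, body in delivered.items():
            if url not in self._pins:
                report[url] = "unpinned"
            elif payload_matches(body, self._pins[url]):
                report[url] = "ok"
            else:
                report[url] = "changed"
        return report


# Constructed sample data: placeholder URL and script body, not real ProtonMail assets.
CRYPTO_URL = "https://mail.example/js/crypto.js"
KNOWN_GOOD = b"function encrypt(msg, key) { /* reviewed release */ }\n"
PINS = ScriptPins()
PINS.pin(CRYPTO_URL, KNOWN_GOOD)

if __name__ == "__main__":
    delivery = {
        CRYPTO_URL: KNOWN_GOOD + b"// one extra line\n",  # differs from the pin
        "https://mail.example/js/ui.js": b"render();\n",  # never reviewed
    }
    for url, verdict in PINS.audit(delivery).items():
        print(f"{verdict:9} {url}")
```

A pin only helps if the reviewed copy and the pin list arrive over a channel the mail server does not control, which is why the comment places the check in an extension rather than in the page itself.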

I think it's different, because Protonmail can target you, individually, at any time. Like, for example, upon receipt of a NSL.

GPG is used asynchronously. In many cases, everyone would need to be compromised to go after one person. That raises the chance of discovery.

A browser extension is a fantastically better idea. Google previously prototyped most of the work for this: https://github.com/google/end-to-end

The difference is that, any time you check your email, a basic TLS MitM could exfiltrate your entire inbox without your or ProtonMail's knowledge — exactly the same threat model as Gmail or any other webmail provider.

Further to that, I'd trust Google's infrastructure to withstand compromise much more than I'd trust a datacenter run by a small company that I know much less about. (Tinfoil hat: sure, I have to assume that the NSA has a copy of my Gmail inbox, but god knows who else may have owned ProtonMail.)

When's the last time you downloaded GPG? For me: years ago.

How often do you download ProtonMail's JavaScript code? Several times per second, as long as you're using it.

And a product manager for Gmail can affect ranking of a random website exactly how?

They just pop over to the search fixer dashboard and drag protonmail into the penalty box. Two clicks, boom, boom.


Most likely it isn't targeted against ProtonMail but all or most mail providers.

I would suggest that Gmail has little to gain by silencing Yahoo Mail or Outlook.com (that many have heard of anyways), but has a lot of reason to silence companies which are pointing out the privacy issues with using Gmail.

I'm not talking about Yahoo or Outlook.

Ok sure, let's play "guess the name of the competitor that tptacek is referring to" because he wants to be as vague as possible so as to not be rebutted

Wow, that was an aggressive response. As I've mentioned elsewhere in the thread, I'm talking about independent providers like FastMail.

Which brings us to ocdtrekkie's point. FastMail is a great niche product, but as a paid product and one that doesn't sell itself on the privacy improvements over something like gmail, Google has absolutely nothing to worry about.

ProtonMail on the other hand, while not at the moment a threat to gmail does do a lot of brand damage to it, as it highlights the privacy problems people have with it.

The article does not provide an answer and simply poses the question. The fact that Google does not disclose any useful information makes it difficult to figure out what really happened.

I wouldn't consider ProtonMail a competitor of Google. I would assume they got penalized in search rankings like everyone else.

The fact that they went through Matt Cutts to get this resolved is telling - since he's the public face of Google for anti-web-spam/anti-blackhat-seo.

> @mattcutts We know Google is intentionally hiding ProtonMail from search results. Interested in talking before our data goes public?

Apparently threats help get you attention.

They have been caught tweaking the algorithm to their advantage in the past:

"One example from the FTC report shows how hazy the line can be. When testing changes to its ranking algorithm, Google has “raters” manually assess different sets of search results for the same query and rate which one is better. In one such experiment, Google tried demoting “comparison shopping websites” like NexTag to see if its raters liked the results better. When they didn’t, Google tweaked the demotion algorithm until they did."[1]


Matt Cutts isn't the public face for the webspam team anymore, for months if not years now. I think since 2014.

He even left google and works for the US Digital Service since this summer.

And on the topic: Nope, no penalty. At least no ordinary / known version of typical penalization.

Just found out right now that the "famous" Googleguy user that was posting stuff on WebmasterWorld around 2002-2004 has been confirmed as having been Matt Cutts (the article is a little older, from 2011, https://www.seroundtable.com/cutts-googleguy-intheplex-13291...). Those were interesting times, when Google was still playing the "good guy" card trying to get most of the websites' data. I'm pretty sure nothing of that facade has remained in place now.

I'm old...

I have every sympathy with ProtonMail. Google's behaviour in this certainly looks highly suspect.

However, in general, I am not a fan of regulation. I wonder if this problem could not be better fixed by an open source search engine "assistant" that simply polls several existing (competing) search engines? Perhaps implemented as a browser plugin?

I base this suggestion on the assumption that not all the usual search engine providers will have the same conflicts of interest. More specifically, in this case, they are not all email providers themselves. For the same reason I trust more the search engine providers who have not added to it all kinds of other business interests.

Any thoughts on that? Has anyone tried it?

Yes, it has been done.[1] The searx metasearch engine[2] is exactly what you are describing; one of the public instances you can use is https://searx.me/. It can be run locally, though unless Tor is used that negates the privacy benefits.

[1]: https://en.wikipedia.org/wiki/List_of_search_engines#Metasea...

[2]: https://github.com/asciimoo/searx

There were a good many of those in the early '00s before Google rose to dominance. Either integrated into the browser or "meta-search engines" which simply merged the results from a number of other search engines.

What search engines are not email providers?

Qwant does its own crawling and does not provide email.[1]

[1]: https://en.wikipedia.org/wiki/Qwant


DDG mostly relies on the APIs of other search vendors, who do have email services.

Over the past year or two, I'm becoming convinced Google's "Don't be evil" days are over.

Does anybody have any recommendations for alternatives to Google Drive?

I use Sandstorm.io, which you can either self-host or use as a managed service.

I can't imagine they would do that intentionally and of their own will. It's too obvious and just provides more arguments for the anti-trust complaint.

Google has already been getting away with giving unfair priority and treatment to their own properties for years. Why not take the next step and just start outright hiding competitors?

Google is not required to provide you search results. And they should be expected to market their own products.

To expect otherwise is foolish.

It's a different story when they're the most popular search engine. They have the power to control what others see and unfairly prioritizing their services disadvantages competitors, a big no-no for such a big company like Google. Also, to many people, Google is the internet. Everyone I know just types stuff into the search bar to get where they want to go, not foo.com. If you don't show up in the first page of the Google search results, you don't exist.

> Google is not required to provide you search results.

Yes, they are, if they want to access the market at all, they have to provide results to everyone, and can’t discriminate.

> And they should be expected to market their own products.

No. They have > 90% of the market, which is used by > 50% of the population, meaning they’re automatically a public utility, and can not provide any positive or negative discrimination to their own or other services.

Any treatment has to be completely fair and equal, and if their own services can get integration, so any competitors have to be able to do. (For a fair price, of course).

>they’re automatically a public utility //

Is that your assertion or is that through legislation where you are (which is where?)? Thanks.

The laws do not directly express the definition "public utility", but the very same restrictions and regulations, and their creators specified that this was the intent.

US antitrust law has some things to say about using a dominant position in one market to forcibly create a dominant position in another market, y'know.

This is why we need good whistle blower protections. If Google does that intentionally, there must be quite a few people in the know at Google.

Even without, it just takes opening a throwaway account here and saying something.

It looks like a net win for PM. If you look at the graph, before disappearing they had struggled for position and after the fix they are #1. Plus they get publicity like this TC article.

Does Google make money from its relationship with government agencies that perform surveillance?

Cultivating government agencies comes in handy especially for global business ops and legal snafus. And I think Google's general 'stalkiness' and getting people used to being stalked ties right in with surveillance culture.

Has ProtonMail become really secure? When I last checked the web client, I noticed that PGP keys are being passed over the internet when you log in (private key), which doesn't look like true end-to-end encryption, since the private key should be kept locally and never be passed over the internet. Please correct me if I'm wrong, I'm not very well versed in encryption matters.

The private key is encrypted using your mailbox password (a 2nd password, not the login password) and that is not stored on their servers. So they only store and pass the private key encrypted.

So it should be secure enough but for sure, the implementation is still not perfect at all, especially if you want to communicate with non-protonmail users.

> So they only store and pass the private key encrypted.

I remember I was able to get the key passed through the network in unencrypted form; I was looking into the network tab of the browser's dev console. When you log in, look at the response of the https://mail.protonmail.com/api/auth POST query.

Got suspicious about the name Proton, started reading the website, saw that it's based in Switzerland.. and yup, they're Ex-CERNies. :)

The domain move which ProtonMail did looks quite risky: country TLD to generic domain, the new domain was parked at GoDaddy before, and the first owner of this domain ran an email server which maybe unexpectedly closed shop. The domain move happened at the same time as ProtonMail vanished from the search results.

Instead of publicly looking for a scapegoat for their mistake they should tell readers of their blog the one lesson to be learned from this story: Never use a country TLD for something targeting more than this country!

On one hand I'm a major advocate of trustbusting and encouraging government regulation of large, potentially competition-squandering companies. But I'm also an advocate of a free and open Internet, entirely unregulated. To me, this case walks the line between the two and I don't think any more can be done with regards to making the "right" judgement without additional, definitive information.

What a coincidence; I was just wondering when Proton would pop up on HN so I could share my experience.

I must say I don't think they even have customer support. I emailed them and opened tickets multiple times with serious questions (looking into moving an entire enterprise with 100+ email addresses) but I guess either I was not their type of client or they simply don't have customer support at all!

This issue turned me off and against them entirely; sorry.

I have had good support from them. Maybe it's because I'm a paying customer?

What they are doing, both from the backend side and the multiple clients side, is a lot. Chances are they are just really busy with the number of employees they have.

Does this have anything to do with what was, retrospectively, a disproportionately pro-Hillary, anti-Trump bias demonstrated in Google News results over the final arc of the election, and the resulting 'out of the blue shock' feeling experienced by so many in America after Trump's election? Or was that simply the result of an effective backlink brigade?

Can you square this view with Clinton winning the popular vote? You are looking in the wrong direction. Perhaps inaccurate polling (is polling actually helpful anyway?) and reforming a slightly troubled electoral system are the actual problems.

Perhaps part of the way to address Google's enormous market power is that they should provide remediation when it causes a problem, including transparency when Google's search results place a site significantly lower than it does in competitors' results.

Doesn't seem (from the tone of that post) that they had anyone on staff to handle the SEO Inbound marketing - where is the summary of what investigation they did.

There are ways to reach out to google and get an answer

Don't be evil, Google. This one has clear evidence. I doubt that it is a bug. It only affects Protonmail not others.

Runbox user here. Can anyone comment on how these two compare? Is it worth switching?

Runbox is more like a "normal, ordinary" e-mail service with high security & privacy precautions, but for example no integrated end-to-end, zero-knowledge encryption (option) for mails. You can of course use pgp/gpg like with any other service.

So in Protonmail, for mails inside the service, from protonmail user to protonmail user, they afaik use a pgp implementation and handle the key exchange.

To send secure messages from protonmail to another service, you can encrypt the message / conversation with a password and the recipient gets an email with an url, where he can, given he has the password, decrypt the message and reply securely.

Thanks! I guess I'll stick with Runbox.

Could you in theory sue Google for (intentionally or not) discriminating against you in the search results? Just in theory.

In theory, one can sue Google (or any other party) for any reason whatsoever -- no matter how absurd or "out there".

IANAL but I doubt they'd get very far. What would their actual argument even be? Google isn't obligated to include every web site in existence in their index.

> Google isn't obligated to include every web site in existence in their index.

No, but to have a competing product appear highly ranked at first, then drop off their search engine entirely and not return until there is a public outcry, screams of anti-competitive action on Google's part[1]. That said, I don't think a lawsuit would get very far either. I'm just saying the whole affair is fishy.

[1] Or, if you want to go tin-foil-hat with it, perhaps a certain government told Google it didn't want people to know about a secure email startup that resides in a country that is known for upholding privacy rights. I don't buy that one myself but I've seen it bandied about in the past in similar cases.

Seeing how Google have a near monopoly on Search, perhaps they should be required to... or at least be required not to remove search results of already-indexed legitimate websites.

How does one create such a list? How do you distinguish domains that have gone rogue (either ones that were legit then went bad. Or if the domain expired or was sold to a nefarious person)?

I believe in this case ProtonMail was hit by an algorithm-based derank (not a manual action). What causes it is anyone's guess. But some series of events hurt their ranking. It's also important to note that PM was NOT delisted. They were still getting traffic from Google, they were just deranked.

Leave that to the EU Commission. They have been looking for a case like this for years.

btw "EU commission" might soon not appear in Google search results anymore...

Google search results might not appear in the EU anymore, if Google keeps responding the way they have been.


Or Google might be broken up – there’s also antitrust cases against them in the US.

With more than half of the population using them, and them holding > 90% in multiple such markets, they fall into the category of monopoly that automatically becomes a public utility – they’re supposed to be just a dumb pipe.

I'm sure Google would be happy with that because as in all such cases where some blog claims that Google dropped them down the memory hole for absolutely no reason whatsoever, we don't ever hear Google's side of the story. Google has nothing to gain from commenting. But in court they would have a reason to respond, and then we'd find out exactly what kind of malware these guys were hosting, or whatever.

"Google has nothing to gain from commenting."

Defusing a court case would seem helpful. Explaining to those worried by this might be good.

Acknowledging you screwed up, fixing it and publicly stating you will do better (then doing better) can actually boost the way a company is seen.

Google is censoring search results and acting more and more like Microsoft in the 90's.. time to skip the Google search engine and support other corporations..

Not condoning any shoddy move by google, but have you noticed how the ProtonMail UI is a shameless ripoff of gmail?

See these screenshots from ProtonMail:




First, there’s no copyright on a general style, or theme. Nor can it be patented or trademarked.

So, legally, this is already nothing.

Second, this is not something Google invented – Google started with webmail, but many other companies had designed stuff like the in-frame editor, or other concepts before Google.

So, even if ProtonMail outright copied Google, Google, because they copied together many other people’s ideas, wouldn’t have reached the Threshold of Originality.

They're called Design Patents. They exist. Apple vs Samsung was quite a famous case over them with hundreds of millions in damages on the line. I have no idea if Google is using Design Patents on their products but they can if they choose.


ProtonMail is in Switzerland. Design Patents exist neither in Switzerland nor in the EU.

Your first sentence was broader than that. Far as EU, they're called registered designs. I don't know much about them past that they exist. They're also in Hague Agreement of WIPO which Switzerland is a party to. Apple's attack on Samsung in Germany was about them copying the interface and style. Situation isn't as clear cut to me given the above.

Even if nothing applied in Switzerland, the countries supporting such things might block their local presence there on grounds of violations. This risk actually is why some companies, esp. Chinese, won't do business in the U.S. If this played out, they'd be blocked from serving customers in the U.S. or any nation that upheld the claim against them.

Resembles OWA and just about every other email web app. I don't follow your logic here.

In the same way that Google Sheets is a shameless ripoff of MS Excel.

You might not like it, but it is generally legal to create products that clone others.

edit: spelling

That actually looks quite different from Gmail to me, with the exception of the pop-out compose window. If anything the two-column layout reminds me more of Apple's Mail app.
