Defending Privacy: An Interview with Andy Yen of ProtonMail
“If you have no privacy you can’t have a democracy” -Andy Yen
In the era of high-profile data fiascos like the Facebook and Equifax incidents, it’s easy to think that perhaps privacy is a dying ideal. Indeed, if Zuck had it his way, we would all just move beyond the outdated notion of privacy altogether and resign the notion of privacy rights as a relic of the past.
Luckily, while those with a vested interest in getting us to share more and more private data online have been slowly trying to chip away at social privacy norms, there are others who are fighting to defend privacy and to give us the tools necessary to take back control of our data. One of those people is Andy Yen, who’s not only raising the alarm on privacy issues but also created an invaluable tool for those looking to hold back the tide of privacy erosion: ProtonMail, an email client with advanced end-to-end encryption.
For Yen, a concern for privacy is not merely some quaint ideal of an outdated social era, it is a fundamental prerequisite for democracy. A society without privacy, he explains, is a society where people are afraid to speak their mind, and without free speech, democracy is just a hollow farce.
Watch our interview with Yen below, or scroll down for the TL;DR and full transcript:
To busy to watch or read the full interview? Here are the highlights:
- He contrasts the open, sharing nature of the early internet to today, when all of our sensitive data is online, making security more important than ever.
- He explains why security and privacy are complimentary rather than opposing ideals.
- He talks about alarming trends in privacy in places like China.
- He argues that email is in many ways our online identity and thus ProtonMail needed to come up with a new business model not based on leveraging personal data.
- He weighs in on blockchain, saying that there are only a limited set of use cases and that we need to focus on those.
- He explains why privacy is a fundamental prerequisite for democracy.
Read the full transcript of our interview below:
How have the privacy ideals of the internet turned out for us today?
Well, the internet, when it was first created, was actually the World Wide Web. It was made in CERN back in 1991. At that point, the web was really a tool that was used for science; it was being used to transfer documents, data, and share scientific results. Science, by nature, is very open. If you publish a paper, you actually want the world to see it. So the internet was really created around the idea of openness in sharing data, sharing information. Then, three decades later, we have a completely different situation where the internet is not just used to share publications, it’s also used for online banking, and it’s also used for some of our most sensitive private data. That’s a massive context shift from when the internet was originally designed. So today, online privacy is more important than any other point in the internet’s history because the context in which we use the internet has changed so massively in the last three decades.
Is there a conflict between privacy and security?
Well, a lot of people think that privacy and security are opposing ideas. That’s actually not correct. In fact, privacy and security are complimentary ideas, in the sense that, if you have something that is built in a secure way, it’s also inherently private. And if you think about government needs, human needs, the human rights need for privacy, in fact these two ideas are in alignment. So I’ll give you an example. We think a lot about future attacks — terrorism, crime — these things are actually going to go online more and more. A future cyber attack could in fact be more devastating, in terms of loss of life, than, say, an attack in the physical world today. And if you want to protect data and information in computer systems in the cyber domain, you need technologies that are secure. And these technologies that are secure are by their nature also very private. So the ideas are actually not in opposition, they’re actually two parts of the same puzzle. This is why, I think, in the future, you will see more convergence of security and privacy, because in fact they have the same end-goals.
What are the worst and best case scenarios for the future?
I think the worst case scenario for privacy is actually already playing out in parts of the world today. An example of this would be in a country like China. They recently introduced new a system in China which collects all your data, and your social data also to give you a citizen score. So they’re scoring you using your public information to see if you’re a so-called responsible citizen. So if we don’t pay attention to privacy, the end state of the current trend is a world where all your data and all your actions at any time in your life is used to build a profile of you and that profile then determines your future prospects in life. That’s a scary place to get into. In China, the government has a monopoly on that. In many western countries, we’ve effectively outsourced that to tech companies like Google and Facebook. This is, in many ways, the worst case scenario. The better scenario would be a world where people become more aware of the situation and at the end it’s consumers and people who are the ones that have control over the situation, because who you give your data to, at the end of the day, that’s your decision. So whether you use something like Gmail or Facebook, or maybe you use a more private alternative like ProtonMail, that’s something that you can decide. So a big challenge that we have to do is we have to work on educating the public to let them understand what the risks are. It’s only by letting people assess the risks that they can make their own decisions. The issue we have today is there are many people who are giving up their data and their privacy with no knowledge of the implications of what’s going on. So the best case scenario would be, we find a way to educate the world. We get the word out, and then society can then make changes.
Why email? How is ProtonMail guided by these ideas?
The reason we started with email is because email, in many ways, is also your online persona. It’s in fact, in many ways, your identity. If you think about my ID, ok it’s my social security number, it’s my passport number, but more and more, your digital identity, your online identity, and even who you are is increasingly tied to your email address. And that’s why we feel like protecting that is in fact one of the most important things that you can do. Because you need to have safe, secure, private email to form the core of your digital existence. That was why it was interesting for us to begin there. It was also interesting because it’s a problem, email privacy is a problem that is technically solvable. In fact, PGP has been around for over 20 years. So it’s not a problem that cannot be solved. It’s a problem that wasn’t solved for business model reasons. If you look at the email industry, it began in the early 90s as a paid service, then it became a race to the bottom: who could provide the most storage space for the cheapest price. Eventually it became free, and then ad-based. That’s why today, why doesn’t a company like Google implement end-to-end encryption? Well, it’s probably not a good fit for their business model, because their business model is knowing as much as they can about you and mining your data. So for us it was a combination of: A. It’s very important for identity, B. It’s technically feasible, and as long as you can adapt to a different business model, it’s in fact very doable.
What’s been a bigger challenge, physics or business?
I think those are two very different types of challenges. When you’re a physicist it’s obviously very hard problems in terms of mathematics, in terms of programming, and just in terms of logical reasoning. Whereas business is a slightly different environment. In business, the relationships with people, the relationships with customers, the relationships with the community that uses your product become much more important. It’s actually two very different skill sets, but at the same time there’s also some overlap, because business in many ways is logic driven. So I would say the challenges are quite different. I cannot really say which one is harder, but they’ve both been very interesting challenges in very different ways.
What are the most promising developments for privacy?
I actually don’t know the answer to this question, and maybe that is the answer. In many ways, when it comes to privacy, security, and encryption, and also the cryptocurrency space, we’re really going off into the unknown. And I don’t think there’s anybody that can really predict what’s going to happen next. People have tried to predict in the past and most of them have actually been wrong. I think that’s probably the excitement of our space, you don’t know what the next big trend is. You know there’s a core technology, there’s a lot of innovation going on, but what’s actually going to work, what’s actually going to stick, what’s going to revolutionize the space is still largely unknown. That’s why for me it’s very hard to give an answer and even make a guess, because it’s kind of a mystery and that’s also part of the excitement.
Why did you decide to focus on the issue of privacy?
The main motivation that got us interested in privacy was the realization of how much personal data is online today. Your online data includes your Facebook profile, your emails, your online banking records, and in fact, the entire catalog of your life. The amount of information that’s out there and what can be done with that information is actually very scary. Up until recently, you didn’t have any choice. If you want to live life in the modern age, you had to give up your data. You had to get an email, and your email was going to be readable by your email provider. If you were going to be social you had to have a Facebook account, and as a result trade your data to Facebook. Our feeling was that this is the wrong direction for the world. This takes us to a very very scary place. So it’s very important to start building the technologies which will allow us to actually maintain privacy even in the digital era.
What do you think about the blockchain space?
I think blockchain is a revolutionary technology in many ways but I think currently it is misused in many ways. A lot of people get the impression that the solution to any problem is blockchain. That’s actually not true. Blockchain is a solution to a very specific number of problems, and the sooner the ecosystem realizes that, and figures it out, and focuses on those specific problems, I think the better. We run a really big risk right now of turning the public off to blockchain, because there have been and there are going to be some very very massive failures from the misuse of blockchain. So I think it’s important for the ecosystem as a whole to begin focusing on the problems that blockchain actually solves and not trying to do everything with blockchain.
How do you define privacy?
When people think about the question of privacy it’s very tempting to think ‘I have nothing to hide. Why do I need to worry about privacy?’ In fact privacy is not really about what you have to hide or if you have anything to hide at all. Privacy is actually something much more fundamental. It’s about maintaining certain freedoms that allow us to have the society that we have today. If you think about privacy, if you go to a world that doesn’t have privacy, that’s also a world that doesn’t have freedom of speech. You’re not willing to say what you’re actually thinking if you’re afraid that this information will be recorded and possibly used against you in the future. So a society that has freedom of speech must by necessity also have privacy. And by extension, it means that if you have no privacy you also can’t have a democracy, because democracy relies to a large extent on freedom of speech. So in fact, the concept of privacy is actually a core pillar of a modern Western democracy, and without this you don’t have the society and the freedoms that we have today. This is something that you can already see in many countries that have gone in the opposite direction. In any society, if they want to take away democracy, take away your freedom, the first thing they attack is actually privacy. So in China, with online censorship and the monitoring of the internet, that’s what they have done, and that stifles freedom of speech. That leads to a society where you don’t have freedom anymore. We have the same situation today in Turkey. Last week, ProtonMail actually was banned in Turkey. It was blocked by the government, and again, if you’re a government that is seeking to oppress freedom and remove the ability for people to express their feelings and their true thoughts, then the first thing you attack is privacy. This is why, if we want to preserve democracy and preserve freedom, preserving privacy is a fundamental part of that fight.