
> Protonmail encrypts all user emails on the server

You can't verify that. As a rule of thumb, I think no one should trust a service provider to prevent themselves from doing something that benefits them and that their clients have no way of verifying that they're not doing.

If you want a server to only hold a file encrypted, don't provide it unencrypted and trust them to encrypt it. Encrypt it before giving it to them.



I agree that providing it encrypted is better, which is what all of our APIs require. That said, you are mistaken that saving the cleartext for unencrypted mail benefits us at all. It most certainly doesn't--the incentives between the provider and users are well-aligned here.


You must certainly know that emails provide a lot of valuable data (in aggregate) that can be sold for purposes such as advertising. Also, it's entirely possible for governments to require keeping plaintexts for their own use (like law enforcement investigations) and force providers to keep hush about it like the United States does. Not that I know if Switzerland does something like that, in the case of Protonmail.

I must say, it's surprising to see a comment like yours here on HN. Where've you been?


This would be blatantly illegal (especially with GDPR) and if exposed, would be the end of their company. (As security is their main focus)

I'm not using protonmail myself, but I'm sure they're not playing around with your data.


Switzerland is not part of the EU, though. Enforcement of GDPR on them depends on how well the EU can force their laws on non-EU nations, something which I hope cannot be done. Who wants to abide by the laws of others in their own home without even the chance to somehow vote or otherwise affect them?


The US isn't either. GDPR applies to all companies doing business in the EU and handling EU user data.

I'm not saying if it's good or not, but if they wouldn't abide, they'd be blocked from doing business in the EU.

They have a gdpr section on their webpage by the way.


> GDPR applies to all companies doing business in the EU and handling EU user data.

Only because the EU said it does. I don't think any country, the US included, agreed to abide by their laws. No one has such a treaty that somehow includes the GDPR, as far as I know. I can only imagine their only way of enforcing it is by using their economic strength as leverage and threatening to place tariffs on some export or import or such.

> I'm not saying if it's good or not, but if they wouldn't abide, they'd be blocked from doing business in the EU.

Is that the plan? Put up a giant firewall around the whole EU, heuristically blocking foreign businesses that didn't comply?

As far as I know, they "require" world internet businesses to have a company branch physically in the EU, but how are they going to enforce that? They put fines on violations, but are they really planning to go to any nation in the world and enforce payment, citing law that's foreign to the citizens of that land? It seems silly, or unjust and scary if it turns out doable.

EDIT: I'm not necessarily against the GDPR. I think it's a move in the right direction with respect to respecting user data, but I am concerned with the fact that it tries to assign obligations worldwide without being a worldwide treaty. Not that I'm saying that it would be practical (or even a practical possibility) to have a worldwide treaty, but the way this is forced also seems like a move in the wrong direction with respect to world internet unity or international respect for national sovereignty.


They can probably do the firewall thing and/or block any payments from EU accounts to the company.

We'll see for sure if and when it happens in practice. Though I suppose it won't, any company sizeable enough would lose too big a market this way. And I don't think they'll go after the smaller ones, at least for a while.

I don't like the methods they can try to enforce gdpr with, though I literally love the law itself.


This.


"It most certainly doesn't--the incentives between the provider and users are well-aligned here."

This might be true but we don't know that. Offering fake security or selling people out for money are a recurring theme in markets for "private" services. You're expecting us to believe nobody on your team would take a payout from or be coerced by US LEOs or spooks. That's crazy. It's better to not put you in that position of us having to trust you like that.

To drive it home, Crypto AG in Switzerland backdoored stuff in the past, RSA was paid $30 million IIRC, and US ISPs got in the $100 million range. The NSA was spending several hundred million a year with the FBI helping on domestic coercion and the CIA using tradecraft against foreign targets. Even the Swiss have the Onyx system now. There's a real, even if slim, chance people in the company get paid off, legally coerced, or hacked at some point in the future. So, it's better if those of us that might be affected push for as little 3rd-party access to secrets and closed implementations as possible plus maximum rigour and review in design/implementation.


> You're expecting us to believe nobody on your team would take a payout from or be coerced by US LEOs or spooks. That's crazy.

No, we're saying that we don't store the data partly so that such a scenario isn't available because historical data simply doesn't exist.

> It's better to not put you in that position of us having to trust you like that.

Look, we freely admit that you can't verify that we do this. If we are part of your threat model, you probably shouldn't rely on us doing it. If we aren't, then it's an additional layer of security relative to other providers who explicitly don't. If you receive unencrypted email, which is virtually everyone, those are your two options. Regardless of whether you believe us, we're still going to do it, because it's better for us and it's better for users. There is no 'third way' that allows us or anyone else to receive unencrypted mail on your behalf and verifiably not save a copy. The only solution is to not have unencrypted mail, which is part of the reason we spent a year developing easy-to-use PGP interoperability.


Protonmail takes a big financial and legal risk if it's not encrypting the email immediately when it comes in.

They get a steady stream of law enforcement inquiries. The best way for them to operate is to do just what they say. Encrypt incoming encrypted mail with the user's public key and throw unencrypted mail away.
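The two designs argued over in this thread, "encrypt it yourself before handing it over" and "the provider encrypts to the user's public key on arrival and discards the plaintext", share one primitive: encryption that needs only the recipient's public key, with the private key never leaving the client. The following is an added example written for this page; it is not ProtonMail's code (they use PGP) and it assumes an X25519 + AES-256-GCM hybrid scheme with a SHA-256 key derivation standing in for HKDF, so that it runs on the Go standard library alone. The same `EncryptForRecipient` call works on the sender's machine or on a receiving server; the `Mailbox` type, the `StoredMessage` layout and the sample mail are all constructed for the illustration. What the code cannot do, as the thread itself points out, is prove to the user that a server actually ran it rather than keeping the plaintext; zeroing the input buffer is an intention, not evidence.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Mailbox is the user's side. The private key is generated and held by the
// client only; the provider is given nothing but PublicKey().
type Mailbox struct {
	priv *ecdh.PrivateKey
}

func NewMailbox() (*Mailbox, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Mailbox{priv: priv}, nil
}

func (m *Mailbox) PublicKey() *ecdh.PublicKey { return m.priv.PublicKey() }

// StoredMessage is all the provider keeps per message: an ephemeral public
// key, a nonce and the AES-GCM ciphertext. No plaintext field exists.
type StoredMessage struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// deriveKey turns the X25519 shared secret plus both public keys into a
// 32-byte AES key. A labelled SHA-256 stands in for HKDF (an assumption of
// this example) to keep it stdlib-only.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-mailbox-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForRecipient needs only the recipient's public key, so it can run
// on the sender's machine (encrypt before handing the mail over) or on the
// provider's server the moment plaintext mail arrives. The plaintext buffer
// is zeroed afterwards to model "throw the unencrypted copy away".
func EncryptForRecipient(recipient *ecdh.PublicKey, plaintext []byte) (StoredMessage, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return StoredMessage{}, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return StoredMessage{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, recipient.Bytes()))
	if err != nil {
		return StoredMessage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredMessage{}, err
	}
	// The ephemeral key is bound as associated data so it cannot be swapped.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	for i := range plaintext {
		plaintext[i] = 0
	}
	return StoredMessage{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt runs on the client with the private key. Anyone without it,
// the provider included, gets a GCM authentication error instead of data.
func (m *Mailbox) Decrypt(msg StoredMessage) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(msg.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := m.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, msg.EphemeralPub, m.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, msg.EphemeralPub)
}

func main() {
	alice, _ := NewMailbox()
	// Constructed sample of a plaintext mail as it would arrive over SMTP.
	incoming := []byte("From: bob@example.org\r\nSubject: hi\r\n\r\nlunch?")
	stored, err := EncryptForRecipient(alice.PublicKey(), incoming)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider keeps %d ciphertext bytes; plaintext buffer now %q\n",
		len(stored.Ciphertext), bytes.TrimRight(incoming, "\x00"))
	pt, err := alice.Decrypt(stored)
	fmt.Printf("client decrypts: %q (err=%v)\n", pt, err)
}
```

A second `Mailbox` with its own key cannot open the stored message, and flipping one ciphertext byte is rejected by the GCM tag, which is the property a user wants from a provider's "we encrypt on arrival" claim; whether the provider also kept a plaintext copy is exactly what this code cannot show.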



