‘20/11/2019 05:00 – UPDATED: 20/11/2019 09:41
If five years ago Taiwanese Andy Yen, PhD in particle physics from Harvard and researcher at CERN in Geneva, Switzerland, would have been told that he would now be doing an express course in Catalan independence to answer interview questions like this, would have burst with laughter. In 2014, Yen, at just 26, decided to leave his promising scientific career at CERN to set up his own company: ProtonMail, an encrypted and secure ‘e-mail’ service that no one can. Something like Gmail, but without selling your soul and data to advertisers and governments who ask for it. He never thought he’d be so successful either. “We started with 100,000 users, now we’re 20 million,” he explains in an interview with Teknautas. And among them are some that are causing you an unexpected headache: the army of Tsunami Democratic.
The platform for Catalan independence, investigated by the National Audience for possible terrorism offences, uses ProtonMail to communicate and organize its movements. They know that if they use Gmail, or private messages on Twitter, Instagram, Facebook, Messenger, WhatsApp or any of the US-based services, they would be lost. A court order from Spain would be sufficient for these companies to close the accounts to Tsunami members and hand over their data to the authorities. With Andy Yen, Spanish Justice has it much more complicated.
Located in Switzerland, ProtonMail responds only to the country’s court requests. Nothing else. “Here they have a lot of history and tradition of respect for privacy,” Yen says. With 150 employees, his company has become a kind of refuge for activism around the world, from Catalonia to Hong Kong to Iran, which lives these days the largest internet court to its population by a government. However, what is considered activism on one side of the ocean, the other is labeled terrorism. And the dilemmas come. What to do if they receive a request to close accounts they consider unfair? Obey? Fight? Become a judge and part?
Question. How does a CERN particle physicist move into building his own tech startup?
Answer: The ‘world wide web’ was created at CERN in the early 1990s. When Snowden published his files in 2013, we looked at them in detail and said: the internet is not at all going in the direction it was initially designed. Instead of being a tool for freedom, it is sometimes used as a tool for espionage and oppression. That’s why we set up ProtonMail, as an attempt to change the direction things were going.
Q. Have things improved since then?
A. Since 2014, we’ve seen things like Cambridge Analytica, massive data breaches… All of this has begun to be discovered in recent years, so I really believe that things have started to change for the better. In 2010, Zuckerberg said in an interview that privacy was no longer a social norm. If you look at the way he talks now, it’s clear that they’ve realized that it’s something that people have started to worry about it.
Q. ProtonMail is headquartered and supported in Geneva. What is the difference between Swiss and EU privacy law?
A. The law is not exactly the most effective to protect users. The laws of mathematics, encryption, which is what we are based on, are constant, while national laws can always be changed. That said, there are several benefits of being in Switzerland. One of them is that there is a very strong tradition of respect for privacy since the beginning of the twentieth century. The banking sector was developed here thanks to this tradition. You can trust that the Swiss judicial system will respect and protect privacy in the courts.
Q. The Swiss Government approved in 2016 a law allowing it to track internet traffic between countries…
A. Yes, it is normal, there are laws that help the police conduct these investigations. But the level of demand is very high. For example, you have to go to federal court to do espionage or listening. And it’s a court that scrutinizes the process of beginning at last, not just approving or denying it.
Q. Why doesn’t the EU take privacy as seriously as Switzerland?
Q. ProtonMail boasts a legal team that “reviews all court requests and opposes those they believe are not appropriate.” However, he has also assured that “when protesters use their ‘e-mail’ service, you do not take sides for or against protest, you only support peaceful activism.” Isn’t that take sides? What is peaceful and what is not?
A. The reason we only support peaceful protests is that that is the law. It’s not a personal opinion, it’s a legal requirement. In Switzerland, as in other countries, a violent protest and destruction of property are against the law. There’s no ambiguity. As a company, we are not the ones who decide or make value judgments on cases like these. It’s not our job and we don’t have all the information or evidence. All we can do is trust the value judgment of the legal system. If a Swiss judge finds that the use of an account does not comply with Swiss law, then unless we have a reason to doubt that judgment, we will accept it and close that account.
Q. How do these requests work? Does a government ask the Swiss authorities to close certain accounts and does that letter come to you?
A. Yes, governments, in fact, do not usually ask us for anything directly. They usually have international agreements between them for these requests. For example, if there is criminal action in a country where a ProtonMail account has been used, that country will contact the Swiss authorities and may even seek assistance from the Swiss Ministry of Justice. At the end of that process, a judge gives judgment and that’s when we decide whether or not to abide.
Q. Do you think that what the demonstrators in Hong Kong or Tsunami Democrime in Catalonia do are peaceful protests?
A. Let’s take Hong Kong. We have many users, some of those protesters will be violent, others will not. We don’t know who’s who and we have no way of knowing. We can’t position ourselves, we don’t have all the information. We can only wait for the judges to make a decision.
Members of tsunami democratic block the AP-7 road on November 13. (Reuters)
Q. Some accuse them of wanting to play on both sides. On the one hand, they claim to support activism, but only peaceful protests. They say support the protesters in Hong Kong and Catalonia, but Tsunami Democrime is being investigated in Spain for possible terrorism offences.
A. Yes, we support activism, but activism must be based on the law, and in our case, Swiss law. This is where we are located, we are a Swiss, neutral company. We do not make value judgments, the only value judgment we will obey is that of a Swiss judge.
Q. Have you received a court petition to close the accounts to Tsunami Democratic?
A. As of today, we have not received any notification. It may be ready in the system and about to be shipped, but so far, we haven’t received anything.
Q. Let’s imagine that the Spanish Government finally asks Swiss authorities to intervene accounts associated with Tsunami Democrime. If a Swiss judge ordered the closure of these accounts, what would they do?
A. We would abide by the Swiss judge’s sentence. We’d only appeal if we thought he was wrong. There are very obvious cases. For example, there was a leaker who was arrested in an Eastern European country. We know he’s a leaker and he’s been arrested for leaking government documents. It was a case in which the Swiss judges did not have all the information and decided to approve the closure of their accounts. We said, wait, this guy is not who they say he is, he’s innocent. Cases like this are obvious, but in the case of protesters engaged in acts of violence, if the evidence is clear, if we believe that all the information was taken into account, we would not call into question the judge’s decision.
Q. But in the case of the filterer, they did make value judgments, when they say they never do. Where do they draw the border?
A. The case of the filterer and the case of Spain are very different and we treat them with different levels of suspicion. We know that things in Russia or in some Eastern European country are done differently than in Spain. Until we have the case on the table with all the information, it is very difficult to say what we will do, but if we believe that the suspect has been subjected to an appropriate legal process, and we see that it has happened in both Spain and Switzerland, there would be no reason to contest the sentence.
Q. Recently, there were many comparisons between Spain and Turkey or Russia by a royal decree-law that gives the Government complete freedom to intervene online…
A. Restricting the free exchange of information is contrary to the principles of democracy. It’s a step in the wrong direction. There’s a very recent case right now in Iran: the government has cut off internet access for 95% of the population. It’s been three days. It is the largest network outage ever carried out in the world. You don’t solve the problems with these measures. It’s like trying to cure a symptom without curing the disease.
Q. Do you think that investigating a movement like Tsunami Democratic for possible terrorism offences is on the same path: a measure that doesn’t solve anything? Is it comparable?
A. I do not have enough information to speak out, but it is true that in this case it does not help that it is an anonymous platform. It’s hard to accuse someone you don’t even know who he is. It’s easier to defend someone if you know who that person is and their motivations.
Q. From a technical point of view, where is Gmail ProtonMail better or different?
A. The difference is that Gmail can all access the contents of your inbox and can be sgreased to third parties. We do not, it is not possible to decrypt users’ inboxes. It’s the main difference for minds or movements like tsunami. Another important difference is that we don’t track IP addresses, we’re not in the advertising business, so we don’t need it. Also, being s in the Swiss venue, your case is to be taken by a Swiss judge, which for many people is a fair system and more likely to defend your privacy.
Q. But they depend on Android, which is controlled by Google. Isn’t that a risk?
A. Yes and no. Encryption occurs within our application. We encrypt content in a way that Google can’t intervene. It’s true that Google’s operating system could, for example, record your clicks when you enter certain services, like ours, and that’s a risk. But if you ever hunted Google by doing that, it would destroy your Android business, you have no incentive to do so.
Q. Many people argue that privacy no longer exists on the internet and that in fact we shouldn’t worry: big techers don’t want your personal data, they just want to add it to other data. If you’re not a celebrity, a politician or a criminal, you don’t care to the governments.
A. To people who think like this, I invite you to take a look at China and see how things are out there. The fact that a government is not yet using your data to punish, categorize you or profile you without permission is not in your hands. You can be alone in an election for a government to abuse your data. You may think that your data and your life are not interesting, but in reality they are already being used against you. The best example is the 2016 US election. Many people’s data was used to convince them to vote in a specific way without even realizing it. This is very worrying and affects democracy.
Q. Now it’s not just technology guys who want to negotiate with our data, but also the operators. In Spain, they have been doing this for the past two years, selling aggregated and anonymized data, but many people have now noticed that they are selling them to the National Statistical Institute (NSI/INE) and a stir has been set.
A. Operators should not be able to decide what to do with our data. Citizens should be asked if they agree to the added of their data and anonymisming them for sale to third parties. If they are not asked, and more and more consumers are concerned about these things, they will start deciding with their wallets and leave with companies that don’t do these things.
Q. Operators say they don’t have to ask their customers because there is no personal data involved. From the beginning they are anonymous and aggregated data. As there is no personal data, the law does not require them to ask permission.
A. (Laughter) From a legal point of view, I’m sure they’re right. But consumers often don’t care if you’re legally right or not. They care if you’re being ethical and moral and if you’re aligned with their idea of how they want to be treated. These issues will not be decided in the court of law, they will be decided in the court of public opinion.