Why End-to-End Encryption Matters—and How to Start (Full Transcript)

Proton’s security chief explains privacy, end-to-end encryption, and simple steps like MFA and password managers to protect your digital identity.

[00:00:00] Speaker 1: Welcome back to Terms of Service. I'm CNN tech reporter Claire Duffy. Often when I reach out to sources who work in tech, they'll contact me from a ProtonMail email address. That's because ProtonMail, a private end-to-end encrypted email service, is widely considered to be a more secure way of communicating online. Proton is a Switzerland-based company that emphasizes privacy in all of its products, which also include cloud storage, a password manager, and a VPN. They say they wanna create a new model for the internet that doesn't depend on selling users' personal information to advertisers. Today, I'm talking to Patricia Egger, Proton's head of security. She's talking to me from Switzerland, and she's going to share some practical tips for keeping your online communications secure, and also explain why we should care about doing that in the first place. Hi, Patricia, thank you so much for being here. Hi, thanks for having me. So you studied mathematics and then have been in this cybersecurity, cyber risk space in much of your career. Talk to me about why this field appealed to you.

[00:01:04] Speaker 2: Yeah, so as you said, I'm a mathematician by training, which I really enjoyed, but I wanted to do work that in my eyes mattered. And so I was kind of trying to figure out what I wanted to do, what I could do. And this was already 10 or so years ago. You could read about breaches and hacks and all these things in the news. So it seemed to be a current topic. And the more I read about it, the more I thought this is not going anywhere. This is happening. This is a place where you'd have some sort of job security. And it's also, what I think is particularly interesting about this field is it's very sciency on one hand, but it's also very human on the other. And it's that interaction between the two that I find really interesting. And that's, I think, what kept me here.

[00:01:57] Speaker 1: Very cool. So how do you explain what Proton is in layman's terms to someone who might not be super online?

[00:02:04] Speaker 2: So Proton is basically, you can see it as an alternative to some of the tech companies that most people are used to using. And so it's an ecosystem of products, of online software-as-a-service solutions. So as you said, mail, VPN, pass, lots of different things. The whole point of what Proton does is it protects our users' data.

[00:02:27] Speaker 1: Proton was founded in 2014, intended to be an alternative to some of the other internet services that people use like Google. What problems in the internet landscape is Proton trying to solve?

[00:02:40] Speaker 2: So there's, I think, mainly two. The first is that until Proton Mail came into existence in 2014, you had to choose between usability or convenience and privacy or data protection. What Proton is trying to do is to bring that privacy to the masses, to people who don't necessarily want or need to know the details of how the encryption or how the tech works in the background. So that's bringing it to everybody. And then there's the whole business model, showing the world that there is a different business model that makes sense and that works, where indeed you don't pay with your data, you pay with your money to protect the data. And so it's kind of just a paradigm shift in the business model of tech companies.

[00:03:31] Speaker 1: And as Proton's head of security, what kinds of issues are you managing on a daily basis? Talk to me a little bit about the work that you do.

[00:03:39] Speaker 2: Yeah, so it's probably not as sexy as maybe one would want it to be, or maybe I could portray it to be sexier than it is, but the reality is, I mean, mainly what I try to do on a daily basis is make sure that we, so the company as a whole, is working on the right problems, the right things. And so how do we determine what the problems are? Who is working on what? Do we need to buy something to solve a problem? Do we need to build something to solve a problem? And then within the team, does everyone have what they need in order to solve those problems? So it's a lot of all of these things on a daily basis.

[00:04:17] Speaker 1: And when you talk about those problems, is that bad actors trying to get into the system? What kinds of problems are you trying to fix?

[00:04:25] Speaker 2: So that's the interesting part. It can be lots of different things, and we try to categorize them kind of into groups, because there's some similarities in how you handle these groups of threat actors, as we call them. It could be bad actors. It could be nation states. It could be potentially competitors. It could be just hackers for whatever reason. But we also consider things like human error, so people making mistakes, and those could have, say, consequences on security. Things like natural disasters, power outages, floods, fires, like all of this is something that winds up on my desk.

[00:05:10] Speaker 1: Why is this work so important to you?

[00:05:13] Speaker 2: Well, Proton cannot protect our users' privacy if we don't have our security under control. So I see it as a fundamental building block of Proton and what it offers to its users. It's not a nice-to-have, it's not an add-on, it's a fundamental, it's a must. Just like we have developers who are building the products, we need a security team to make sure that the products are safe, that the organization is safe, that people know what they can and cannot do, that we block certain things. It's just part of a whole.

[00:05:44] Speaker 1: I'm curious what you think people need to know about why this kind of privacy is so important. Why should people care about the fact that their data is not getting sold to advertisers if they use Proton?

[00:05:57] Speaker 2: Unfortunately, still today, you hear a lot about, I have nothing to hide, so I don't care about privacy. Or people have just given up. They're like, well, everybody has my information anyways. That's the, people have absolutely given up and think, well, everyone has it already, so why bother, I want the convenience or I want this thing to be free, and so it's fine. There's so many things wrong, like with just saying that you have nothing to hide, that's not what privacy is about. I'm sure that these people still have curtains on their windows or they have blinds or they still close the door when they go to the bathroom. I mean, these are all things, you have nothing to hide, like why would you do this? That's not what it's about. It's about having control of what your data is used for, by whom it's used, and if you wanna just know and have some control over that, that's what we're trying to do here. That's the privacy discussion, but then of course, there's a strong link between privacy and security, also for individuals. So being part of a data breach probably has happened to everyone, or at least I would guess the vast majority of your listeners. It's a pretty uncomfortable situation to be in. I mean, I've been there, I wasn't happy about it. And I think, unfortunately, a lot of people stop at that. They're like, I was in a data breach, I got an email from provider XYZ and they said that my data was leaked and okay, oh well. But what I see on the other side is okay, well, what's gonna happen with that data? There's a reason why it was leaked and there's someone out there who's gonna try to do something with it. So they're gonna try to phish you, they're gonna try to impersonate you, they're gonna try to do something with it so the data breach is often just the beginning of problems.

[00:07:37] Speaker 1: Yeah, I'm curious too, when you think about the current political landscape where in the US and elsewhere, you have governments partnering with private companies to collect and compile data on people living in their countries, does that raise the stakes for people to protect their private communications as well, you think?

[00:07:56] Speaker 2: Yeah, absolutely. We see that we have users across the globe but we also see an uptick in users when something happens or when governments start to clamp down or start to look into data that they perhaps weren't looking into before. So we see that there's a direct correlation between what governments are doing and what alternatives people look for.

[00:08:24] Speaker 1: Yeah, I'm curious too, in some cases we've seen law enforcement push back on tech security and privacy efforts saying that it'll make it harder to catch and prosecute criminals. What do you make of that argument?

[00:08:37] Speaker 2: It's a really dangerous one, I think. And I still sometimes I'm surprised that we hear it because you could say that about anything, any piece of tech, in particular, any piece of privacy tech that could be used for anything bad. So it doesn't seem to be a good argument that if you scratch the surface, there's much behind there. I mean, if you take the physical world comparison, right? Like your physical mail, your snail mail, it would be like, okay, what if we started opening everybody's envelopes and just reading all of their mail at scale, like in an automated fashion? Sure, you might find people who are writing about their terrorist plots and whatever, but you would also catch people who are getting their medical reports or news about their family members and what's going on in their lives. And I don't think anyone would find that particularly like to be a good idea. And so I'm not sure why we think it's a good idea in the digital space.

[00:09:42] Speaker 1: Yeah, that's such a good comparison, the physical mail to digital mail. Like that would seem really invasive if law enforcement were coming and looking through your mailbox every day. Talk to me about how ProtonMail works on the backend and sort of what makes it different from other types of platforms.

[00:09:58] Speaker 2: So the fundamental difference with how Proton works is that it's end-to-end encryption. That's the selling point. And I know that a lot of companies will throw that word around and sometimes it's not exactly true. But so basically what it means, what it should mean and what it means at Proton is that the encryption happens on our users' devices. So that's your laptop, your phone, your tablet, whatever it is that you're using, if you're logged into mail, for instance, and your emails, you write them on your app, on your laptop and it gets encrypted on your laptop and then it gets sent to basically our servers to then be sent to whoever it is that you're writing to. But the important thing is that when they're sent to our servers, they're encrypted and they're encrypted with a key that we don't have. So we are not able to decrypt that information. So it's really like this envelope analogy, right? You put it in the envelope and we don't have the ability to open that envelope. And that's the main difference. And a lot of other, basically all email providers will say, well, the data there is also encrypted at rest, as they say, but they have the key. And so it's a very different situation, right? If we are breached, if our servers get attacked, they could access encrypted emails, but they wouldn't be able to read them. And that's the fundamental difference with the others out there.

[00:11:28] Speaker 1: Got it. That's, I think, a helpful clarification. Like if a hacker, they could see that there were emails there, but they couldn't see what they said. And same for Proton, right? Like you could, you see that there's emails, but you can't read them. I was gonna ask you about that. Gmail says that it encrypts emails in transit. What's the difference there?

[00:11:46] Speaker 2: Yeah, so I think nowadays, all internet is encrypted in transit. So it means, yeah, if you are able to intercept the communication, going through the air, the wires, you wouldn't be able to decrypt it. But it doesn't mean that, if you gave the example of Gmail, it doesn't mean that Google is not able to decrypt it because then they're on the receiving side of it. So encryption in transit, it's a complete basic baseline that should be everywhere.

[00:12:14] Speaker 1: I wanted to ask you too, because I guess it was last year now, happy 2026, we heard about this instance where U.S. government officials were using another end-to-end encrypted platform, Signal, and yet somebody who wasn't meant to be in the conversation ended up in the conversation. Are there best practices for people using end-to-end encrypted services to make sure that they're doing that securely?

[00:12:40] Speaker 2: Sure, so I mean, other than not inviting people who shouldn't be in the conversation to be there. Pay attention to who's in your conversation. But I mean, say you're doing emails, right, and you add another person in the to field, then that person's gonna get your email, right? And I mean, there's not much that we can do against that. Right. So just be careful about that. But in general, one thing that's also really important, I think, to understand when you're using end-to-end encryption is that there's other, encryption is great and it does lots of great things, but it's not a silver bullet. There's a lot of other things that you need to take into consideration. So there's the credentials. So can someone get into your account? Do you have a password for your account? Is your password 1234 or four zeros or something as bad? And if so, and if you don't have, for instance, multi-factor authentication, if it's that easy to get into your account, then of course, whoever does that can read all your emails because that's like as if it were you who are logging in. So protecting your credentials, having this multi-factor authentication, I think is also crucial for people to maintain. The other thing that I think we talk about a bit less is the device itself. The device is compromised. If an attacker is able to install whatever malware on the device, which would make it so that they control the device, it's as if they were you or they had all the same rights on the devices you have, in which case they can also open your email and read through them and all these things. So you have to be careful about kind of all of these different layers.

[00:14:19] Speaker 1: That sort of brings me to my next question, which is how do Proton's other products build on this vision of privacy and security? Tell the listeners a little bit about what else the company has available.

[00:14:31] Speaker 2: Yeah, so it's all based on end-to-end encryption or the premise that we don't want to be able to access our users' stuff, whatever that stuff is. So if it's an email, it's the content of the emails, the attachments, that kind of stuff. We have a password manager, and in that case, it's the passwords that we don't want to have access to. So we don't want to be able to log in as the 100 million users that we have. A calendar, same thing. We don't want to have access to the contents of your calendars. So all of that is encrypted. So basically, we try to just maintain whatever the minimum amount of data it is that we need in order to provide the service. So again, email is who's sending to who, because we obviously need to know where to route stuff. VPN is slightly different because there's not really much content to speak of. It's just network traffic. But there, we don't follow our users, like see what websites they're going to and when and how and all these things. So that's kind of the no-logs policy that we have. So it's slightly different, but the ethos is the same. Basically, we don't want to stalk our users.

[00:15:40] Speaker 1: Yeah, well, and that feels like an important point, too, because that's often the thing that ends up feeling so creepy when you use other internet services. It's like, oh, a week ago, I was shopping for this bag, and here I am getting an ad for it five days later. You've touched on this, but just to sort of hammer it home for people, how does Proton make money if the business isn't based on tracking users and selling their data?

[00:16:03] Speaker 2: Yeah, so we sell services. People pay for the services. They buy a subscription to mail or the bundle of the whole ecosystem, depending on what they want to use. And all the products, they exist also in free versions with limitations on storage or features or things like that. But basically, you can use all of the products for free. But yeah, our users pay for everyone, basically, and all the services.

[00:16:32] Speaker 1: Okay, so we always like to sort of wrap up the show by giving people some practical takeaways. If somebody wants to start making their information, their communications more secure, what do you think is the best first step? Is it a password manager? Is it moving to a more secure email system? What is your advice?

[00:16:51] Speaker 2: I think people should first think about what do they want to protect and why and from who? Like, just kind of take a step back and assess your priorities and say, okay, what data do I care about? What do I not really care about? And I really feel strongly that if everything is important, then nothing is important. So if you're gonna start, start somewhere. Start somewhere that makes sense to you. For a generic answer, I think starting with email is pretty good. Email is a method of communication, obviously, but it's also, it's kind of our digital identity. It's what you use to log into everything, pretty much. It's how you reset a password. It's how you reset something. It's sometimes how you prove that you own this, that, or the other. So if you can control that in a way that you know that nobody else is accessing that email, I think that's already a pretty good start. If that's like a comfortable place, I think a password manager is probably my next recommendation. They're the best invention, I think, in a long time. You have to get into a habit of using it, but it's so much more convenient than if you're remembering passwords or recycling passwords, all very dangerous things.

[00:18:05] Speaker 1: I'm curious, too, if people are game to switch to a new email system, do you have practical tips for how to transfer important contacts and information? I can imagine that feeling sort of daunting to start your whole email life over somewhere else.

[00:18:20] Speaker 2: Yeah, so I've converted a few people. My recommendation is usually to keep things going in parallel, at least for a certain time, until you feel comfortable. So what you can do, for instance, if you're going to switch to Proton, there is something we have called Easy Switch, which will basically import your entire inbox into Proton, so it makes it pretty easy. It takes some time, but you click, click, and then you can go and have coffee or lunch or whatever and come back later, and it should be all transferred. So the people that I did convert, what we did is we set up automatic forwarding from their old email provider to Proton for a few months so that everything would, you know, if you forgot that you're using your other provider for whatever authentication to something, you'll still receive it in your inbox, and then you can switch it or whatever, but you don't have this stress of like, oh, maybe I forgot something or something's gonna be abandoned or stranded. Just forward everything, and then once you feel like you have everything cleaned up and everything that you needed is transferred, then you can stop using the other one, but I don't think you need to go cold turkey. Like, there's no benefit in that other than stressing you out.

[00:19:34] Speaker 1: As someone who is following this space all the time, I'm curious what are some ways that people's data might be at risk right now that they might not be thinking about? Like, what are the sort of breaches or threats that you're seeing right now that people should be aware of?

[00:19:50] Speaker 2: I think people don't think much about the ways in which their data is at risk in general. I think if they did, they would be using a lot less apps. I like to think of it also of like the analogy of how you do things at home. Like, the less stuff you have, the less work you need to put into keeping that stuff like clean and tidy and whatever, and it's the same thing in the digital space. Like, if you have a thousand different apps that you're sometimes using or sometimes not or whatever, it's really hard to keep things under control. So less stuff, less work. That's just in general. But data breaches, they just happen all the time, all the time. There's been recently some really bad data breaches in France, so French government services that have had millions of users affected. And I think that's also something that's really troublesome because that's not a choice. Users don't choose to use these things. This is because they live in said country or use said public service, but it's not this or that social media platform. And I think that's really problematic because when it's not your choice anymore, then you can't really be expected to do much.

[00:21:03] Speaker 1: Yeah, such a good point. Well, Patricia, thank you so much for doing this. I really appreciate your time, and I think a lot of people are gonna find this really helpful. Sure, thank you.

Summary
CNN tech reporter Claire Duffy interviews Patricia Egger, Proton’s head of security, about why online privacy and security matter and how Proton provides an alternative to ad-driven tech models. Egger explains Proton’s ecosystem (encrypted email, VPN, password manager, cloud storage, calendar) and its core principle of end-to-end encryption where encryption occurs on the user’s device and Proton does not hold decryption keys. She argues privacy is about control, not “having nothing to hide,” and warns that data breaches often lead to follow-on harms like phishing and impersonation. Egger addresses government surveillance pressures and rebuts claims that strong encryption mainly helps criminals, comparing it to opening everyone’s physical mail. Practical advice includes assessing what you want to protect and from whom, prioritizing securing email as a digital identity anchor, using a password manager, enabling multi-factor authentication, and keeping devices free of malware. For switching email providers, she recommends migrating in parallel using inbox import tools and temporary forwarding. She also notes that too many apps increase risk and highlights the growing impact of large-scale breaches, including in public services where users have little choice.
Keywords: Proton, Proton Mail, end-to-end encryption, privacy, security, data breaches, multi-factor authentication, password manager, VPN, no-logs policy, phishing, digital identity, government surveillance, law enforcement, threat actors
Key Takeaways
  • Privacy is about control over how data is used, not about ‘having nothing to hide.’
  • End-to-end encryption means messages are encrypted on the user’s device and the provider cannot decrypt them without the user’s key.
  • Encryption in transit is baseline; the key differentiator is who holds the decryption keys and whether content is readable by the provider.
  • Strong privacy tech shouldn’t be weakened for law enforcement; broad access would be akin to opening everyone’s physical mail.
  • Protect credentials with strong unique passwords and multi-factor authentication; encryption isn’t a silver bullet.
  • Device security matters: malware on a device can bypass encrypted services by accessing content as the user.
  • Start security improvements by prioritizing what you want to protect; securing email is a strong first step because it underpins account recovery.
  • Use a password manager to avoid reused or weak passwords.
  • When switching email providers, migrate gradually: import mail, forward from the old account for a period, then phase out.
  • Reduce digital exposure by trimming unused apps; more services mean more potential breach and tracking surface.
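The three takeaways on encryption, key custody and device compromise describe one threat-model distinction: "encrypted at rest" means the provider holds the key, end-to-end encryption means only the user's device does, and malware on that device sits inside the trust boundary either way. The following toy model, added here as an illustration and not code from Proton or from this page, makes that distinction executable. Everything in it is assumed for the example: the provider and client classes, the user "alice", the constructed message and salt, and the stand-in cipher (HMAC-SHA256 in counter mode, so it runs on the standard library; a real system would use an authenticated cipher such as AES-GCM or OpenPGP).

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def derive_key(password: str, salt: bytes) -> bytes:
    """Client-side key derivation: the key exists only where the password is typed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, dklen=32)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode, used as a stand-in stream cipher so the example
    # needs only the standard library. It has no integrity tag and is NOT a
    # substitute for an authenticated cipher such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class AtRestProvider:
    """'Encrypted at rest': the server holds the key, so whoever controls the server can read mail."""

    def __init__(self) -> None:
        self.server_key = os.urandom(32)
        self.mailbox: dict[str, bytes] = {}

    def deliver(self, user: str, plaintext: bytes) -> None:
        # Plaintext arrives over TLS; the server encrypts it with its own key.
        self.mailbox[user] = encrypt(self.server_key, plaintext)

    def read_as_provider(self, user: str) -> bytes:
        return decrypt(self.server_key, self.mailbox[user])


class E2EEProvider:
    """End-to-end: the server only ever stores ciphertext and holds no key for it."""

    def __init__(self) -> None:
        self.mailbox: dict[str, bytes] = {}

    def deliver(self, user: str, ciphertext: bytes) -> None:
        self.mailbox[user] = ciphertext

    def fetch(self, user: str) -> bytes:
        return self.mailbox[user]


class E2EEClient:
    """The user's device: derives the key, encrypts before sending, decrypts after fetching."""

    def __init__(self, user: str, password: str, salt: bytes) -> None:
        self.user = user
        self.key = derive_key(password, salt)

    def send(self, provider: E2EEProvider, plaintext: bytes) -> None:
        provider.deliver(self.user, encrypt(self.key, plaintext))

    def read(self, provider: E2EEProvider) -> bytes:
        return decrypt(self.key, provider.fetch(self.user))


def breach_dump(provider) -> bytes:
    """What an attacker who copies the server's storage gets for user 'alice' (hypothetical user)."""
    return provider.mailbox["alice"]


def malware_on_device(client: E2EEClient, provider: E2EEProvider) -> bytes:
    """Device compromise: code running as the user has the user's key, so E2EE does not help."""
    return decrypt(client.key, provider.fetch(client.user))


def demo() -> dict:
    message = b"Constructed sample: lab results attached."  # constructed, not real mail
    salt = b"per-user-salt-for-demo"                        # constructed

    at_rest = AtRestProvider()
    at_rest.deliver("alice", message)

    e2ee = E2EEProvider()
    alice = E2EEClient("alice", "correct horse battery staple", salt)
    alice.send(e2ee, message)

    return {
        "provider_can_read_at_rest": at_rest.read_as_provider("alice") == message,
        "at_rest_dump_plus_server_key_reads": decrypt(at_rest.server_key, breach_dump(at_rest)) == message,
        "e2ee_dump_is_plaintext": breach_dump(e2ee) == message,
        "user_can_read_e2ee": alice.read(e2ee) == message,
        "wrong_password_reads_e2ee": E2EEClient("alice", "wrong", salt).read(e2ee) == message,
        "malware_on_device_reads_e2ee": malware_on_device(alice, e2ee) == message,
    }
```

Running `demo()` shows the three boundaries at once: the at-rest provider reads the mail whenever it wants and a server breach that also captures the server key reads it too; the E2EE provider's storage dump is ciphertext it cannot turn into plaintext, and a wrong password derives a useless key; but code running on the user's own device, with the user's key, reads everything regardless of the encryption model. That last result is why the interview pairs end-to-end encryption with MFA and device hygiene rather than treating it as a silver bullet.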