Andy Yen: Is Privacy Supporting Cybercrime?

"Inner security and privacy really is what we call a moving target. You do something, the other side will do something in response, and it's about staying one step ahead of the other side."

Video abspielen
Zu Youtube

Each and every online service can be hacked including ours, says Andy Yen, co-founder and CEO of ProtonMail. However, there’s one essential thing you can do against cybercrime and that will not only help in case the bad guys are at the door. Keeping privacy is also a question of values our democratic society needs to defend. But isn‘t the IT security industry about to lose the fight to protect user’s data?

Jeder, wirklich jeder Online-Dienst kann gehackt werden, meint Andy Yen, Mitgründer und CEO des E-Mail-Dienstleisters ProtonMail. Aber man könne schon etwas gegen Cyberkriminalität ausrichten, und das würde nicht nur nützlich sein, wenn böse Burschen versuchen, Daten zu entwenden. Privatsphäre zu bewahren, ist auch eine Frage von Werten, die eine demokratische Gesellschaft verteidigen müsse. Aber steht die IT-Sicherheitsindustrie im Kampf, Nutzerdaten zu schützen, nicht auf verlorenem Posten?

Das Gespräch wurde am Rande der Tech Open Air 2017 in Berlin aufgezeichnet.

Jede Woche neu beim Stifterverband: 
Die Zukunftsmacher und ihre Visionen für Bildung und Ausbildung, Forschung und Technik

Autor: Timur Diehn
Produktion: Webclip Medien Berlin
für den YouTube-Kanal des Stifterverbandes


Transkript des Videos

Our assumption is that any service can be hacked including ProtonMail.

The previous security model of the internet was "Let's build very, very big walls to keep the bad guys out!" I think we have seen from Sony, we have seen from Yahoo and all these other big companies that that security model is one that is destined to fail. So the alternative security model, the one that ProtonMail uses, is "We assume that data breach is going to happen" and then we build the system such that in the event of a breach we still have maximum protection of user data. And that is what end-to-end encryption manages to achieve. Because there is no way that I or anybody else can guarantee to you that we're never going to get hacked. The better we can do is have defences in place so that when you are hacked the data is still safe. And that's why we encrypt.

There are certain countries that we just no longer travel to. Especially some key people cannot go to certain countries. But what we do is to try from our technology and from our organisation standpoint to really isolate these risks. So the way ProtonMail works is that it actually encrypts data on client devices before it even reaches the servers. So that means that on our servers we actually do not have the ability ourselves to decrypt the messages. And if you don't have the technical ability to decrypt messages, there is no way anybody can force you to do it. And this is a way of using technology to ensure security. Because it doesn't matter what country I go to, the laws of mathematics that, you know, provide encryption, that stays the same. So that's why it is important ro rely on mathematical law instead of legal frameworks.

Inner security and privacy really is what we call a moving target. It's constantly evolving. You do something, the other side will do something in response, and it's about staying one step ahead of the other side. And it is very much back and forth, right? But we think that for the internet and the way things are being built, it's possible to innovate very, very quickly. So because that we can always stay one step ahead. Nowadays people talk about quantum computers, right? And quantum computers perhaps rendering encryption, you know, are useless. But at the same time there's also new encrpytion algorithms that are quantum-safe are being developed. So I think I'm pretty confident that the security industry will always have the means to stay ahead because it's something that there's a lot of resources, a lot of smart people working on it. And we've always been one step ahead for the past 30, 40 years.

If you look at what ProtonMail provides, you know, what we do, there's a lot of social goodfullness. Because it ensures democracy, it allows dissident activists to stay safe. It allows protection against cybercrime, right? On the other side, yes, it is true that once in a while you have some bad people using ProtonMail. But if you look at the overall social good that this service provides to the world, I would say, you know, that is a cost that is worth paying. And that's a track that we have to make between our freedoms and our need to prevent terrorism. I think it's something that society as a whole needs to decide over the next couple of years but for my opinion, if we were to give up our freedoms and our rights to combat terrorism, more or less we give a victory to the terrorists who try to take away this freedom from us in the first place. So we must stand our ground and we must say: These are our values, these are European values, and this is what we are going to defend.

In order to finance a service like this you need to have income, and the way that we make most of our income is in fact through public sector, private sector and businesses who are using the security and privacy that ProtonMail provides. So that is in fact, that money that we take in allows us to provide for consumers the free version. And this is a model that is different than the advertising model because in this case our interests are actually aligned with our customers, right? If you look at Google, Google's customer is not you, the user. Google's customer is actually the advertisers. So there is a misalignment of incentives there. But in our model the people that pay us are also our users. They are paying us because we provide their privacy, so we actually have a financial incentive to ensure good privacy and good security. And I think this alignment, you know, of incentives between users and corporations is very, very important to build good products.