
From SUSY to the boardroom

3 September 2019

Beginning as a student discussion in the CERN cafeteria five years ago, ProtonMail has become the leading provider of secure e-mail and a challenger of online business models.

Noble goals: ProtonMail CEO Andy Yen (left) and CTO Bart Butler, photographed at the company’s head office in Geneva in March, want internet users to be more aware of how their personal data is being used. Credit: ProtonMail

Former particle physicist Andy Yen has set himself a modest goal: to transform the business model of the internet. In the summer of 2013, following the Snowden security leaks, he and some colleagues at CERN started to become concerned about the lack of data privacy and the growing inability of individuals to control their own data on the internet. It prompted him, at the time a PhD student from Harvard University working on supersymmetry searches in the ATLAS experiment, and two others, to invent “ProtonMail” – an ultra-secure e-mail system based on end-to-end encryption.

The Courier met with Yen and Bart Butler, ProtonMail’s chief technology officer and fellow CERN alumnus, at the company’s Geneva headquarters to find out how a discussion in CERN’s Restaurant 1 was transformed into a company with more than 100 employees serving more than 10 million users.


“The business model of the internet today really isn’t compatible with privacy,” explains Yen. “It’s all about the relationship between the provider and customer. If you are a Gmail user, then you are not Google’s customer, you are the product that Google sells to its real customer, which is advertisers. With ProtonMail, the people who are paying us are also our users. If we were ever to betray the trust of the user base, which is paying us precisely for reasons of privacy, then the whole business model collapses.”

Anyone can sign up for a ProtonMail account. Doing so generates a pair of public and private keys based on secure RSA-type encryption implementations and open-source cryptographic libraries. User data is encrypted using a key that ProtonMail does not have access to, which means the company cannot decrypt or access a user’s messages (nor offer data recovery if a password is forgotten). The challenge, says Yen, was not so much in developing the underlying algorithms, but in applying this level of security to an e-mail service in a user-friendly way.

In 2014 Yen and ProtonMail’s other co-founders, Jason Stockman and Wei Sun, entered a competition at MIT to pitch the idea. They lost, but reasoned that they had already built the thing and got a couple of hundred CERN people using it, so why not open it up to the world and see what happens? Within three days of launching the website 10,000 people had signed up. It was surprising and exciting, says Yen, but also scary. “E-mail has to work. A bank or something might close down their websites for an hour of maintenance once in a while, but you can’t do that with e-mail,” he says.

ProtonMail’s CERN origins (the name came from the fact that its founders were working on the Large Hadron Collider) meant that the technology could first come under the scrutiny of technically minded people – “early adopters”, who play a vital role in the life cycle of new products. But what might be acceptable to tech-minded people is not necessarily what the broader users want, says Yen. He quickly realised that the company had to grow, and that he had been forced into a “tough and high-risk” decision between ProtonMail and his academic career. He eventually decided to take the leap: Harvard granted him a period of absence, and Yen set about dealing with the tens of thousands of users who were waiting to get onto the service.

In need of cash, the fledgling software outfit decided to try something unusual: crowd funding. This approach broke new ground in Switzerland, and ProtonMail soon became a test case in tax law as to whether such payments should be considered revenue or donation (the authorities eventually ruled on the former). But the effort was a huge success, raising 0.5 million Swiss Francs in a little over two months. “Venture capital (VC) was a mystery to us,” says Yen. “We didn’t know anybody, we didn’t have a business plan, we were just a few people writing code. But, funnily enough, the crowd sourcing, in addition to the money itself, got a lot of attention and this attracted interest from VCs.” A few months later, ProtonMail had received 2 million Swiss Francs in seed funding.

“It is one thing to have an idea – then we had to actually do what we’d promised: build a team, hire people, scale up the product and have some sort of company to run things, with corporate identity, accounting, tax compliance, etc. There wasn’t really a marketing plan… it was more of a technical challenge to build the service,” says Yen. “If I was to give advice to someone in my position five years ago, then there isn’t a lot I could say. Starting a company is something new for almost everybody who does it, and I don’t think physicists are at a disadvantage compared to someone who went to business school. All you have to do is work hard, keep learning and you have to have the right people around you.”


It was around that time, in 2015, when Butler, also a former ATLAS experimentalist working on supersymmetry and one-time supervisor of Yen, joined ProtonMail. “A lot of that year was based around evolving the product,” he says. “There was a big difference between what the product originally was versus what it needed to be to scale up. It’s not a traditional company – 10–15% of the staff today is CERN scientists. A lot of former physicists have developed into really good software engineers, but we’ve had to bring in properly trained software engineers to add the rigour that we need. At the end of the day, it’s easier to teach a string theorist how to code than it is to teach advanced mathematics and complex cryptographic concepts to someone who codes.”

With the company, Proton Technologies, by then well established – and Yen having found time to hotfoot it back to Harvard for one “very painful and ridiculous” month to write up his PhD thesis – the next milestone came in 2016 when ProtonMail was actually launched. It was time to begin charging for accounts, and to provide those who already had signed up with premium paid-for services. It was the ultimate test of the business model: would enough people be prepared to pay for secure e-mail to make ProtonMail a viable and even profitable business? The answer turned out to be “yes”, says Yen. “2016 was make or break because eventually the funding was going to run out. We discussed whether we should raise money to buy us more time. But we decided just to work our asses off instead. We came very close but we started generating revenue just as the VC cash ran out.”

Since then, ProtonMail has continued to scale up its services, for instance introducing mobile apps, and its user base has grown to more than 10 million. “Our main competitors are the big players, Google and Microsoft,” says Yen. “If you look at what Google offers today, it’s actually really nice to use. So the longer vision is: can we offer what Google provides — services that are secure, private and beneficial to society? There is a lot to build there, ProtonDrive, ProtonCalendar, for example, and we are working to put together that whole ecosystem.”

A big part of the battle ahead is getting people to understand what is happening with the internet and their data, says Butler. “Nobody is saying that when Google or Facebook began they went out to grab people’s data. It’s just the way the internet evolved: people like free things. But the pitfalls of this model are becoming more and more apparent. If you talk to consumers, there is no choice in the market. It was just e-mail that sold your data. So we want to provide that private option online. I think this choice is really important for the world and it’s why we do what we do.”

 
