‘No company is going to go to jail for you’: Proton’s CTO on balancing privacy, policy, and trust
The Verge

‘No company is going to go to jail for you’: Proton’s CTO on balancing privacy, policy, and trust

The Interview

Today on Decoder, we’ve got the first of a two-part series on the systems that run the world: I’m talking with Bart Butler, the CTO of Proton, the company that makes private and secure productivity software.

You probably know it best for Proton Mail, which is encrypted by default, but the company also has docs, sheets, a calendar, and even a new AI assistant called Lumo, all built and marketed around the idea that they should be vastly more private than the products from Big Tech companies.

You’ll hear Bart say pretty plainly that the thing Proton sells, at a high level, isn’t really the products themselves, but actually trust. And trust in the software world isn’t only about the people who run the companies, but also the technology they develop and sell and the corporate structure in place to make sure that technology is built against the right incentives. Pure Decoder bait, in other words.

The challenge is that Bart also says part of Proton’s mission is very much to succeed at being a viable competitor to Big Tech, and that means the company has to grow and expand to competitive scale, all while preserving its core values. This philosophy, and that challenge, is baked directly into Proton’s structure and even its physical location - the company and its servers are based in Switzerland, in part because of the Swiss government’s geopolitical neutrality.

Two years ago, Proton also transitioned to a nonprofit structure governed by a foundation, which is a familiar model used by all kinds of companies that ostensibly operate in the public interest, but which has failure modes of its own, as we just saw with OpenAI.

Verge subscribers, don’t forget you get exclusive access to ad-free Decoder wherever you get your podcasts. Head here. Not a subscriber? You can sign up here.

We talked about all of that, but I really wanted to talk to Bart because he’s responsible for the technical construction of some very complex systems that interact with all these complex politics. I really wanted to know how you translate all these lofty ideals and concepts like user trust into real, privacy-centric products and features that can withstand all this policy pressure.

For example, earlier this year, the Swiss government requested payment data that led the FBI to unmask a protester associated with the Stop Cop City movement in Atlanta, Georgia, a request Proton complied with. So of course I had to ask Bart about all that, and what it means that the US government can use words like “terrorism” to coerce foreign governments to apply pressure on Proton - and how the company decides when and how to take on those fights.

This pressure manifests in all kinds of ways. Proton is on the record saying it will leave Switzerland, and Bart says it would also consider ditching its operations in EU countries like Germany and Norway if various surveillance laws working their way through European courts continue to threaten Proton’s privacy mission. Bart told me these aren’t just empty threats and that Proton is in the process of figuring out what it would mean to leave Europe if things get, in his words, more “dystopian.”

There is a whole lot in this one. We ran pretty long because we got so deep in the weeds. We first spent the time talking through the broad frameworks before talking about the very real problems of child safety, age verification, and AI - all of which are testing Proton’s values with some of the highest-stakes problems on the internet today. But we took the extra time to get there, and I hope you’ll think it was worth it.

Okay: Bart Butler, the CTO of Proton. Here we go.

This interview has been lightly edited for length and clarity.


Bart Butler, you’re the chief technology officer at Proton. Welcome to Decoder.

Thank you. Happy to be here.

I’m excited to talk to you. It feels like Proton sits at the center of an escalating, spiraling debate about how we build technology systems, how we regulate them, and how consumers can protect their data or have any control at all over their data at the center of it. Let’s start at the very start. I think most people understand Proton as ProtonMail, but there’s now a suite of office products and productivity products. Describe what Proton is and how you see all the products working together.

So Proton is an ecosystem, if you will - a collection of products that all share the same DNA in the sense that they fundamentally are, in many cases, versions of products you can buy elsewhere, but that are privacy preserving, right? Yes, we started with mail. We also have a VPN. We have a Proton Drive, which is our file storage, photos, and collaborative real-time docs. We have a calendar. We have a password manager called Proton Pass. We have Meet, which is a video conferencing software. So we have a whole collection of products that do things in some cases very similar to other products that you might be more familiar with, but are also privacy-preserving.

One of the reasons I’m excited to talk to you specifically as chief technology officer is the idea that there’s a set of products that are familiar, but the company running them is going to behave better than the other company, is a familiar pattern in this industry.

Sure, it is.

And Proton promises that the products are actually architected differently.

Yes.

That from the very beginning, the way the products are built is actually what makes and keeps the promise of protecting privacy, not a benevolent CEO or a benevolent board of directors.

We’ll come to that. There’s some of that in the mix here.

There’s some of that, too.

There’s some of that, too. There’s some corporate structure stuff, but yes, I also consider that there are actually, I would say, two primary structural… or maybe systems. You could call them systems engineering at a broader scale, but structural constraints on how Proton operates.

The first is that we encrypt all the data we can. So if we wanted to turn around and sell that data to somebody, we can’t. It’s mathematically not possible for us to do it, right? This also has other benefits. We can’t easily lose it to hackers or other interested parties, and there’s some data that we can respond to for, say, legal requests, but there’s some data we can’t. And this helps us; basically, we can’t give up data that we don’t have access to.

The second is the business model. I mean, there are other SaaS players, of course, that do this. I don’t think there are a whole lot of B2C consumer-based SaaS players at our size who do this, but our revenue model is getting paid by our users, right? So we don’t sell ads. The products are not carrots to get people to come in and give us their data so we can sell it to advertisers. And that means that those users - the ones who pay our bills, pay our salaries - allow us to grow the business. If we were to betray them, then that would essentially undermine the value of the business. We have tied the value of the business and the growth of the business to protecting our users so that our interests are aligned. This is also very important because temptations are a thing. People respond to incentives, and we have structurally arranged our company such that those incentives are aligned with the people to whom we have promised to protect.

If I were to very reductively summarize what you just said, it is that we take money from consumers, and what we sell them is encrypted versions of popular services that they rely on, like email, a VPN, and an office suite. Do you think consumers understand that what they’re buying is the technology solution, or are they buying the promise of privacy? Or is it some mix? Because I’m not actually sure consumers really understand at mass scale how it all works, right? They think their iPhones are listening to them.

What I will tell product people and engineers in meetings about new features is that if you’ve mentioned the word encryption to the user, you’ve already failed. I mean, people don’t understand what this is. That’s fine. Our goal is to make products that are as usable and as functional as our competitors, or more functional. I mean, I don’t want to sound entirely derivative. We do have features that nobody else has that are often geared towards privacy and functionality for people who need confidential communications. However, in general, we’re selling the promise. We’re selling the promise that we’re a different kind of company. We’re selling the trust - and that trust is critical. Without trust… That is where the real value of the company is. Now, that trust is backed up by technology, right? But we’re selling the trust.

The reason I’m pushing on it, and specifically I’m happy that you mentioned trust, is that the big tech players will all make the same kinds of promises about your data being private. Facebook will happily tell you that they don’t sell an ounce of your data. It’s actually not in their interest to sell the data because the ad targeting that they do depends on the data being theirs and not anyone else’s. We can get into this for days and days and days. I’m just curious where you see that trust being expressed or where you feel like that trust is most communicated from Proton. Because if you ask me, as a more technical person, I do look at the architecture of “it’s all encrypted” and probably mathematically, it’s impossible to get into. Sure, we’ll come to how much metadata can be shared with authorities because there’s some debate about that. But that’s the piece that resonates for me as opposed to trusting you or a board of directors. Some other people just look at the promises and take them at face value. Then there’s some set of regulators that say, “Actually, we have a bunch of other interests in being able to see the data that goes on here, and we actually don’t trust you to be a good player in the ecosystem.” So when you think about trust, does it come down to “the data is encrypted, and that’s the core promise we’re making, and anything that breaks that also breaks the whole product”? Or is there some other dimension of trust that is important at Proton as you build the systems?

So end-to-end encryption is obviously important. It’s the gold standard, and it’s what we strive for. However, there are definitely features that we… privacy, at least to me personally, is about control. There are some times when I want an integration with an external service or something like this, and I mean, my choices are no integration or breaking end-to-end encryption. Our goal is to make it so the user has an informed choice and control over who sees their data. So it’s not the same as never sharing your data or never sharing your photos with anybody. But the point is, instead of sharing your photos with somebody like Facebook who might monetize them, it’s sharing your photos with grandma and grandpa, and only grandma and grandpa.

That’s not to say that encryption is everything, but I think we’ve set up… I don’t know if we want to get into the corporate structure right now. But we’ve set up the fundamental engineering, which backs up the trust. People like you look at the architecture and say, “Okay, this is encrypted. This is important to me.” And then you go tell somebody else, and to that other person you say, “I trust Proton because of this, this, and this.” The other person, all they know is, “Hey, I know Nilay, I trust him, and he says Proton is good.” There’s a whole cohort much, much greater than the techie cohort. The techie cohort is our core, of course, and has been since the beginning, but there’s a whole cohort of people who trust Proton because of other people they know. And by now, I mean it might just be people they trust on Reddit, right? But other people they know say Proton is there.

And what I’m trying to say is we have set up... We’ve all been getting object lessons in the rules, bylaws, laws, other things that can be worth something, but ultimately are worth something when they are... Personnel really matters, right? Who enforces them really matters. So we have the technical layer, which is designed to constrain what we can do technically, and then we also have the legal and corporate structure layer, which is its defense in depth, basically. It’s defense in depth. All of these things are interlocking guarantees to our users that we are trustworthy. Ultimately, that’s the most important thing about the business.

I do want to come to the corporate structure. It is Decoder after all, but just one more turn on the product set itself. You started with ProtonMail. You’ve got the other suite of products, including now an AI Assistant. You talked about the fact that the business model is the consumers paying money directly for the products. Is ProtonMail still the core product that’s making the most money? Are the other lines of business growing? How does this look?

So we don’t disclose direct financials. Mail and VPN are the two oldest products, and as you might expect, they are the two largest products still. But we also have a lot of people who buy bundles and buy multiple products. We try to make the products work well together in an ecosystem. Some products are more tightly bound than others. The new products, the more recent ones like Calendar, are very tightly tied to Mail, of course, but we also have Drive and Pass. Those are not as big as the older products. They have less of a head start, if you will, but they are growing rapidly. So they all contribute, but yeah, they co

Comments

No comments yet. Start the discussion.