Cambridge Analytica Used ProtonMail To Hide Email Paper Trails

Cambridge Analytica faces more accusations following a third exposé by Channel 4 News, which filmed the recently suspended CEO, Alexander Nix, discussing the company’s role in the 2016 US Presidential election.

The report also featured the CEO talking about how the company used a “secure, secret email system” to cover up correspondence between the company and third parties. 

ProtonMail, the email system in question, is a Swiss provider of encrypted email services whose messages cannot be accessed by anyone other than the sender and the recipient.

According to the company’s website: “Data is encrypted on the client side using an encryption key that [we] do not have access to. This means [we] don't have the technical ability to decrypt [your] messages, and as a result, [we] are unable to hand your data over to third parties.” Furthermore, ProtonMail’s website said: “All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO), which offers some of the strongest privacy protection in the world for both individuals and corporations. 

“As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.”

In the recent report aired by UK Channel 4 News, CA’s Nix explained to the undercover reporter, posing as a political consultant, how the company covers its tracks: “I’d like you to set up a ProtonMail account please because now these are getting quite sensitive.”

When asked whether the consultant should hand over the ProtonMail account, Nix replied: “Well, nobody knows we have it… and secondly, we set our ProtonMail emails with a self-destruct timer. So you send them, and after they’ve been read, two hours later they disappear. So then there’s no evidence, there’s no paper trail, there’s nothing.”

Comparing itself to Snapchat, ProtonMail says that communication with non-ProtonMail users can also be secure, since encrypted messages can be sent to Gmail, Yahoo, Outlook, and others.

The company stopped publishing its transparency reports in February 2017 – the latest update showed that only five user data access requests were granted out of 54. 

ProtonMail responded to Infosecurity's request for comment with the following statement:

"The real story is that the mass collection of data is dangerous. As was clearly demonstrated by Facebook, if your core business is building a massive surveillance system, the data will eventually be misused. Whether it is breached, hacked, misappropriated, or sold is irrelevant.

"Given that ProtonMail is one of the most secure email services in the world, it is not altogether surprising that Cambridge Analytica chose to use ProtonMail.

“However, it is important to note that ProtonMail users also include journalists, dissidents, doctors, lawyers, NGOs, and even regular people who rightfully won't want their data sold and resold without their consent through platforms like Facebook and Google.

"While we may not always agree with the people who use ProtonMail, we must nevertheless continue to protect their privacy rights, because the essence of democracy is respecting the rights of even the people we disagree with.

"However, as a society, we must act against the mass collection of data perpetrated by big tech companies because that does pose a threat to democracy. When it comes to protecting against bulk data collection though, encryption is not the problem, but actually part of the solution."

A spokesperson also confirmed that: "ProtonMail has a sizeable anti-abuse team within the company that works 24 hours a day, seven days a week to prevent abuse of our platform, so we are making constant efforts to prevent the misuse of our technology. 

"As to whether CA's usage of ProtonMail was lawful, we would need a Swiss court to weigh in on the matter before we can express an opinion about it."

Infosecurity
