Cambridge Analytica Used ProtonMail To Hide Email Paper Trails

Uploaded on 2018-04-02 in NEWS-Cybersecurity News, FREE TO VIEW

Cambridge Analytica faces more accusations following a third expose by Channel 4 News, which filmed recently-suspended CEO, Alexander Nix, discussing the company’s role in the 2016 US Presidential election. 

The report also featured the CEO talking about how the company used a “secure, secret email system” to cover up correspondence between the company and third parties. 

The email system, ProtonMail, is a Swiss company that provides encrypted email services not accessible by anyone other than the mail sender and the mail recipient. 

According to the company’s website: “Data is encrypted on the client side using an encryption key that [we] do not have access to. This means [we] don't have the technical ability to decrypt [your] messages, and as a result, [we] are unable to hand your data over to third parties.” Furthermore, ProtonMail’s website said: “All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO), which offers some of the strongest privacy protection in the world for both individuals and corporations. 

“As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.”

In the recent report aired by UK Channel 4 News, CA’s Nix explained to the undercover reporter, posing as a political consultant, how the company covers its tracks: “I’d like you to set up a ProtonMail account please because now these are getting quite sensitive.”

When asked whether the consultant should hand over the ProtonMail account, Nix replied: “Well, nobody knows we have it… and secondly, we set out ProtonMail emails with a self-destruct timer. So you send them, and after they’ve been read, two hours later they disappear. “So then there’s no evidence, there’s no paper trail, there’s nothing.”  

Comparing itself to SnapChat, ProtonMail says that communication with non-ProtonMail users can be secure, saying that encrypted messages can be sent to Gmail, Yahoo, Outlook, and others. 

The company stopped publishing its transparency reports in February 2017 – the latest update showed that only five user data access requests were granted out of 54. 

ProtonMail responded to Infosecurity's request for comment with the following statement:

"The real story is that the mass collection of data is dangerous. As was clearly demonstrated by Facebook, if your core business is building a massive surveillance system, the data will eventually be misused. Whether it is breached, hacked, misappropriated, or sold is irrelevant.
"Given that ProtonMail is one of the most secure email services in the world, it is not altogether surprising that Cambridge Analytica chose to use ProtonMail. 

“However, it is important to note that ProtonMail users also include journalists, dissidents, doctors, lawyers, NGOs, and even regular people who rightfully won't want their data sold and resold without their consent through platforms like Facebook and Google.

"While we may not always agree with the people who use ProtonMail, we must nevertheless continue to protect their privacy rights, because the essence of democracy is respecting the rights of even the people we disagree with. 
“However, as a society, we must act against the mass collection of data perpetrated by big tech companies because that does pose a threat to democracy. When it comes to protecting against bulk data collection though, encryption is not the problem, but actually part of the solution."

A spokesperson also confirmed that: "ProtonMail has a sizeable anti-abuse team within the company that works 24 hours a day, seven days a week to prevent abuse of our platform, so we are making constant efforts to prevent the misuse of our technology. 

As to whether CA's usage of ProtonMail was lawful, we would need a Swiss court to weigh in on the matter before we can express an opinion about it."

Infosecurity

You Might Also Read: 

Millions Of Facebook Profiles Were ‘Harvested’  In US Election Breach:

The Cambridge Analytica Row Shows Politics Are Moving In A Disturbing Direction:

 

« Julian Assange Has Internet Connection Cut
Death by Robot »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Radiant Logic

Radiant Logic

Radiant Logic is a market-leading provider of federated identity solutions based on virtualization, and delivers simple, logical, and standards-based access to all identities within an organization.

Assuria

Assuria

Assuria Cyber Security solutions provide protective monitoring of systems and user activity across the whole IT infrastructure.

California Cybersecurity Institute (CCI) - Cal poly

California Cybersecurity Institute (CCI) - Cal poly

The CCI provides a hands-on research and learning environment to explore new cyber technologies and train and test tactics alongside law enforcement and cyberforensics experts.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

Accertify

Accertify

Accertify is a leading provider of fraud prevention, chargeback management, and payment gateway solutions.

Purple Security

Purple Security

Purple Security arises from the association of specialists in offensive security (ethical hackers, white hats) and experts in insurance, compliance and implementation of industry standards.

Cloudentity

Cloudentity

Cloudentity combines Identity for all things with API and Application security in a unique deployment model, combining cloud-transformation and legacy systems.

InterVision

InterVision

InterVision is a leading Strategic Services Provider, assisting businesses in driving value and gaining a competitive edge by helping IT Leaders solve the most crucial challenges they face.

Sentra

Sentra

Sentra is focused on improving data security practices within the cloud, mitigating the risks of damaging data leaks by providing comprehensive visibility into critical data assets.

Surfshark

Surfshark

Surfshark is a cybersecurity company focused on developing humanized privacy & security protection solutions to secure people's digital lives.

eCapital

eCapital

eCAPITAL is a leading venture capital firm that provides early to growth stage funding to technology companies in fields including software & information technology, cybersecurity and industry 4.0.

StarLink

StarLink

StarLink is an acclaimed Value-Added Distributor across the Middle East, Turkey and Africa regions with on-the-ground presence in 20 countries including UK and USA.

Peris.ai

Peris.ai

Peris.ai is a cybersecurity as a service startup that protects businesses and organizations from online threats.

Digital Encode

Digital Encode

Digital Encode is a leading consulting and integration firm that specializes in the design, management, and security of business-critical networks, telecommunications, and IT infrastructures.

SENTRIQS

SENTRIQS

SENTRIQS advanced encryption technology is engineered to defend against the most sophisticated cyber threats, keeping your operations efficient and secure.

Screwloose IT

Screwloose IT

Screwloose IT are a national provider of information technology services. We specialise in managed IT, cloud services, cyber security, website design and digital marketing for businesses of all sizes.