Ben Robinson (Ben): Welcome to the Aperture Podcast. For this episode, we’re at Fongit and we’re with Andy Yen, founder and CEO of ProtonMail. Andy, welcome to the podcast.
Andy Yen (Andy): Yes, thank you. Thanks for having me.
Ben: Andy, I want to start with the idea of trade-offs, which is sort of inherent to the Internet because I mean, it’s become such a sort of integral part of our lives. I mean, it’s completely embedded in our lives. Nobody could imagine living today without the Internet, but the Internet was kind of started on the model of everything being free and that’s come with all sorts of negative externalities. So, I’ll start by asking, have we paid too big a price for the Internet?
Andy: I think it’s the opposite. We haven’t paid a high enough price for the internet. We live in the world where we’re used to getting things for free, but as any economist will tell you, there’s no such thing as a free lunch. Nothing is free. Everything has a cost, and in fact, if you look at the internet today, if you use it for free, if something is free, then you’re actually the product that is being sold and repackaged and actually you don’t bid it out to the highest bidder. So because of that, I think we’re not paying enough for the Internet and we’re paying in ways that we probably don’t understand and we probably shouldn’t be paying, namely today we mostly pay for our Internet services with our privacy in our personal data and that’s a price I think most people don’t realize and understand.
Ben: No, I think you’re right. I think most people would just think these services are free, full stop. And I think also with this idea of surveillance capitalism and the surveillance state and so on. What’s so bizarre, about this state of affairs, is that whenever people thought in the past, in 1984 about dystopias they thought that it would be really intrusive. So the state would be monitoring you in an active way, but actually what we’re doing is we’re surrendering our own privacy. Whether it’s a conscious choice or an unconscious choice, it’s a choice that we’ve made. So, do you think we can ever turn back the clock on that?
To understand regulation really, we need to look at history and kind of understand history. Governments have been in the business of regulating businesses since essentially the beginning of time.
Andy: Well, I would argue that people haven’t actually made a conscious choice, because let’s take an average person. When you agree to a Terms and Conditions, you don’t actually read it. You don’t know what you’re consenting to. In fact, we have no idea. If you imagine a 13-year-old child on social media, cause that’s the age in which you’re allowed to go on social media now without parental consent.
Ben: So there is actually now some notion of parental…?
Andy: Well there’s always been a notion of certain minimum age. It’s not really adhered to and respected. It’s not really verified.
Ben: I didn’t even know that was the case.
Andy: Yes, by law, it’s supposed to be 13 in most countries. If you take a teenager going on Facebook or social media for the first time, I would actually say they don’t really understand what it is they’ve consented to. They don’t realize the implications of giving up their data forever. They don’t realize that at the time that they’re posting a photo on Snapchat or on Instagram that this data could come back and haunt them for decades better. This is not what you think about in your first social media experience. So we haven’t really surrendered. We haven’t really consented. In some ways we’ve been sort of tricked into doing this and I think that’s an important distinction, because consent must be informed and without information, you cannot willfully consent to something.
Ben: And what role should the government play here? Because I didn’t even realize there’s a minimum age. But clearly somebody, somewhere has set a minimum age because they understand that anything like drinking or having a gun or whatever… there are some… you want a person to have a certain level of education and to understand the implications of what they’re doing. So there have clearly been some small efforts here to try to safeguard the consumer or the individual, and we’ve seen Europe issue GDPR, again sort of top-down pieces of legislation to try to safeguard the individual. We have these cookies, laws and things. Is it possible in the same way as you know, I asked you if we could turn back the clock and change customer behavior? I don’t think we can, but can we protect customer behavior through legislation?
You vote with your wallet in many ways and that decides the future of any industry. If consumers decide that electric cars are the future, then that’s the future. If customers decide that they want to have more privacy in the future, then that’s where things are going to go.
Andy: Well, the customer behaviour point we can revisit later, cause I’m not sure I entirely agree that we cannot change customer behaviour. Let’s talk about a little bit about government regulation. To understand regulation really, we need to look at history and kind of understand history. Governments have been in the business of regulating businesses since essentially the beginning of time. If you look at, for example, finance. That’s another industry that is quite widespread, known for some pretty bad abuses, things like that. The first Stock Exchanges appeared maybe in the 17th century, but the first legislation really only came after the Great Depression. It was the Securities Act of 1933. And then onward, even that wasn’t enough. We had a financial crisis in 2008 and then more regulation came afterwards. So what that really shows is regulation and governments in particular, it takes time.
Ben: And they’re also reactive as well.
Andy: Yes, reactive as well. So you cannot say, let’s rely on government regulation to keep us from going off the edge of the cliff because historically, that has never been the case. They regulate after you got to the edge of the cliff, and if you want to take action before then, I think it needs to come from the private sector. It cannot be government driven. Government will not drive the change in this area, because they historically never have done that.
Ben: And what about the consumer? Because you see a different kind of model in China, for example, where there’s an expectation from the consumer that they do need to pay for a lot more services in China, so some of the things that in the UK, US and so on are free, like this podcast. In China, there’s an expectation you pay for podcasts. So do you think the role of the private sector working together with the consumer is to try to actually create a price for using the Internet?
Andy: Well, I actually think China is not a very good example here, and I’ll tell you why.
Ben: Yes. I think it also has very strong trade-offs.
Andy: Yes. In China, there’s surveillance capitalism and surveillance in general. You are not fooling or tricking anybody. Everybody in China know they live in a surveillance state. They are aware the government is spying on everything that they do. They have the ability to read all their personal information. This is kind of a known fact. They live with it. And in fact, I would say that they have a much higher awareness of the risks of surveillance than Western society, because in China you write the wrong thing online, you end up in jail. Here we don’t have that sort of pressure and that’s not part of our everyday reality. So in fact, they’re not being tricked because they know exactly what’s going on. Whereas in the Western world, in fact, most people have no clue. It’s not part of their daily reality. So that’s why you cannot compare with China because the level of awareness is completely on a different level.
Ben: And so just to revisit that idea of it won’t be the government that solves this, or at least proactively or in advance of whatever the next scandal is, so you’re saying it’s more the role of private companies and possibly I would argue private companies in alliance with the consumer. So how do you think that will play out?
Andy: Well, ultimately when you look at an industry and how it evolves, it always comes down to consumer choice. Consumers will make a decision and their decision translates to how they pay for things, their wallet. You pay with your wallet. You vote with your wallet in many ways and that decides the future of any industry. If consumers decide that electric cars are the future, then that’s the future. If customers decide that they want to have more privacy in the future, then that’s where things are going to go. My view and the reason that we’re doing ProtonMail and working so hard in this space is we actually view privacy as an innate human need. It’s something that everybody has a need for. Whether you realize it or not is another question, but you do have that need. You have your passwords on your accounts. You have curtains on your windows. You have locks on your doors because we have an innate need for privacy and that need for privacy so far hasn’t translated to the Internet yet, but it will. It’s just a matter of time.
Google’s business model, Facebook’s business model, this is not something that can be hidden forever. People will eventually figure it out.
Ben: And do you think it can happen without education because maybe we can go back and discuss customer behaviour. But in order to change my behaviour, I have to realize there’s something wrong with that behaviour or at least the risks associated with that behaviour. So you can have a situation where suddenly the private sector allows us choice. For everything, we have two versions — the free version and the paid version and one gives us privacy. One sacrifices that privacy and we make that choice. How do we make the consumer aware and make that informed choice? Because at the moment as you said, they’re not making a conscious choice because they’re not aware of those inherent trade-offs.
Each time there’s a scandal, there are always spikes in new users, but you don’t build a business or change an industry based on spikes. What you need is a strong underlying trend, and that trend is not going to be based off a scandal. That trend will be based off of user awareness and user knowledge and user sophistication, and that really comes naturally.
Andy: Well, there’s a couple of things there. First of all, to make a choice, there has to be a choice, and until ProtonMail came along, there really wasn’t a choice. You wanted email; you’ve got it from a service that was going to invade your privacy and mine your data. That was it. So what industry and private sector can do is a) we can provide that choice. That’s the first step. Once you have the ability to make a choice, then it’s just a matter of time in some sense, because Google’s business model, Facebook’s business model, this is not something that can be hidden forever. People will eventually figure it out, and the reason their awareness today is higher today than it was, let’s say 10 years ago is because the technology is newer. Back then, people didn’t really understand it. Now they do. And in 20 years, of course, more people will understand.
Now certain things like education. Certain things like data breaches and scandals, these things will accelerate that trend, but knowledge tends to spread and the information will get out and that’s why it’s really just a matter of time. So what we are controlling an industry is providing the choice and then seeing what we can do to accelerate that shift.
Ben: And then do you see in your own business, in adoption and so on a positive correlation with the things that you were just saying, like scandals, you know. So after Cambridge Analytica, did you suddenly see a spike in demand and interest for ProtonMail?
We are trying to change the business model of the Internet
Andy: Yes. So each time there’s a scandal, there are always spikes but you don’t build a business or change an industry based off of spikes. What you need is you need a strong underlying trend and that trend is not going to be based off a scandal. That trend will be based off of user awareness and user knowledge and user sophistication, and that really comes naturally. The first time you go on Facebook, your first thought is not how do they make money, but after seeing some ads that are suspiciously like what you’ve searched for and hearing some stories from people who have used the service and know more and maybe friends who are well educated, you slowly begin to know. So that knowledge permeates out into the society, but it takes time. It’s not overnight.
Ben: You yourself used the term change an industry, and the industry you’re trying to change is a very big industry. And so implicit in what you’re doing is that you’ve got just massive ambition, and also you are really early with this. In preparation for this, we watched your TED Talk and you were saying things back in 2014 that people have only really started saying recently about these sorts of negative externalities of a free Internet. And so a) how did you get into this? And b) how do you arrive at wanting to sort of take on Gmail and Google and the biggest corporations in the world? I suppose most people would have thought this is a great business, but it’s just so big and scary that I’m going to do something smaller. So how did you arrive at this and how do you manage with a business that has such ambitious mission?
We think the Web today is not really reaching the full potential of what it was created to do.
Andy: Well, I think what you mentioned earlier, and I think back in that TED Talk, we are trying to in fact change the business model of the Internet. Because the only way that our mission succeeds is if you build a new business model, and the business model cannot be around advertising. so that’s of course very ambitious cause it’s trying to disrupt an industry that today is maybe over two, $200 billion a year. So that in fact is the mission, and I don’t think you’d go into this with that in mind. You don’t go into a job and say, okay, I want to disrupt a $200 billion industry. Some people maybe go in that way, but the way that I went into it and the way that our team went into it was we saw a need. It was a need that we think is important. Not just…because there’s a business here, but really because of the social impacts. Democracy relies on freedom of speech. Freedom of speech relies on having privacy. It’s all connected. So we solved the social angle that was very, very important. And that’s what made us decide that we needed to pursue this. And I think a lot of that comes from the history of the company. It was founded at CERN. It’s created by scientists in fact. The World Wide Web was also created at CERN, so we had a connection to that.
Ben: You had a kind of symmetry there.
Andy: Yeah, and we saw how the Web had transformed. It was invented to foster communication. It was invented also to build a better world, and we think the Web today is not really reaching the full potential of what it was created to do. It’s become in many places actually a tool of oppression. And for us, the key thing is we need to try to reverse that trend somehow by providing choices and options and tools for people, and that is really what drove us into the business. After coming in, I guess we’re not stupid, we realize that it’s quite challenging, of course, as you say, but we think this is something that’s very important to do, success or fail. Someone needs to do it. And I think that’s the reason why most people go into Science, because you do it because somebody needs to do it. And we thought that calling to go out there and do it.
The encryption needs to be fully automatic, fully transparent and invisible to the user. And that is really, our goal, and in many ways our main innovation.
Ben: So I’m guessing you’re a physicist?
Andy: Yes, that’s correct.
Ben: Yes. So you’re a physicist, and that’s how you ended up at CERN, and how you go from CERN to creating software to change the Business Model of the Internet?
Andy: I think the joke is that it’s all Math at the end of the day.
Andy: So, in fact it is all math. It is all logical reasoning. So the great thing about physics is basics. You can kind of go into essentially any field out there. What physics does, it doesn’t teach you any specific skill so to speak, but it teaches you how to think. So in fact, quantum physics to new technology was not a huge jump.
Ben: And tell us how it works, and by extension, the business model for it. How you make it pay?
In ProtonMail there’s a strong network effect, because if you want to protect the entire network, you want to get your friends and family to use the service. And that’s something that has been driving the growth because if you want to protect your whole community then you also get them on the same system. And we see more and more of that as we continue to grow and scale.
Andy: The business model is a freemium. So that means you can use it for free. But if you want more advanced features and services, then you have to pay for it. So, in essence it’s quite similar to Dropbox and it’s either you pay for the service or the service is going to sell you to pay for itself. That’s the model that we picked for the service. It works by using something known as end-to-end encryption, and what end-to-end encryption does is it encrypts data on your device before it reaches our server, and the beauty of that means that all the data that we store on you is encrypted in a way that we actually can’t access. So, this guarantees you two things.
One is privacy because if we can’t get your data, we can’t sell it to third parties. It’s as simple as that, but also it gives you security kind of for free, and that’s because the data that we store is encrypted. If we were to get hacked or breached, a hacker cannot steal from us something that we don’t have. So, really security and privacy go hand in hand. There are actually two sides of the same coin. And that’s why I think it’s really important because it’s not just for privacy. It’s also for security and cyber-crime today is one of the biggest challenges that we’re going to face in the 21st century. So, it sort of solves both of those problems at the same time.
Ben: Yeah. And what I like about it, to revisit that point from earlier is, doesn’t really require any behavioural change. Instead we carry on doing what we always do, which is emailing many people at once, big attachments, all the things that are a little bit risky, but this time they’re encrypted. So if you like, you’re not asking people to change behaviours that have grown up with the internet, you’re just protecting that individual from exposing themselves to the risk of hacking.
Our mission is to make privacy accessible to anybody in the world that wants and needs it. And we subsidize that through people who do pay us.
Andy: Yes, yes, exactly. And I think that’s really, really important because if I go out on the street and ask anybody, would you like more privacy and security? No one’s ever told me “No” to that question. It’s always, who do I give up? What do I sacrifice? What’s the trade off? And our mission, if you want to sum it up in the sentence, is to make that trade off zero. So we know we want to reduce all the technical hurdles, reduce all the user interface hurdles and make it as simple and as easy as the services you already use that don’t have encryption. So the encryption needs to be fully automatic, fully transparent, invisible to the user. And that is really, our goal, and that’s actually in many ways actually our main innovation.
Ben: And so if you send me an email, which you have, from ProtonMail, it comes into my email server displayed in a way that’s like every other email?
Andy: Yes, yes, that’s correct. Now in that situation, obviously my inbox is encrypted. Everything on my side is secure, but if you’re not using ProtonMail, you are using Gmail, then of course Google will get a copy of your email. And that’s why in Proton there’s kind of a strong network effect, because if you want to protect the entire network, you want to get your friends and family on to use the service. And that’s something that has really been driving the growth because there’s obviously still value in protecting your own data, your own inbox. But if you want to protect your whole community of people on contacts, then you also get them on the same system. And we see more and more of that as we continue to grow and scale.
There’s sort of like a hidden transfer of wealth there, but that is in fact needed to create a more equitable and just world.
Ben: So really pleased that you raised that because I was because I was going to ask you about Customer Acquisition Cost and the speed of adoption and so on. So, there are two things, based on what you said that really would suggest to me that this would have very low customer acquisition costs. One is the freemium model. And so the first question is what percentage of users eventually become paying users? And then the second model is to what extent are the network effects really driving user adoption?
Andy: Well, we know that the largest segment of growth, so the single biggest reason that people use ProtonMail today is actually word of mouth referrals. So network effect is in fact the biggest driver of growth. So that’s that then I think freemium is also important, but for us, freemium is really going back to the mission of the company. Our mission is to make privacy accessible to anybody in the world that wants and needs it. And you can only do that by offering the service for free. I’ll give you example. We have a VPN service as well, and the country that has the most users of Proton VPN is actually Iran.
Andy: They’re under sanctions. So in fact, they don’t have credit cards. They’re not tied into the banking system. They have no way to pay us, and if the service wasn’t free, then those hundreds of thousands of users in Iran would get cut off. So that’s why for our mission to succeed, in fact, we must make it free to make accessible and we subsidize that by people who do pay us.
Ben: So there’s actually… I don’t know if you’re familiar with this term… shared value transactions. But it’s this idea that the heaviest users or in this case, the most demanding users maybe pay for all the features that are then offered to everybody, and you only need a small number of those people to become paying users for the whole model to work. So what’s the conversion rate on freemium into premium in your case?
I think a lot of people pay for the service really to support the ideals of the company and what it stands for. And they pay because they know that privacy matters. They care about it.
Andy: Well, it depends a lot on country. And the way a service like Proton works because we’re so global is in fact you essentially have the First World subsidizing the Third World.
Ben: So it’s like probably what the model for climate change.
Andy: Exactly. I think that’s actually a good thing because in fact, there’s sort of like a hidden transfer of wealth there, but that is in fact needed to create a more equitable and just world. So I think that’s actually a good feature. And conversion rates of course are much higher in Western Europe and the US. They’re much lower in places where people cannot afford to pay, but we’re okay with that because overall, we have a model where it’s sustainable, it’s profitable. So that means it can continue to grow and it’s a cycle that fuels itself and that’s what we need to have a business that can survive and be stable.
Email, I would argue is actually the most meaningful passport of the 21st century. In the 20th century, your identity was tied with your passport. That was who you were. That was how you verified to the world who you were. That was how you accessed all the services that the world could offer you. Today, everything’s moving online, and every online service that you sign up for is actually linked to your email.
Ben: What is the trigger point to go from freemium to premium?
Andy: It’s very hard to say. It depends on the person.
Ben: Sorry, to ask it in a different way… it’s a set of features that I sign up to that then makes it premium, right?
Andy: Yes, that’s exactly right. So paid accounts have certain features which are not available…
Ben: Such as?
Andy: Well, you can have additional storage, additional features like auto-responder on emails. So it’s a subset of features and storage that you need you don’t get on the free account, and that’s what is driving conversion. But I think a lot of people pay for the service really to, I think support the ideals of the company and what it stands for. And they pay because they know that privacy matters. They care about it, and if they don’t pay, they simply won’t have the privacy anymore. Someone needs to pay something if you want to have this option. So it’s really about keeping a private option available to the world and I think that’s very important.
Ben: And then do you have many businesses that adopt ProtonMail for all of their employees?
Andy: Yes. So today there’s probably between 20,000 and 30,000 businesses who are using the service. They obviously all pay, and for business the value proposition is very clear. You can go to a cloud but still keep control of your data. That’s important to a lot of banks and financial industry customers. But then secondly, is your communications within the company are secure and private by default because every employee will be automatically security-encrypted.
Ben: Because when you laid out the binary choice earlier between either having privacy in your email communications or not having privacy in your email communications, and you said you had this sort of free options like Gmail or the paid options like yours. There’s a third actual option, which is you use your corporate email account, but in which case the corporation you work for can see everything that you’re seeing and doing. Right? So I’d argue that there are actually three choices for individuals. Would you agree with that? But in this case, I guess the corporation allows you free access to email that’s secure and where they can’t spy on you.
the best way to protect data is to not have it in the first place
Andy: So actually, I would argue against that… because what is email fundamentally? Email, I would argue is actually the most meaningful passport of the 21st century. In the 20th century, your identity was tied with your passport. That was who you were. That was how you verified to the world who you were. That was how you accessed all the services that the world could offer you. Today, everything’s moving online, and every online service that you sign up for is actually linked to your email. It’s your online passport, and the idea of using your corporate email account doesn’t actually work because that would be like say, your employer is your identity. It’s not true. So that’s why for that reason, you know, that’s not really an option for most people.
Ben: It’s so true because that’s happened sort of insidiously, which is so many services just say sign up using Gmail, sign up using Facebook. And again, unconsciously you don’t think about the ramifications of that. But you’re right, it’s become way more linked to our identity than…I mean, you saying that it’s made me realize, wow, that’s true, and I hadn’t even thought about that myself.
Andy: Yes. So Gmail isn’t just, let’s say controlling your data. They’re also controlling your identity in some ways. And you don’t realize that when you set up for it. But that’s what is happening. And that’s why we feel it’s very important to have an independent identity, which is built on the idea of privacy and security at its core and respecting your rights online.
Ben: Some people make an argument … I obviously know where you stand on this, but some people say the genie’s out of the bottle. We can’t go back and reclaim our privacy. So almost more logical would be to make everything transparent and if everybody could see everything, then there’ll be less abuses of our rights. Where do you stand on that? How do you challenge the logic and the soundness of that argument?
Andy: Well, I would ask that person that tells you that for their email password and see they give it to you.
Ben: Good point. And so I can imagine that many people for many reasons — because they want to challenge what you’re trying to achieve in your mission, I imagine you’re the subject of attempted hacks a lot. How do you counter that?
Andy: Well, the best way to protect data is to not have it in the first place. So the way that we counter that is simply by encrypting as much as we can so that we don’t have anything that can be stolen from us.
Ben: But if they solve — I don’t know exactly how it works — but if they can figure out the encryption keys, then they can get access to the encrypted data.
Andy: To this day, not possible to break the encryption that we use. This of course maybe won’t be the case two decades from now, but we encrypt data in a way that even the strongest supercomputers in the world theoretically should not be able to crack the data. So it is for all intents and purposes inaccessible to a hacker.
Ben: And so that’s one risk. I think so you’ve convincingly argued that you were ahead of that risk. And I suppose in the same way that the sophistication of hackers will grow, the sophistication of the technology you use will also improve. So it’s a race, but for now you’re ahead. The other big risk I guess is coming under pressure from governments to just hand them the data… Because a bit like Apple says you know our devices are encrypted and safe and so on, and then the US government says we want access to it. Have you come under that kind of pressure? How do you deal with that?
Of course encryption and security technology can be abused, but there’s a very strong benefit which is: we need to secure our data and secure our future because the future is data and the future is online. And the social benefit from that outweighs the risks that may come as a result of this technology.
Andy: Both the answers of course is Yes. Like any major tech company, we do come under that type of pressure. We’re based in Switzerland. Switzerland has very strong privacy laws and a strong history of protecting privacy. So that is obviously a very strong advantage. But the technology also works. If you do the technology properly, in fact, there was no way for us to decrypt the data, so it’s mathematically not a possibility.
Ben: So you couldn’t, even if you wanted to, decrypt the data you have on your servers?
Andy: Yes. That’s the point of intent encryption, is that it’s encrypted before it comes to us and we don’t have a way to decrypt it.
Ben: So your argument is simply, no matter how much pressure you apply, we simply can’t respond to your desire.
Andy: Exactly. But there’s also a third aspect to this, which is that the opinion of governments has shifted quite a bit from 2014. In 2014 it was, okay, encryption is a major threat to national security. Now the conversation is we need more cyber-security because they’ve seen the hacks and the scandals and the issues of the past five years. So in fact, governments that were maybe pushing and trying to pressure us in 2014, some of them are now our customers.
In 2010 Mark Zuckerberg basically said that privacy is no longer a social norm. He comes out this year and he says privacy is Facebook’s main focus now.
Ben: Really? I was going to ask about users. We’ll come back to it.
Andy: Yeah. So this kind of shows a shift in how the attitude has changed because people realize that in fact we’re not just providing the privacy but also security, and security is the key to securing the 21st century digital economy.
Ben: Yeah, and again, coming back to this point, I just think it’s Canute-like to sort of say, okay, let’s roll back what we’ve put in place and instead it’s much better to say what we’ve got in place that’s secure. And that’s what I really like about everything that you’re saying. The mission — obviously everybody buys into the mission — but also, it’s a mission and a business that doesn’t require… it doesn’t introduce loads of friction into our lives basically, because we’ve got used to friction-less experience using the Internet.
Andy: And the other way to look at this is Does encryption come with certain risk? Of course, it does. It’s not black and white. Yeah. Is it possible that terrorists could use something like ProtonMail? Of course, but we also know that they also use Facebook. They also use Twitter. They also use buses and planes. You cannot possibly ban everything a terrorist could possibly use. The way you address this question, the way you look at it is you say, what is the overall social benefit? And when it comes to trains and cars and planes, of course they can be abused, but there’s a very strong benefit there as well. And it’s the same for encryption in security technology. We needed to secure our data and secure our future because the future is data and the future is online. And the social benefit from that outweighs the risks that may come as a result of this technology.
Ben: So we’ve started to touch on a couple of times, but now, if you don’t mind, delve into a bit like who uses it? So I imagine, millions of individuals like me use ProtonMail, but I’ve read on your website, you were talking about the activists that use it. You’ve said governments sometimes use it. I guess terrorists could use it as you said. So who uses it and what do they use it for? First of all, give us a sort of breakdown of the demographics of the kind of people that use it, and then is there anything about their usage that makes you uncomfortable as a CEO?
Andy: As a web service and a email provider, the users are basically anybody that would use Yahoo, Gmail or Microsoft. It’s the same spectrum of people.
Ben: Is it though, because I guess particularly, I don’t know…I mean, we’ll come back to numbers of users if you could share that with us, but I imagine particularly beginning, the early adopters were people who were hot on this idea of privacy in a way that others weren’t.
From the beginning of time the Internet was actually not free. If you look at things like Hotmail and Yahoo, in the early days those services were not fully free. The free Internet and free Internet services is a relatively modern invention in history of Internet. It really came in the mid-2000s. So it was paid first, it became free and now is shifting back towards being paid again.
Andy: I think in 2014 that was true, but today with more than 20 million users, it’s really kind of come into the mainstream and everybody will have a reason to use a service like this. People that want privacy and security. It isn’t just the paranoid guys or the government people or the journalists or the activists. That’s a need that actually even your mother might have. In fact, I would say, of course, we may not have as many mothers using ProtonMail, compared to let’s say, you know, Gmail. But that demographic is represented. So we capture actually the full spectrum globally, but it’s really people that have a higher awareness. What links them together is not what the field, they work in their backgrounds or where they live, but relieve their level of awareness of how the internet works and their level of concern for privacy and security.
Ben: And that 20 million number, that’s staggering. The first time I ever heard you speak was at an event here at Fongit and I was blown away by what you’re saying, the ambition of what you’re doing. But even then, which is I think just a few months ago, the number wasn’t anywhere near 20 million. So that would suggest to me that you really are seeing these network effects kick in. It’s like exponential type growth.
Andy: Yes. The growth is pretty rapid right now. It’s really because of awareness. People are just more and more aware today than they were in the past. If you go in 2014…, 2010, Mark Zuckerberg basically said that privacy is no longer a social norm. He comes out this year and he says privacy is Facebook’s main focus now.
Ben: So do you believe him?
Andy: Of course not, but the fact that guys like him have shifted tone so dramatically in the past decade really shows where things are going, and that’s why I think if the awareness is up and we want to be ready, we want to have the service that people can rely on, and we want to really be part of the change that we want to see in the world.
Ben: And do you see more users or greater adoption in countries where their privacy is potentially at greater risk? And do you see — and I suppose you don’t even know that much about the demographics — but do you see, just to go back to this topic of activists cause you yourself were talking about this in one of your blogs, is it people and places where their privacy is more at risk?
Andy: I think adoption is certainly higher in those communities. Among journalists and activists, it’s very, very popular. A lot of people are using it. But if you look at our VPN service in Iran, that’s a huge user base there as well. So of course, if you have a need and if it’s something that your life depends on, you’re going to use it right, and you’ll use it may be potentially more and preferentially more compared to somebody else who isn’t at risk. So there is of course a correlation.
Ben: Where do you stand on freedom of speech? Because activists are using your platform to defend their freedom of speech and to defend their freedom of protest, and somebody like Mark Zuckerberg, let’s bring him up again. I suppose he would make any argument that would absolve him from taking any responsibility for protecting freedom of speech. Where do you stand and what are the limits of freedom of speech if we can’t see what people are saying?
Andy: I think freedom of speech is obviously something that’s very important. It’s the cornerstone of modern Western democracy right now. Can freedom of speech be abused? Sometimes. There’s hate speech, there’s hate crimes, there’s far-right and far-left people who can abuse services like this. Email though, which we do is inherently a private conversation, and what you say in private, in fact is protected. Now if you use technology like Twitter or Facebook or even ProtonMail to let’s say, espouse far-right hate speech, then that is actually against the law. That’s against the law in Switzerland and we as a company would adhere by Swiss law. And I think on topics like this, it’s important for tech companies to really follow the law. We cannot take on the role of judge, jury, executioner, adjudicating and passing judgment on these types of issues. We must adhere and respect the legal framework.
Ben: And so just again to get back to the idea of the legality of some of these things and therefore government’s role in regulating the Internet, do you remember the law that was passed in the Clinton era that essentially absolved lots of these internet companies from taking responsibility for any of this stuff, from having any responsibility for safeguarding the truth on their platforms? Do you think it’s time to change that law then? Because if you’re saying that ultimately your responsibility is to adhere to legal frameworks, do those legal frameworks therefore need to be upgraded for the internet age?
Andy: Well, ProtonMail for example as a mail service because mail is private communications, is a complete separate category from other social media where it’s publicly view-able. So this discussion for example, wouldn’t really apply to a service like ProtonMail, which is private communications. Now the law — I do know the law you are talking about, what this basically says is platform providers like Facebook and Twitter cannot be held liable for the content that is posted by their users, because the user is actually the author of that and my personal view is, in fact, I think that law is in fact correct because you cannot…it’s probably in many ways almost impossible to force platform providers to really police everything that is said and posted on their platforms. I think it’s actually impossible. Where I think there does need to be some more strengthening is that if something posted is false, defamatory, or malicious, there needs to be ways to probably legally compel the take down of such information after it’s proven to be false, defamatory or malicious.
Ben: Do you think they have a responsibility themselves for that kind of fact checking?
We have a ‘don’t cut any corners’ type of philosophy. The trade-off of this is we are probably higher cost than our competitors. We probably develop products more slowly than our competitors, but I would argue that we also provide a product that is higher quality, more secure and more private than our competitors. You must make trade-offs all the time, and in any sort of project, any sort of business, you need to decide where in that space you want to position yourself.
Andy: I would say there’s a moral responsibility to do that, if not a legal responsibility
Ben: I’m not sure morality and ethics is high on the list of some of the people that run these platforms.
Andy: I would say they’re more concerned about their profit margins and their bottom and top lines, and spending time checking content and responding to legal requests is probably not very cost efficient. So yes, most of the platform providers probably hide behind this law and say it’s not our obligation, but I do think they do have an obligation to remove data that is just false and wrong.
Ben: Do you think it was a sort of necessary step that we needed some sacrifice of our own privacy in the beginning to get the Internet moving? Would you argue it was a necessary precondition to widespread adoption for us to be giving up some of our privacy and now has come the time to solve, now it’s adopted in our lives to then just tighten up?
Andy: Yeah. Well the Internet was never really free to begin with. You pay for your internet service; you pay for internet protection. In fact, from the beginning of time the Internet was actually not free. If you look at things like Hotmail and Yahoo, in the early days those services were not fully free. The free Internet and free Internet services is a relatively modern invention in history of Internet. It really came in the mid-2000s, so it was paid first. It became free and now is shifting back towards being paid again.
Ben: So you argue it needs to just go full circle?
Andy: Yeah, yeah.
Ben: Where do you stand on net neutrality?
Andy: I think it’s important to protect it. I think we need it. Without net neutrality, you essentially give big companies certain advantages that smaller people cannot compete with.
Ben: Yeah. So you would argue it was a mistake to make that change?
Andy: Yes. I think net neutrality is important for the future of the Internet. That’s my personal view.
Ben: So are you campaigning for it to be reintroduced?
Andy: Well, I’ll give you an example. In the UK there’s a new law that allows ISPs to censure various websites if they believe it’s adult material, and our VPN service — Proton VPN — was mistakenly categorized as adult by some ISPs. And the ISPs are very hard to get in touch with and not very responsive, and in fact, the only way to solve this issue is to make an official complaint under EU net neutrality rules. So that’s an example of a small company being able to compete in a market because of net neutrality. So in fact I think it is very, very important and without that, you don’t have innovation. If we didn’t have this legal recourse to do this, then we’re at a disadvantage because a big company like Google will never get blocked because they are too big.
The network effect moat protects us in the encrypted space, but that’s maybe the 2% of the market that we’ve captured so far overall. The opportunity is the other 98% of Google users who are not on the system yet, and to go after them, you must innovate. You must be better. You can’t just be more secure and more private.
Ben: Want to talk a bit about the scaling journey you’ve been on. So you’ve got 20 million customers, which is …again, I’m staggered by that number and I guess you’re adding tens of thousands a week or whatever the number is. What have been the challenges along the road to scaling this business to that extent, and what trade-offs have you had to make because clearly you want this to be the most secure, but that costs lots of money. Clearly you want this to be as economical as possible for the users, but that’s a difficult thing to achieve and to produce a really high quality. So what trade-offs have you made and what have you learnt in scaling a business to this level?
Andy: It’s no different than any other business actually. There are three levers that you can control. There’s cost, there’s time which is related to cost to some extent, and there’s quality. If you want high quality and high security, invest more time and as a consequence of investing more time, you are investing more money, and all businesses to some extent are automating these three levers and depending on the company you go to, they are could be on very, very different sides of the spectrum. For us, security and privacy are our core business. Quality is very important. So we’ve optimized the business in such a way that we care about quality first and costs and time are sort of secondary. So we have a ‘don’t cut any corners’ type of philosophy. The tradeoff of this is we are probably higher cost than our competitors. We probably develop products more slowly than our competitors, but I would argue that we also provide up a product that is in the end, higher quality, more secure and more private than our competitors. You must make trade-offs all the time, and in any sort of project, any sort of business, you need to decide where in that space you want to position yourself.
Ben: And who do you see as the competitors? Cause presumably you would put people like Gmail in a completely different category. They are not a direct competitor.
Andy: I think today in fact the competitor is Gmail, cause if you look at where most of our new users are coming from, they’re coming from legacy email services. They’re coming from Google, Microsoft, Yahoo, even AOL sometimes, so they are in fact our biggest competitor. And if you want to think about the future, that’s the target that we need to aspire to go after.
Ben: But is there another secure email service offered on a freemium basis? Is there anybody else who has exactly the same business model as you out there?
Andy: Oh yeah, of course. After we entered the space and opened up the space, a lot of people came in as well. This is sort of normal for any other space, and I think that’s actually a positive thing. It’s good to have more competition, more activity and more attention on your space because that drives innovation, that drives growth and competition’s always good in my mind. Us being sort of the first movers into this space and being by a significant margin the biggest player, that’s something that is quite durable because there is a network effect here..
Ben: Any business with network effects tend to be ‘winner takes most’ markets. That’s right.
Andy: And I would say communication apps in general also follow that sort of trend. So that is inherent advantage for us being in this space. But at the same time, we’re also not the ones who just kind of sit on our hands and say, we’re happy. We want to push innovation in the space. We want to continue maintaining our level of quality and we want to keep doing new things and doing things better and better. So that remains our key focus because we must do that if you want to take down the real competition, which is Google.
Ben: Yeah. I think what you’re saying is interesting because when you have got a business that is underpinned by network effects, the temptation is just to sit back and let them kick in, because it becomes such a strong moat. But what you’re saying is you’re not resting on the network effects moat. You’re also pushing the innovation moat as well.
Andy: Yes. Because network effect moat protects us in the encrypted space, but that’s maybe the 2% of the market that we’ve captured so far overall. The opportunity is the other 98% of Google users who are not on the system yet, and to go after them, you must innovate. You must be better. You can’t just be more secure and more private. You also need to be maybe easier to use, faster. You have to look nicer. It needs to be more stable. You’ have to compete on all these other things that people care about as well.
Ben: Yeah, they do. And would you argue today that your service is it’s the most widely used? Would you also argue it the most secure?
Andy: I would say so, yes. What I also want to say is there’s no such thing as a hundred percent security. By definition it doesn’t exist. Any system can be compromised and can be hacked. All we can do on our side is adhere to best practices, don’t cut any corners, do things as carefully as we can and engineer the cryptography in as strong a way as we can. So these were things that we try to do. It’s a reason that we use cryptography that’s open source and open standards which have been embedded by the community. So we do our best to check every single box, but I think it’s irresponsible and not honest to claim that things are 100% secure because they by definition cannot be 100% secure.
Ben: So I would imagine that everybody that’s listening to this now wants a ProtonMail account. I want one. How do we get one? And if we’re a business, how do we port all of our existing email addresses onto the Proton network?
Andy: Well, if you are a consumer, you just go on the website, get an account. That’s it. If you’re a business, we have an importing tool and we also have a customer support team who is there to help you with the migration. And we’ve migrated probably hundreds of companies just in the past month. It’s something we do all the time and we’re also improving these tools so they’re getting better and better every single month. Our whole ride is to make it easy.
if you can leverage the potential of all of Europe into one company, then in fact you have access to a bigger talent pool at a lower cost and you have more raw materials here than in the US
Ben: Just to get back again cause I think we talked about this scale of the ambition for the company, which is great, but what was the sort of Eureka moment where you were like, okay, that I’m going to stop trying to discover whatever you guys are doing at CERN and if you want to tell us what people do at CERN, that might be also be interesting, but how do you go from that to something like okay, I’m going to launch a secure email system service?
Andy: Well, I think as scientists we have natural curiosity. So there really wasn’t an Eureka moment in the sense that you thought about the problem and said okay, let’s do that. It was more like; this is something that I, myself would like to have. I like to have email that is secure and private, and if you’re a scientist, I guess the benefit of that is you can actually build your dreams.
So we just actually went out and built it ourselves cause we had the know-how to do it. And after we did that, we simply released to the public. We said, okay, we built this. Now you can come and use it. And when we released it, we discovered that a lot of people had the same desires and same wishes as us, when it came to security and privacy, and this was something that we didn’t expect. We didn’t anticipate, we didn’t project or foresee. It was just let’s do it for the sake of the science. Let’s do it for the sake of having technology, and then, as they say, the rest is history.
Ben: The last thing I want to talk about, so when I saw you speaking at the Investor Day here at Fongit, I mean I was struck by the ambition, keep talking about this. But the other thing that I found really sort of heartening was that a business with this potential scale is a) in Europe, because we don’t have many platform-type companies in Europe and b) in Switzerland. And so I think you’ve talked a bit about why you’re in Switzerland, because you worked at CERN centers in Switzerland. There’s an inherent advantage because Swiss privacy laws are very robust. But are there other advantages to being in Switzerland? Have you at any point thought okay, this is such a big business now. I think we need to take this to California?
Andy: Yeah. Of course, we get asked this question quite a bit. Investors in particular ask this question so why Switzerland and why Europe?
Ben: I’m very pleased that you’ve chosen Switzerland and Europe, so, I’m not challenging you…
Andy: I think it’s an important question. I can start from a couple levels. What is the most important thing for a tech company to survive and thrive? I would say the most important raw material, if you will, of our industry is raw talent, and if you consider Europe, not Switzerland but Europe as a whole, this is a population here of around half a billion people. That’s a bigger population than the US and it’s a highly educated population.
So if you can leverage the potential of all of Europe in one company, then in fact you have access to a bigger talent pool at a lower cost and you have more raw materials here in fact than in the US, so that is from a high level why it makes sense. And I think the fact that we want to do it in Europe and leverage its potential also explains Switzerland in some ways because Switzerland is maybe the most cosmopolitan country in continental Europe. It’s the place where you can bring Germans, Poles, Spanish and French and Romanians wherever into one place, and they can all feel at home and feel welcome here, and it’s only by leveraging all of Europe that we will succeed.
I think Switzerland also has various, in addition to the strong laws, it also has a lot of support structures for startups like us. There is Fongit where we are based, which is offering a lot of support in the office space, organization, management in helping us to operate the business. There’s State of Geneva, which is very open providing whether it’s funding, advice, whether it’s tax breaks or other sort of support. These support structures make it a lot easier for us to run the business and focus on growth instead of worrying about other things. So I think it’s this combination of factors that made it so that we were able to succeed in Switzerland and continue to grow within Europe.
Ben: I don’t know if you were there, but Neil Rimer from Index Ventures, he gave a presentation on where he thought Switzerland was at in terms of attracting and retaining great digital-age businesses. And even if you weren’t there, the slide was circulated on social. You may have seen it, but he basically had pluses and minuses and I think there were more minuses than pluses, and you’ve talked about many of the pluses that he talked about. We haven’t addressed the negatives. So he was talking about the high cost of living, the difficulty sometimes getting visas for people. Have you encountered those kinds of problems? I guess the high cost of living, for sure.
In Zurich, you’re in a talent pool that is much more conservative, much more risk averse and much more corporate in a certain sense, whereas Geneva, I would say people here are more willing to take risks. They’re more of the startup mindset, and that’s another reason why we build our base here and I think we are now more successful than we would be if we would have gone to Zurich.
Andy: So actually, on the visa and permit side, having a close relationship with the State of Geneva has essentially solved that issue for us. So we’ve never had any issues there. I would say cost is in fact a problem. The cost of living is very high. Geneva is better than Zurich in the sense that you’re close to the French border, so you can sort of reduce the cost of it that way. This is why I recommend actually Geneva over Zurich, which is not a popular opinion in Switzerland, but that’s my opinion. But I think you can’t build a business like this just in Switzerland. You also need to leverage other offices, other locations in Europe, and that’s what we’ve done. We have other offices in other locations throughout Europe which allow us to bring the overall cost basis down even further.
Ben: Where are your other offices?
Andy: So we have offices in Prague. We have offices in Vilnius in Lithuania, and also in Macedonia. So these locations help to kind of lower the average costs in Europe. Then I think the other thing is when it comes to costs, yes, Switzerland is expensive, but you have to look at the alternatives. If you’re not building a tech company here, then the only logical place you would actually go is San Francisco. If you compare Swiss costs with California costs, in fact, we’re quite a bit cheaper here.
Ben: I am slightly surprised cause so housing, wages, these things are now more expensive in California?
Andy: Yes. So it’s completely shifted in the past five years. I think in 2014 they are about the same. Today we’re maybe around 30 or 40% lower in Geneva compared to San Francisco.
Ben: And I also liked the fact that you’re challenging the received wisdom of Geneva over Zurich. That’s cool. Earlier on today as I was introduced to some of the members of your team and the first thing that you observe is it’s very multicultural. The second thing is these guys are very young. Very smart and very young. The third thing you observe is there aren’t actually that many of them. So would you also argue that to create a platform business today, you don’t need hundreds of thousands of people that you might need to create a really large industrial age business? So that also perhaps gives an advantage to places like Switzerland where you can get very high-quality talent and you don’t need hundreds.
Andy: I think to scale you do need a lot of people. There’s no way to get around the need for people. But it is true that if you hire very smart people, very talented people, and that you leverage the newest technologies, it’s possible to do a lot more with the same amount of people that would have been possible even one or two years ago. So, in fact it’s true. You don’t need that many people to run a pretty massive business, but you still need people. It’s still your main raw material and the fight for talent is still going to be the main thing. And the other reason I say Geneva instead of Zurich is also kind of mindset and competition. The competition is all for talent and in Zurich you’re fighting against some very big established players and…
Ben: Including your nemesis…
Andy: Including Google, yes, but not only that. It’s that you’re in a talent pool that is much more conservative, much more, I would say risk averse, and much more corporate in a certain sense, whereas Geneva, I would say people here are more willing to take risks. They’re more of the startup mindset, and that’s another reason why we build our base here and I think we would actually be maybe more successful than we would be if we would have gone to Zurich.
Ben: Last question. We’ve talked about the company journey. What about your personal journey? So you’ve gone from scientist to CEO of what is now becoming a really big business. What has that transition been like for you?
Andy: Well, I think in terms of what I do on a day-to-day basis, obviously there’s a big transition because I had to learn new things, figure it out, learn from mistakes obviously, and also do things that maybe I wasn’t trained to do in my schooling. So that’s obviously a transition. But I think what is also very important is yes, you need to change and evolve, but it’s also important to stay the same in many ways, to hold onto your core ideals and remember and keep in mind what is important. And I think for our business to succeed, we must also keep in mind always that’s our main focus. Why are we here? Why do we get up in the morning? It’s not to create a huge fortune. It’s not to become the next Google.
We don’t want to become what we’re fighting. What we want to do is we want to stay true to our ideals — freedom, democracy, privacy, security, serving the world, serving the community and serving the users first. And that’s something that I think my role now in the company is to make sure that we retain that for as long as possible and to make sure that the new people that come in understand that that is what makes us different. And that is what makes us important and able to carry out the mission that we want to do.
Ben: Wonderful. No better way to finish than that, with your description of why this business is so important and why it’s so different. I think it’s inspiring and I’m delighted that you’re based here in Switzerland. Andy, I just wish you all the best with your mission, and I hope the trajectory carries on being as exponential as it’s been. And I thank you very much for coming on the podcast.
Andy: Thank you.