When you’re in the self-described business of bribing politicians and influencing elections, it’s perhaps best not to leave a digital paper trail.
Cambridge Analytica has that all figured out.
According to a London Channel 4 investigation published today, the data analytics and electoral strategy firm that worked with the Trump presidential campaign used an encrypted email service to communicate with clients — and set email to self-delete after two hours.
So explained now-former Cambridge Analytica CEO Alexander Nix, who was caught on hidden camera telling a journalist posing as a potential client that his company uses an email client called ProtonMail to proactively delete potential evidence.
“I’d like you to set up a ProtonMail account, please,” he instructed the would-be (fake) client, “because these are, now it’s getting quite sensitive.”
Nix later adds that “we set our ProtonMail emails with a self-destruct timer […] so you send them, and after they’ve been read two hours later they disappear.”
And why would anyone want emails to disappear? Nix has some thoughts on that as well.
“So then there’s no evidence, there’s no paper trail, there’s nothing,” he explained.
So how does that work exactly? It’s actually pretty straightforward, albeit with some very important caveats.
When composing an email in ProtonMail, one just needs to click on the “expiration time” icon, represented by an hour glass, in the bottom left corner. From there, you can choose how long you want your emails to exist before they are automatically destroyed.
Notably, this timer starts the moment the email is sent — not after it is opened as Nix incorrectly states. You should also keep in mind that this feature only works this way for ProtonMail to ProtonMail exchanges. In other words, if you email your friend’s Gmail account and set a message expiration time that email won’t magically disappear from his or her inbox.
There’s a trick around this, though, and we wouldn’t be surprised if the folks at Cambridge Analytica were aware of it. ProtonMail gives you the option to send an encrypted message to someone with a non-ProtonMail account. To do so, write and address your email like you normally would, but before clicking “send” chose the “encryption” option represented by a lock icon (it’s right next to the aforementioned hourglass).
Once you’ve selected it, ProtonMail will prompt you to create a password for the message. You’ll need to communicate that password to the intended recipient — preferably not via email. Once you’ve set the password, and the expiration timer, send your email.
The recipient will receive a link to that encrypted message — with the auto-delete time specified. This way, the contents of the encrypted message won’t live on Google’s servers, and when ProtonMail eventually erases the message it’s actually gone.
If Cambridge Analytica did indeed use ProtonMail’s message expiration feature in all of its communications, then there might not be that much email evidence for investigators looking into the company’s alleged misuse of Facebook data to discover.
Which is exactly the point. Too bad for Nix, he still left a video trail. If only there was an auto-delete feature for that.