They have one of the largest information security teams in the world, that team includes what is probably the best corporate vulnerability research team in the world. They're one of a small number of companies that is actively defining modern TLS and thus modern transport encryption; their operations and security teams are almost certainly the world's most sophisticated users of TLS. They ship the most secure browser in the world (if it's not, it's a dead-even tie with Edge --- but, since Google outclasses every other major vendor in vulnerability research, I doubt it's really a tie) and thus have a far better understanding of browser security and the interaction between serverside applications and clientside JS/HTTP applications than any other company. They spend more per year on external vulnerability assessment than most startups do... for everything. They're a constant state-level adversary target and have, over the last decade, evolved a secops and monitoring team to match those adversaries.
How many engineering employees does Fastmail even have? How much better would each of them have to be than one of the best-paying security teams in the entire industry for them to match up?
I could go on, but to me, you don't really even have to think hard about this.
So it's because Google has deep/best skills in security? It automatically applies and makes all their products more secure than everyone else's, even if their design is weakened as a result of their business model? e.g. Does Google's 1st class security team + unencrypted emails + tracking make it more secure than a company like Proton Mail that's focused on providing secure mail?
${All the things I said previously}. And, Google Mail is one of their flagship products.
Most of what is on that ProtonMail page is nonsensical. The claim that is relevant to the discussion here --- that ProtonMail has a "smaller attack surface" and is thus structurally more secure than Google Mail --- assumes significant facts not in evidence.
See downthread for my response to the claim that using a mail service outside the US somehow insulates you from NSA snooping.
They have every incentive to ensure the highest security possible. Their entire business model and most of their revenue is predicated on consumers and businesses moving not just some, but all of their data, straight over to Google's custody and control. Indeed, it damn well had better be secure.
But I think they're compromised by those same business models. Google wants to provide intelligence, and probably more important to them, marketing data. This requires that the consumer is an open book to them, and their business decisions incorporate that. Up until recently, they were actively scanning email for marketing insights. In addition, Google's operating complexity, both business and technical, increases the opportunity for failure. And their other business objectives compromise their security work. That's glaringly apparent for their Android platform. There's more surface. And in a Google world, the email account grants direct access to everything — location data, purchasing history, passwords, documents... everything.
For another dedicated email provider, what they have to protect is also simpler. There are fewer moving parts. There's less to protect, which means that there don't need to be as many engineers. That means a careful and well thought out email provider /can/ be as secure, by carefully limiting their exposure, doing one thing, and doing it well.
There's something to be said for careful application of open standards and open source software, a smaller and more responsive team, and not building a massive single point of failure. I am a current Fastmail customer, and hope to remain, depending on the outcome of this review.