Tutanota is Hardly the Solution to the ProtonMail Problem
Although ProtonMail is one of the few email providers that are not openly hostile to users who value their privacy, the company's willingness to comply with law enforcement has concerned some of them. To be fair, it is difficult to criticize a company that does fight the majority of law enforcement requests. But when the company decided to comply with a law enforcement request for a user's information without a court order, it opened the door to unconditional criticism (most of which has come from commenters and various bloggers online).

Just drinking a cup of coffee. Normal OPSEC things.
One of the alternatives proposed by readers of this site is the email provider Tutanota. Tutanota offers some of the same features as ProtonMail but differs from it in significant ways. Although both services offer end-to-end encryption, Tutanota does not rely on PGP.
[img=]Oh, and there is that unavoidable javascript thing.[/img]
Tutanota uses standard algorithms also being used by PGP (AES 128 / RSA 2048) for encrypting the entire mailbox. Tutanota does not use an implementation of PGP because PGP lacks important requirements that we plan to achieve with Tutanota:
A further description from one of the company’s FAQ pages:
For the email encryption between users, Tutanota uses a standardized, hybrid method consisting of a symmetrical and an asymmetrical algorithm. Tutanota uses AES with a length of 128 bit and RSA with 2048 bit. Emails to external recipients are encrypted symmetrically with AES 128 bit.
I suppose the consensus is that JavaScript is unavoidable with any email provider that does its encryption client-side: the keys are handled in the browser, so code has to run in the browser. As with ProtonMail, Tutanota is unusable with JavaScript disabled. Tor Browser users on the "Safest" security level, which turns JavaScript off for every site, therefore cannot reach their inbox without lowering that setting.
A complaint about ProtonMail is that the company makes paying for services with cryptocurrency complicated. If you open the ProtonMail payment portal and select "Add Payment," you are offered two choices: credit card or PayPal. To use cryptocurrency (only Bitcoin is supported), you have to select "Add Credits" instead. After adding credits, one can pay for ProtonMail services with those credits rather than the two payment options listed above. (Note: this is how ProtonMail used to work. It is possible that paying invoices with account credits is no longer an option.)
[img=]Oh, there it is on the roadmap. Right below support for emojis.[/img]
Tutanota, on the other hand, will gladly accept donations in Bitcoin, Monero, Bitcoin Cash, Ethereum, PayPal, and credit cards. To actually pay for Tutanota services, though, users have only two options: credit card or PayPal. Cryptocurrency payments are on the company's roadmap, but the company has been promising them since 2017. There have been no updates to the issue on GitHub, and it has been closed as "Off-Topic."
ProtonMail's onion service offers what looks like a false sense of security: it is of no use to Tor users with JavaScript disabled. Tutanota does not offer an onion service at all. Although one would likely be just as unusable, the company appears either dismissive of or opposed to the idea. It added onion service support to its roadmap, then marked the GitHub issue "Off-Topic" and published a somewhat confusing blog post about how everyone should use Tor. The post read like the unveiling of a Tutanota onion service, yet there is none.

Does Tutanota log IP addresses? Well:
We only log IP addresses of individual accounts in case of serious criminal acts such as murder, child pornography, robbery, bomb threats and blackmail after being served a valid court order by a German judge. You can find details on this as well as on German data protection rights on our blog.
Which is effectively no different from ProtonMail's logging policy. Tutanota, however, does not appear to release information without a court order, or at least it has not admitted to doing so.
At the heart of the issue, though, is the company's transparency report. After all, the recent stir about ProtonMail stemmed from an unfavorable update to its transparency report. To recap that incident: ProtonMail complied with a legally binding order, which resulted in the arrest of a person ProtonMail described as a "climate activist." The form of activism, illegally occupying buildings, seems like homelessness with more steps. It seems equally bizarre that a law enforcement agency would devote the time and effort required to identify a ProtonMail user simply to arrest some totally-not-homeless person.
Here are the entries from the company’s transparency report for 2021:
Between the 1st of January 2021 and 30th of June 2021 Tutanota has
And for 2020:
Between the 1st of July 2020 and 31st of December 2020 Tutanota has
Between the 1st of January 2020 and 30th of June 2020 Tutanota has
It seems they released data more frequently in 2021 than in 2020. Tutanota's transparency report provides entries for several periods of time.
At the end of the day, depending on the threat model, people might need to operate as if nobody is trustworthy. And ultimately, in this context, that is true. There are companies with what appear to be good track records, such as Posteo. According to their transparency report, they have complied with only one court order, which was a mailbox seizure. Like any other email provider operating this way, Posteo is in principle no different from ProtonMail or Tutanota when it comes to compliance with law enforcement. I have a suspicion that the people over at Elude have not complied with a single court order. I am not sure how law enforcement would serve one anyway. Please correct me if I am wrong on this count, though.
P.S. I see people recommending Matrix as an alternative social networking/messaging platform. The Matrix.org Foundation is suspicious at best as far as its metadata acquisition and retention policies go. Following their recommendations for setting up a self-hosted instance, or using their recommended clients, makes it very difficult to remove matrix.org and vector.im from the picture.
Comments (13)
John (2021-12-07, df583cd0)
What about riseup? They have a .onion, have been online since 1999, they do not collect IP info.
Revelator (2021-12-08, e16fd5f0)
Riseup.net is a joke of an email provider which requires an invite from an existing user, making an invite impossible to get. Not that you'd want one, because you must be a communist to use Riseup, and you're supporting communists if you do. I can't in good conscience do that when I recall that communists killed 100,000,000 people the world over during the last 100 years. I will not join your death cult.
Riseupisajoke (2021-12-08, 30b62380)
>unironically recommends riseup They’re a bunch of leftist cucks & you write the word “nigger” too often, they will remove you from the service and try to dox you.
Tormail (2021-12-07, 2d8fcf90)
Could also consider the pros and cons of an onion e-mail provider like tormail.
Dave (2021-12-08, 005d7b00)
I really don't get what people expect from these companies. Do you really think an above ground corporation with a listed address is going to tell a court "no?" That's a great way to get your servers seized. Anyone off the grid enough to ignore these requests will come with their own problems and probably be even worse for security. Remember Freedom Hosting / Tormail?
TitsMcgee (2021-12-08, 8920b5e0)
I agree. Tutanota is providing privacy, not anonymity. If you're looking for anonymity then you should be using throwaway emails.
Dfsdsd (2021-12-08, 54a6ad20)
All over, if you want to be secure then do as Mr_white does. Even if you use email, enforce PGP on the message or mail. Yes, the subject is not encrypted, but the body of the message is encrypted. At least you can fight, because there is no other way to decode the message.
shitfuck (2021-12-08, 13c8c8d0)
Matrix is no alternative as it’s not an email provider. Matrix team is full of anti-1st amendment, but full of pedo, tranny and furry people. If you want to trust these people with your data, good luck. I’d say in less than 5 years we’ll see a pedo getting kicked from the matrix team, not because he was the only one but because he was identified by outsiders/LE. In case you missed it, PGP is indeed the worst (privacy-wise), for the reasons outlined by tuta (and a few more). Lastly, if you believe that the protonmail dude who got arrested was your average peaceful “climate activist” you are dumber than my wife.
gayhomie (2021-12-09, 0e629e80)
Email in general shouldn't be trusted if you're looking to do any less-than-legal or moral activities. All providers have their own issues. Don't rely on email providers to encrypt things. Leave your subject line empty or irrelevant, manually encrypt and sign your messages, etc. etc. Common sense stuff.
Jazzy_Hippo (2021-12-28, 43798240)
By design, e-mail cannot and will not ever be a secure method of communication. End of discussion. That is why Lavabit shut down when the feds tried to come for Snowden's emails. They even said that is why they shut down, because they had no way to be 100% secure. I don't know when people will finally learn this about e-mail. Even running your own email server is not secure.
TorTroll (2021-12-09, 3564c5f0)
cock.li requires invites now. It used to be ok, but now it's more or less inaccessible. Cock.li also requires javascript, so it shouldn't be used for highly illegal acts such as buying or selling drugs.
a (2021-12-07, 34351520)
glowing