2021 Review: Tutanota
What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?
Tutanota is one of the more popular end-to-end encrypted (E2EE)/zero-knowledge email providers out there, largely considered the main competitor to ProtonMail. A zero-knowledge provider encrypts your mailbox with keys that only your own devices hold, so the provider stores ciphertext it cannot read. In my opinion that is a must-have for anyone who values their privacy and security. Many people argue that zero-knowledge email providers are overhyped, or worse, because you are only securing half of the chain: if I email someone at a Gmail address, the contents still sit in cleartext on Google's servers. In my opinion that still cuts the exposure in half. If we are both on Gmail, or one of us is on another provider like Yahoo, there are two places where a data breach, a warrant, or an insider can reach the cleartext instead of one. You may not get the full benefit unless both parties use encryption, but it still counts for something.
The main thing that sets Tutanota apart from the other email providers I recommend, in my opinion, is that it does not use PGP at all but its own hybrid encryption scheme (symmetric AES for the content, with asymmetric keys to exchange the AES keys), and that scheme covers more of the message than PGP does. Standard PGP/MIME encrypts only the body and attachments; the headers, specifically the subject line, sender, and recipient, travel and are stored in cleartext (source). Tutanota encrypts the subject line along with the body and attachments, so only the addressing metadata a mail server needs for delivery stays visible. That is more than the PGP-based "body and attachments" coverage of Proton or CTemplar.
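To make the header point concrete, here is an added example (mine, not code from this review or from Tutanota) that builds a constructed sample email, encrypts it the way a body-only scheme like PGP/MIME does, and then again with the "protected headers" convention that moves the Subject inside the encrypted part and leaves a placeholder outside. The `server_view()` function returns what the provider, a backup, or a warrant can read in each case. The cipher is a stand-in built from the standard library (HMAC-SHA256 counter mode with an encrypt-then-MAC tag) so the script runs offline; a real client would use OpenPGP or, in Tutanota's case, their AES/RSA scheme, and would derive the key from the recipient's public key rather than a fixed demo value. Header names, the placeholder string and the sample addresses are my assumptions.

```python
"""Added example: which email fields survive body-only encryption.

Not from the reviewed page or from Tutanota. The cipher below is a stdlib
stand-in for OpenPGP; the message structure is the point, not the cipher.
"""
import hashlib
import hmac
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Routing headers a mail server must read; no scheme can hide these from the provider.
TRANSPORT_HEADERS = ("From", "To", "Date", "Message-ID")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in keystream, not a production cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a modified blob is rejected, not decrypted."""
    if len(blob) < 48:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if toy_decrypt refuses the blob."""
    try:
        toy_decrypt(key, blob)
        return False
    except ValueError:
        return True


def sample_message() -> EmailMessage:
    """Constructed sample input (addresses and text are made up)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Date"] = "Tue, 02 Mar 2021 10:15:00 +0000"
    msg["Subject"] = "Q3 audit findings - confidential"
    msg.set_content("Bob, the draft findings are attached. Do not forward.")
    return msg


def seal_message(plain: EmailMessage, key: bytes, protect_subject: bool) -> EmailMessage:
    """Encrypt the body. protect_subject=False keeps the Subject in the clear
    (classic PGP/MIME behaviour); True moves it into the encrypted part and
    writes a placeholder outside (the 'protected headers' convention)."""
    inner = EmailMessage()
    inner.set_content(plain.get_content())
    outer = EmailMessage()
    for name in TRANSPORT_HEADERS:
        if plain[name] is not None:
            outer[name] = str(plain[name])
    if protect_subject:
        inner["Subject"] = str(plain["Subject"])
        outer["Subject"] = "..."  # placeholder; the real Subject is now inside the ciphertext
    else:
        outer["Subject"] = str(plain["Subject"])
    outer.set_content(toy_encrypt(key, inner.as_bytes()),
                      maintype="application", subtype="octet-stream")
    return outer


def server_view(outer: EmailMessage) -> dict:
    """Everything readable without the key: the provider's view of the stored mail."""
    visible = TRANSPORT_HEADERS + ("Subject",)
    return {name: str(value) for name, value in outer.items() if name in visible}


def open_message(outer: EmailMessage, key: bytes) -> EmailMessage:
    """Recipient side: decrypt, then prefer the protected Subject over the outer one."""
    inner = BytesParser(policy=policy.default).parsebytes(toy_decrypt(key, outer.get_content()))
    restored = EmailMessage()
    for name in TRANSPORT_HEADERS:
        if outer[name] is not None:
            restored[name] = str(outer[name])
    restored["Subject"] = str(inner["Subject"] if inner["Subject"] is not None else outer["Subject"])
    restored.set_content(inner.get_content())
    return restored


if __name__ == "__main__":
    key = hashlib.sha256(b"demo key only; a real client derives it from the recipient's public key").digest()
    for protect in (False, True):
        sealed = seal_message(sample_message(), key, protect_subject=protect)
        print(f"protect_subject={protect}: provider sees {server_view(sealed)}")
        print("  recipient reads Subject:", open_message(sealed, key)["Subject"])
```

Run it and the first line shows the provider reading the full Subject even though the body is ciphertext; the second shows only From, To, Date and `...`. Note what neither variant hides: the addresses and the timestamp, which is the residual metadata any email provider, Tutanota included, must keep readable to deliver the message.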
Just like Proton, Tutanota also offers a zero-knowledge calendar which, unlike Proton's, is accessible within the app on both iOS and Android. Like Proton, Tutanota is powered by renewable energy (if that is something you care about), and like both Proton and CTemplar, Tutanota offers a way for you to initiate secure conversations with non-Tutanota users. They are based in Germany, which has strong consumer privacy laws, they are known for a much lower price than Proton (great for those on a budget), and they have outstanding customer service. I can attest to the last point: both companies offer great customer service, but in my experience Tutanota goes above and beyond. Tutanota has further expressed their support for the open source community by offering free Premium features to open source software projects (source). They also offer secure contact forms; while they cost a bit too much for my own basically solopreneur project, they should be easily affordable for most small and medium-sized businesses, which gives companies an easy, drag-and-drop way for clients to contact them securely. They also built their own alternative to Google's CAPTCHA to further de-Google themselves, which is a nice touch.
I like Tutanota, I really do, but as with every review I do, nobody is perfect. Let's start with the two biggest dings for me. The first is their non-standard encryption. Because Tutanota does not use PGP, there is no interoperable public key for me to publish, so a non-Tutanota user has no way to initiate secure communication with me. With Proton or CTemplar, I can post my PGP public key and any PGP user, even one on a different service, can email me securely and start the conversation. With Tutanota, the secure channel to outsiders only works in one direction: I can send a password-protected message that the recipient opens through a link, but for someone else to start an encrypted conversation with me, they also have to be a Tutanota user.
Next, Germany. While Germany does indeed have strong privacy laws, they have also repeatedly expressed their eagerness to join the Five Eyes intelligence community. It is hard to accept that a country which wants to be part of the most invasive, illegal, unethical, and comprehensive surveillance network ever seen also has my privacy in mind. Of course, that does not mean Tutanota is a sham. I am a US citizen and yet I personally take privacy very seriously; the country you are based in does not necessarily reflect your own values. It does mean, however, that you are subject to that country's rules, and that has already come back to bite Tutanota at least once: a German court has ordered them to hand over a specific account's mail, which they could only do for messages that arrived from outside in cleartext. That is also a useful reminder of the limit of the design: end-to-end encryption protects what is encrypted before it reaches the server, not mail that outside senders deliver unencrypted.
Finally, there are a few other small dings against Tutanota that largely come down to personal preference. They do have a desktop app, but it is Electron-based, which means it is the same web client running inside a bundled Chromium and Node.js runtime. That is not automatically insecure, but it carries the full attack surface of a browser plus whatever access to the local system the app's configuration grants to web content, and it must be updated as diligently as a browser. Their mobile app is notoriously slow. Tutanota's web client has been audited, but their servers have not. One could argue that in a zero-knowledge design the server is untrusted anyway, so as long as the client is secure and does what it claims, the server hardly matters; the caveat is that the server is also what delivers the web client's JavaScript to your browser, so a compromised server could serve a tampered client, which is the standard weakness of any browser-based end-to-end encryption. Their mobile apps have not been audited either, though they say the apps use the same protocols and code base as the web client, so in theory they should be equally secure. And, from personal experience, Tutanota seems to get DDoS'd a lot, at least once every couple of months. For most of us nothing we do over email is so time-sensitive that this matters, they usually have it fixed within a couple of hours, and there is the argument that when you are meeting resistance you are probably headed in the right direction (video game logic), but it can still be an issue for some.
Email is not secure. I think that is worth pointing out. Email was never designed to be 100% secure. You never know who might print or forward a message, and there are structural problems with both email itself and PGP that no provider can fix: routing metadata has to stay readable, PGP offers no forward secrecy, and you depend entirely on the other party's client and habits. You should never trust your life to email (which is why Snowden did not just email his documents to people). But email is still a widely used tool that permeates almost every service we use in some way, shape, or form. For that reason alone, it is worth choosing a secure email provider to reduce the risk as much as possible. And, truth be told, you cannot do much better than Tutanota. There are a few niche things that make other providers more appealing, such as more features or better jurisdictions, but Tutanota has repeatedly proven themselves to be advocates and friends of privacy, with an equally long history of striving to be as secure, private, and user-friendly as possible. In your quest for an encrypted email provider, you would be making a huge mistake not to check out Tutanota and give them a chance.
You can learn more and sign up for Tutanota here.