Why Tutanota?
Since I have been gradually weaning myself off of all google products over the past few years, I have been using a protonmail secondary account. Since I completely stopped using gmail as of last week, it is now my primary email provider. Whenever I research privacy focused, encrypted email providers, tutanota always is mentioned as an alternative to protonmail. I have planned to check it out for a while, so I finally did.
Here are my impressions:
Creating your account
I signed up for a free account, or tried to. I was prevented from continuing because I had a “suspicious internet connection.” This surprised me, but since I was running a VPN, I turned it off and tried again. This time they let me continue. I assume this means they use an IP address to verify new accounts.
There is no requirement to enter your name or any other identifying information. You simply choose your proposed new email address, and you are told whether or not it is available. Next, you are prompted to create a password, and if it’s secure enough, they create your account. This was all very straightforward. I then was prompted to log in.
When I did, this notice appeared on the screen:
Sorry, you are currently not allowed to send or receive emails because your account was marked for approval. This process is necessary to offer a privacy-friendly registration and prevent mass registrations at the same time. Your account will normally be automatically approved after 48 hours. Thank you for your patience!
Despite this delay, I was permitted to explore the email, contact, and calendar functions, make entries, and compose email drafts.
Then I waited. And waited.
And then, Voila! After 48 hours passed I had full use of my account.
User Experience
Tutanota utilizes a pretty standard interface, looking very similar to gmail, protonmail, and most other web based email clients. I like the integration of the contact and calendar functions. The free plan includes access to a good deal of functionality, but does not include inbox rules. Contact and calendar functionality are standard, with no glaring deficiencies. Note that unlike protonmail, tutanota does not currently offer an encrypted drive.
Pricing
Although I signed up for a free account, I checked tutanota pricing for when and if I upgraded to a paid account.
The premium personal account, which includes 1 gigabyte of storage, a custom domain email, and 5 extra email addresses, is 1 euro a month. You can buy more storage, add users, etc., for an additional, very reasonable cost.
For business accounts, which I will eventually need if I switch to Tutanota, the premium, all the bells and whistles price is currently 7 euros a month.
Encryption
Protonmail uses PGP end-to-end encryption (E2EE).
Tutanota uses end-to-end encryption (E2EE) using a proprietary cryptographic technology.
Here’s how this review described Tutanota’s encryption:
Rather than using PGP and S/MIME, Tutanota has rolled out their own encryption standard incorporating AES and RSA, which encrypts the subject line, supports forward secrecy, and can be updated/strengthened over time.
Tutanota encrypts message headers, whereas protonmail does not.
Tutanota boasts a zero-knowledge search function. Now, I do not have the capability to determine whether the search function is really “zero knowledge.” Read this article if you are as baffled about the concept as I am. The ability to search the body of my emails is very important to me, and I don’t know how well tutanota’s search actually works. Protonmail has recently implemented an improved search function that seems adequate for my needs right now.
Both companies log IP addresses, so a VPN should always be used.
A few years back protonmail received some bad publicity for handing over user data to a government entity.
Tutanota makes the following claims in trying to distinguish itself in this regard:
How Tutanota Secures Your Email From Hackers & Government Agencies Governments around the world often demand that email clients provide a backdoor where users’ emails can be decrypted. Some government agencies, law enforcement units and institutions also demand email information belonging to particular people of interest. In opposition to these practices and in favor of users’ privacy, Tutanota has not complied and would not comply with any government agencies or institutions that demand customer data. By demanding to break encryption protocols, these government institutions are asking Tutanota to choose between privacy or political gains. It’s a well-established fact that some email service providers, including Google, have complied with government agencies.
Who knows? Talk is cheap. If you are breaking the law I wouldn’t count on any email provider to protect you.
Secure Log In
In addition to password and 2FA protection, tutanota also provides new users with an encrypted recovery phrase.
One caveat here: you get one view of your “seed”, or recovery phrase. It’s not like a hardware wallet, where you can see your keys if you have your password. I learned this the hard way. So if I lose my password or screw up my 2FA, I am out of luck.
Not your keys, not your email, or something like that.
Location
Tutanota is a German company, and the servers are located in Germany. They claim Germany has strong privacy laws, but I have my doubts. Protonmail is Swiss. Switzerland’s previously strong privacy laws have been watered down in recent years, but are probably still stronger than Germany’s.
Conclusion
I like tutanota so far, and I plan on continuing to use both protonmail and tutanota going forward. They both seem like great providers, both have open source code, and the only reason I am even considering a protonmail alternative is the growing stigma that seems to be attached to using it. I believe that email will in all likelihood be obsolete in the near future anyway. I know that "the death of email" has been predicted many times since the late 1980s, but bitcoin’s lightning network can provide better security with better functionality than encrypted email with much less friction. Until the world discovers this fact, I’m stuck using this archaic technology.