Tutanota is a trusty end-to-end encrypted email communications platform that has been around for a decade now and is already used by two million people. Today, privacy and security in online communications are maybe more crucial than ever, and services like Tutanota are getting increasingly squeezed by lawmakers and regulators who want to abolish strong encryption or plant backdoors that are, as they claim, required for the protection of children and national security.
We reached out to the founder of Tutanota, Arne Möhle, to discuss all of that, to get a better idea of how their product works and what the project's plans are, and to learn which key points internet users who value their privacy should keep in mind.
Can you give us the ‘short version’ of why you decided to found a project like Tutanota?
Really short? To fight for people’s right to privacy!
What does it mean to offer secure and anonymous email service on today’s internet, with efforts to scrutinize people’s communications intensifying?
Using a secure mail service like Tutanota becomes increasingly important, not only because of increased interest from the authorities to have access to people’s communications. It is also important because in today’s internet, the malicious people, the attackers, become more and more sophisticated.
Email, however, is one of the most important online accounts each of us has. Lots of accounts are tied to your email address via the password reset option. This makes email a highly profitable target for malicious actors on the web: once they are in your email account, they can hack your Facebook, your Amazon, potentially even your bank account.
Automatic email encryption and the highest standard of login security like in Tutanota help people protect themselves from such threats. That – and the fact that we respect our users' privacy and do not post targeted ads – makes a great number of people switch to Tutanota.
Since you can guarantee privacy in communications, your service is inevitably used by hackers and terrorists as well. How do you handle this problem, and can it practically be dealt with?
Tutanota is based in Germany; thus, all our users are bound to German law. Tutanota may not be used for illegal activities; otherwise, the accounts will get closed.
Is there any way for a government to get user details from you, like IP addresses, or payment details, or anything that could help identify a person?
Data protection laws in Germany are very strict, also because of the European GDPR. This means we are obliged by German law to protect our users’ data. We may not hand out this data, not even upon foreign governments’ requests unless there is a valid warrant from a German judge.
When presented with a warrant from a German judge to investigate criminal activities, we can only hand out the data that we have. For instance, the encrypted data in Tutanota cannot be decrypted, so we can only hand this out in an encrypted form. When someone under criminal investigation has used a paid Tutanota account, we can hand out the payment details. You will find more information on the legal situation in Germany here.
Why have you chosen Germany as the base of Tutanota’s operations? What role does that play in user data safety, and what data retention laws apply right now?
We chose to place Tutanota in Germany because it is one of the best countries in terms of data protection and privacy rights. Germany has a constitution that defends the right to privacy, and every law must be weighed against this basic human right. The Federal High Court in Germany takes the human right to privacy very seriously as well and has ruled that data retention laws are not legal when it comes to email because they would infringe on citizens’ right to privacy. Thus, there is no data retention law for email in Germany, while lots of countries – France, Switzerland, the USA – have data retention laws where service providers are forced to store traffic and user data of all users for months, in some countries even for an entire year.
Compared to other end-to-end encrypted email services, what is it that makes Tutanota unique, and what are the reasons people should use it over the competition?
Tutanota is the email service that encrypts the most data. Plus, we do not simply say the data is encrypted, so Tutanota is secure, but we understand the protection of privacy as a holistic mission. This includes:
- not using any Google services, not even for push notifications on Android
- making sure that there is absolutely no tracking in Tutanota
- being transparent by openly disclosing security issues and publishing a transparency report
- using only open source code in the Tutanota clients so that people can check that we actually do what we say.
In terms of encryption strength, are there any risks for the email communications that happen through Tutanota now to be cracked in the future?
Of course. Everyone in the tech community knows that today’s encryption protocols are not safe enough once quantum computers are going to be realized. That’s why we are already working on a research project to harden Tutanota’s encryption with post-quantum secure algorithms. We have already implemented a prototype of a hybrid encryption protocol that can withstand attacks from quantum computers. We want to get this ready in Tutanota in the coming years – way before any quantum computer can threaten our encryption.
Is Tutanota still banned in Egypt and Russia, and what are you doing about it? Also, where else are Tutanota users having trouble using your service, and what solid access restriction bypassing methods are there for them to use?
Tutanota is banned in some parts of Russia, possibly also in Egypt, but nonetheless, our user communities are growing there as well as everywhere else in the world. Today every internet user knows what a VPN is or how the Tor browser works, so accessing Tutanota, even in these countries, is easily possible. We also plan to add our own proxy server to Tutanota to make sure everyone around the world can access Tutanota – even when the authorities try to stop their citizens from using a secure communication channel.
After almost a decade since the launch of the service, does the business model of relying upon donations and premium subscriptions work well for you? Are advertisers and marketers still barred from your platform?
Yes, it works perfectly. We already reached break-even a couple of years ago and can now increase our development team according to our growing user base. It is great to see a privacy-focused project such as Tutanota flourish because it proves that a different internet is possible: one where the users’ right to privacy is respected, and their data is not abused.
What are the plans for the project? Do you plan on launching any other complementing tools for the security and privacy of internet users, like web browsers or calendars, or even a VPN tool?
Tutanota already offers a zero-knowledge calendar! We also plan to build an encrypted drive in the future, but right now, we focus on email and calendar features. We do not plan to offer a browser or a VPN. Particularly offering a VPN does not make any sense because then the email provider would still be able to find out users’ original IP address if they connected via this VPN. For privacy reasons, it is better to keep such services separated.
If you were to give our readers a single piece of advice on what to watch out for and how to protect their privacy online, what would that be?
I can give three:
- Encrypt as much data as possible.
- Choose your online services wisely: if the service is free, you are paying by being tracked, profiled and targeted with advertisements.
- Do not think that when you're protecting your privacy you are anonymous online. Being anonymous is a complex task and needs more education than reading a few tips from a privacy advocate like myself.