Remove TutaNota as service #2339

Closed
opened 2021-06-09 20:56:25 +00:00 by anon238 · 9 comments
anon238 commented 2021-06-09 20:56:25 +00:00 (Migrated from github.com)
https://techcrunch.com/2020/12/08/german-secure-email-provider-tutanota-forced-to-monitor-an-account-after-regional-court-ruling
rusty-snake commented 2021-06-10 06:04:18 +00:00 (Migrated from github.com)

Posteo and Mailbox.org are based in Germany too.

ph00lt0 commented 2021-06-10 16:45:43 +00:00 (Migrated from github.com)

Old news, already discussed, conclusion: not a reason to delist it.

lrq3000 commented 2021-06-11 18:47:32 +00:00 (Migrated from github.com)

However we should maybe add a note for all e-mail providers to mention that even E2E encrypted providers can implement surveillance backdoors for future communications on specific accounts. This is important for whistleblowers. Except if self-hosted of course.

gary-host-laptop commented 2021-06-11 19:06:36 +00:00 (Migrated from github.com)

@lrq3000 In this case, only unencrypted e-mails (which were received from other providers) were handed to authorities, there was no backdoor. I translated the German news article in the original issue.

youdontneedtoknow22 commented 2021-06-14 20:44:23 +00:00 (Migrated from github.com)

> @lrq3000 In this case, only unencrypted e-mails (which were received from other providers) were handed to authorities, there was no backdoor. I translated the German news article in the original issue.

Fact is, Tutanota should encrypt all received emails and delete the plain text version. For emails sent unencrypted, this should also be the case. Now, they're forced to make a copy of that plain text version and give it to the authorities if asked to with a court order.
Tutanota maybe shouldn't be delisted, as it's the only free email provider next to Protonmail, but this fact should be mentioned.

Dyrimon commented 2021-06-15 03:01:51 +00:00 (Migrated from github.com)

> > @lrq3000 In this case, only unencrypted e-mails (which were received from other providers) were handed to authorities, there was no backdoor. I translated the German news article in the original issue.
>
> Fact is, Tutanota should encrypt all received emails and delete the plain text version. For emails sent unencrypted, this should also be the case. Now, they're forced to make a copy of that plain text version and give it to the authorities if asked to with a court order.
> Tutanota maybe shouldn't be delisted, as it's the only free email provider next to Protonmail, but this fact should be mentioned.

Regarding the court order, every email provider will be forced to do this. It's the nature of email. You can't make it encrypted by design. Tutanota doesn't support PGP so there is no other way to automate encryption. This event of forced logging of plaintext email, not "backdoor", is an edge case. This does not enable mass surveillance. You shouldn't use email for private communication anyway.

gary-host-laptop commented 2021-06-15 05:02:34 +00:00 (Migrated from github.com)

@youdontneedtoknow22 If you don't enable it by default they could eavesdrop the messages on the way to the receiver anyway.

youdontneedtoknow22 commented 2021-06-15 09:29:31 +00:00 (Migrated from github.com)

> Tutanota has zero access encryption at rest for your emails, address book contacts, and calendars. This means the messages and other data stored in your account are only readable by you.

This statement on the PTIO Website for Tutanota is wrong. It's not zero access encryption, if they can have access (or copy the plain text before the emails are encrypted). That's what I want them to change. Look at how they described Disroot:

> Disroot uses full disk encryption. However, it doesn't appear to be "zero access", meaning it is technically possible for them to decrypt the data they have.

So I think they should add a warning that Tutanota can make these plain text copies of emails.

Regarding the other comments,

> Regarding the court order, every email provider will be forced to do this. It's the nature of email. You can't make it encrypted by design.

You can automatically encrypt every email and never leave a copy of the plain text. This was the case in Tutanota up until the recent law in Germany, now it's not. Now they can be forced to make a copy of the plain text. However, Protonmail doesn't have this and all received emails are saved encrypted on the server with no way to decrypt them and they don't.

> You shouldn't use email for private communication anyway.

Well sometimes you have to. Snowden for example used Lavabit. Good he used it and not the 2021 Tutanota, otherwise they would've made copies of his emails.

> If you don't enable it by default they could eavesdrop the messages on the way to the receiver anyway.

I'm not sure about this tbh. Aren't all emails encrypted with TLS on the way, so that they can't be intercepted? PGP prevents the mail provider of the sender and recipient from having plain text versions of the email, it's not to prevent the interception. That's how I understood it while reading this statement from Disroot (which doesn't utilize PGP by default):

> "Disroot provides secure email accounts for your desktop client or via a web interface. The communication between you and the mail server is encrypted with SSL, providing as much privacy as possible. Furthermore, all the emails being sent out from our server are encrypted as well (TLS) if the recipients email server supports it. This means that emails are no longer sent as traditional "postcard", but are actually put in an "envelope"."

Correct me if I'm wrong tho. I'm by no means an expert in these topics, but I do like to learn about them :)

freddy-m commented 2021-06-21 13:11:59 +00:00 (Migrated from github.com)

See @ph00lt0's comment.

Reference: privacyguides/privacytools.io#2339