I made my first and only account with tutamail and within 48 hours it was disabled due to abuse. It really bothered me because I had forwarded now-deleted emails for storage, updated many accounts including my doctors with the new tuta email. The next time I try to log in it tells me that my password is wrong or can’t log in. I wasted my time trying to change the password and when I contacted support they sent me this:

Hi there,

Thank you for your email.

Your account was flagged as an abusive signup by our system and it was therefore suspended. We have reviewed this case and we cannot make an exception. Please understand that we block some signups based on many different criteria in order to ensure the quality of our service.

Please feel free to register a different account.

Why the hell would I make another one? I signed up my one account the same day that I discovered them. I used a VPN, as if that’s anything new. “I can make another account” really? So they can delete it again?

Obviously I should have tested their client before going all in. Who cares about privacy when random assholes can just wipe my data or read my emails? I needed to vent. Fuck you tutamail

  • PiraHxCx@lemmy.dbzer0.com
    1 day ago

    They can’t read your emails though, Tuta uses zero-knowledge encryption, it was something else that got you flagged. Did you send a lot of consecutive emails?

    • spinning_disk_engineer@lemmy.ca
      1 day ago

      For the sake of accuracy: Incoming emails from external services are initially not encrypted. It’s only truly zero knowledge for either emails sent by another tuta user, or for emails that have already been received.

      That being said, they don’t record this information unless specifically required by a court order, which to my knowledge has never happened. I understand that they make the decision of whether your account is spam within 48 hours, and after that it is in the clear. I created my account over Tor, didn’t use it much at all for the first few days, and have been using it fine since. That’s only one data point of course.

      • PiraHxCx@lemmy.dbzer0.com
        20 hours ago

        You are talking about End-to-End Encryption. Zero-Knowledge Encryption means they don’t have access to your mailbox because they don’t know the password, it’s not stored on their server, they only know the hash it generates (which is used to verify you know the password, but the password itself is never exposed).

        Even though they can’t get inside your mailbox they know all the incoming and outgoing metadata (addresses of emails sent/received) so they know your traffic (there is no way to encrypt metadata anyway, it would be like giving a letter to a mailman but not telling him who to deliver it to), but, say, a court orders them to give access to your mailbox, they have no way of doing it, only someone with your password can read your emails.

        • Ohh@lemmy.ml
          20 hours ago

          To be explicit. If it’s not e2e, it’s sent and received and logged in plaintext. Tuta can opt to encrypt it, then store it, after the fact. But you can’t verify that they do. Even though they claim to. Only messages (which is not mail) between tuta customers are e2e as I understand it.

          Use signal. (Or for mail: I am going to shill purelymail which is awesome)

          • PiraHxCx@lemmy.dbzer0.com
            18 hours ago

            Stored emails are encrypted in any service, the difference from Tuta, Proton, Atomic, etc, to Gmail, Outlook, Yahoo and others, is that they don’t have the decryption key. But yeah, technically any of them could make a copy of unencrypted emails you receive and send (the latter don’t even need to since they have the key), but they can’t do it retroactively. Proton had a few third party audits checking their services, but afaik Tuta hasn’t.