Germany-based encrypted email startup Tutanota is taking its service out of beta next week — after a year of testing and almost 100,000 users signed up to send and receive secure email.
Additional domains will also be offered in the new release, coming on Tuesday, including .com and .io options (in addition to the current .de option).
Tutanota was founded at the end of 2011 with the idea of making secure email easier than extant options like PGP. Its ease of use pitch means it’s doing encrypted email in the web browser and also offering iOS and Android apps.
It’s similar to the likes of encrypted email products ProtonMail, StartMail and Hushmail but says it’s putting more emphasis on usability, with a clean interface, features such as attachment encryption and support for different devices.
“We decided to invent something new which is easy to use. That was the plan from the beginning,” co-founder Arne Möhle tells TechCrunch. “It was clear that we need to use the modern technologies — web browsers, apps — and that’s why we decided to create a web application instead of something you have to install locally.”
The company professes itself confident enough in the robustness of Tutanota’s security, after a year-long beta testing process and community review, to remove the beta label now — although it did admit to a cross-site scripting vulnerability last summer (a flaw it subsequently fixed).
Since 2011, Möhle says it’s tracked a growing interest in privacy, and says the product has found users all over the world — including a sizable proportion in the U.S., which he describes as a major market for Tutanota.
“We definitely see an increase [in interest in privacy]. Which is maybe not a very big increase but it’s definitely an increase, especially after [NSA whistleblower] Edward Snowden. Many more people — private users — understand the threats. And they have to do something to fight for their privacy,” he adds.
With Tutanota, encryption is done locally, on the client device, secured with a user’s own password (so that also needs to be strong, and their own devices need to be defended from malware to ensure email security), before being uploaded and sent to the recipient via Tutanota’s servers, and then decrypted on the recipient’s device.
Tutanota is not privy to users’ passwords (there’s no password reset option) so it says there is no way for it, as the email service provider, to be able to decrypt the data it’s sending. Which means it can’t be strong-armed by governments to hand over data. Nor is it data-mining your emails to sell intel to advertisers.
“We use end-to-end encryption. That means if you encrypt some data it’s always encrypted on the client, so in the browser, in the app, and it cannot be decrypted except by the person this data was encrypted for,” says Möhle. “This decryption again happens on the client. So if you send an email this email is encrypted on your client, sent through the Tutanota service and is then decrypted on the receiving client again.”
To further user trust, it open sourced its software last year to allow for community review. It also notes that it has subjected its system to cryptographic peer review by German penetration testing firm SySS.
“We use standard encryption algorithms which are proven to be secure, at least according to the current knowledge of course, so we use RSA and AES. Which are both also for example used in PGP or S/MIME or military systems and so on,” he adds.
Tutanota users are automatically assigned an asymmetric key pair (one public, one private) when they register for the service — with the keys created on their client device, rather than on Tutanota’s servers, and again encrypted with their own password.
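The scheme described in the paragraphs above (key pair generated on the client, private key encrypted under the user’s password, mail encrypted with RSA and AES), sketched as an added example that is not Tutanota’s code or part of the original article. The article names only RSA and AES; scrypt, AES-256-GCM, RSA-OAEP, Node’s crypto module and all function names are assumptions made for illustration.

```javascript
// Added illustration, not Tutanota's code. The page names only RSA and AES;
// scrypt, AES-256-GCM, RSA-OAEP and every function name here are assumptions.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-GCM helpers; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

// Client, at sign-up: generate the key pair locally and wrap the private key
// under a password-derived key. Only the returned record would be uploaded.
function register(password) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const salt = nodeCrypto.randomBytes(16);
  const passwordKey = nodeCrypto.scryptSync(password, salt, 32);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  return { publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }), salt,
           wrappedPrivateKey: seal(passwordKey, der) };
}

// Sender's client: fresh AES key per message, wrapped with the recipient's public key.
function encryptMail(recipientPublicKeyPem, text) {
  const sessionKey = nodeCrypto.randomBytes(32);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKeyPem, ...OAEP }, sessionKey);
  return { wrappedKey, body: seal(sessionKey, Buffer.from(text, 'utf8')) };
}

// Recipient's client: the password unlocks the private key, which unlocks the
// session key, which unlocks the mail. The server sees none of the three.
function decryptMail(record, password, mail) {
  const passwordKey = nodeCrypto.scryptSync(password, record.salt, 32);
  const der = unseal(passwordKey, record.wrappedPrivateKey);
  const privateKey = nodeCrypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  const sessionKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, mail.wrappedKey);
  return unseal(sessionKey, mail.body).toString('utf8');
}
```

In this sketch the record returned by `register` is the only key material a server would hold, which is why a wrong password fails to decrypt and a forgotten one cannot be reset.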
Encryption keys are synced across user devices so users do not have to manually transfer them. Attachments and email subject lines are also encrypted as a matter of course by Tutanota. And Möhle concedes that while metadata remains problematic for encrypted email, the service at least does not store IP addresses. It also intends to implement a feature to hide the specific sender of an email in a future update.
“Even emails which you send unencrypted — it’s possible to send… ‘normal’ emails [via Tutanota], but even these unencrypted emails are stored encrypted on the server,” adds Möhle. “So if you send an unencrypted email your sent email is encrypted for you on the server so we cannot access it afterwards.”
Encrypted email continues to present challenges in the wake of the 2013 Edward Snowden revelations about U.S. intelligence agency surveillance programs. That summer U.S.-based Silent Circle shuttered its encrypted email product to avoid having to hand over user data to government agencies, for instance, and has since pivoted to encrypted mobile comms products with Blackphone (while also working on the Dark Mail project to build a new secure messaging protocol for email that aims to also lock down metadata). It’s also shifted its HQ to Switzerland.
Startups in parts of Europe where the political outlook is more conducive to safeguarding privacy are clearly seeing a business opportunity here. Switzerland, for instance, enshrines a right to private communications, including email, in its constitution. While Möhle says German law means email providers cannot be forced to manipulate their software to implement backdoors.
“We cannot deliver the emails [to governments] because we cannot read them,” he adds. “If [users] are familiar with source code they can review the open source source code and see for themselves the code is ok. You can already build the Tutanota Android app or the web application by yourself, so you can use the code you’ve reviewed, build the application and run it locally so we offer the possibility for everyone to make sure that the software they use is actually the one which you have looked at.”
Tutanota has a freemium business model, with a free version of the product that offers up to 1GB storage, and premium paid versions planned to monetize the consumer version in future. It also already offers a premium version for businesses that lets them use their own domain and plug into Outlook email. It’s already taking revenue from this.