Best privacy settings on Android | Tuta

Well, isn’t it a good enough reason that everyone needs to have Tuta if they want to send something encrypted?

Sorry. I edited my comment. Please read again.

To me, it’s not a good enough reason to discount or disparage the product and their service.

You can say the same for Signal. You need another person using Signal to use Signal with them. Following your logic, unless Signal works with other apps while keeping up with the privacy and security it offers, it is not worth using and must be a deal breaker.

1 Like

But Signal isn’t email.

Nothing stops them collecting your password or serving up a different web client that siphons off your messages.
They also, somewhat understandably, block Tor for signups.
(These same issues apply to Proton and others tbf.)

3 Likes

I was giving an example of a different product category but the principle is the same. You need others to use the same tool to best make use of said tools’ privacy and security.

1 Like

Back on the topic, I do wish these companies would have someone on hand to at least proof-read these posts before posting.
It is minimal added effort and would make them look less bad.

5 Likes

Yes, I do agree with you here. Shame they are unable to ensure this.

How many people do you know who use Tuta? For me, it’s zero.

1 Like

I can always use Tuta with others with the option they offer where you can still send emails with a Tuta link for the web app to open on their end, hence ensuring the privacy you want/prefer to have.

But now we’re going off topic.

My question is whether PG should continue to recommend nonsense companies like Tuta that continue to put out this level of privacy misinformation posts.

Let’s assume that a user follows PG’s recommendations and signs up for Tuta (lol btw). They would then be much more likely to read and follow Tuta’s blog posts, which would encourage them to install insecure trash like /e/OS (as recommended in the previously-linked 2025 degoogle blog post). Doesn’t that go against the whole purpose of PG?

4 Likes

Well, a new post asking for change in their evaluation criteria is how you can lobby PG to change their criteria against which they measure products in this category.

A part of that post if you make it would be if PG should account for intangible aspects and external factors of the company (and/or its people) and not the product it offers only when assessing the quality and promises the company makes about the product against the established criteria.

That’s the question for the project director Jonah. Hope after the holidays the team and he can chime in on all the new controversial posts (about the VPNs recently) and the rationales for the existing PG criteria and potentially with new ones should changes be introduced.

2 Likes

Precisely the point. 😜

1 Like

I think the point perhaps here is of education, no? I would trust that this community hopes to instead teach people: ‘Yes, {X} has negative aspects, but you are supposed to be threat modelling - think, in addition to what faults this has, what utility do I gain from it?’. No doubt there are controversial recommendations here that remain on the grounds of their utility.

So in rebuttal, I’m not sure it’s necessarily true that someone who came to Tuta from PG in particular would be ‘more likely to read and follow Tuta’s blog posts’ - I would hope they realise something isn’t quite right with the post, as we have here, and that enough of us contribute to get the message across to some internal team that these posts ought to be vetted better.

2 Likes

Could I ask for an elaboration of what makes Tuta a nonsense company? Not to argue, I just want to understand the sentiments around the company better, since I had the impression they were doing ok overall.

These are the points I’ve seen mentioned in this thread:

  • Tuta has poor/no interoperability with other recommended email providers.
  • Tuta recommendations for other services are frequently poorly thought out.
  • (Not mentioned here, but Tuta’s tone towards direct competitors in the privacy space can be antagonistic.)

However, they also seem to have things going for them:

  • They fulfill PG’s current criteria for recommendations for both their email and calendar services.
  • They’ve partnered with other reputable privacy services to promote them and provide mutual discounts, such as Ente and Notesnook.
  • They’re engaged in relevant legislation for their jurisdiction.

1 Like

Not that the following is excusable, but Tuta is German, run by German people. There can be, and most likely is, a cultural difference with how they correspond and market with the rest of the world, and that difference is how we end up seeing and evaluating it differently.

Their core product is email software privacy & security. Everyone in this space who understands cybersecurity understands the same language so they can be great at this one thing. But with everything else, it should not be shocking that they may not be good at speaking about things in the industry via these blog posts of theirs.

This is just some context I’d like to add that I’ve been thinking about. Yes, they, like Proton need to improve their marketing and improve other things they put out in the world besides their core product offerings.

1 Like

I don’t use Tuta, but their blogs have always been terrible.

Sensationalism:

Misinformation:

Talks big game, but no proof about Apple (data collection and usage is not inherently evil, privacy violations are):

Recommends random stuff like DDG browser, confuses anonymity with censorship resistance, etc. while talking of Hyphanet:

Does not understand what Signalgate issue was at all, even Guardian had better reporting on it:

Even Proton recently went bad, with “How to write email” spam and “We recommend Vivaldi because it is European or something”. Terrible year for corporate blogs outside of Cloudflare (multiple outages means multiple RCA blogs) and Google security (redesign of the page, finally it doesn’t look like 2002).

5 Likes

What I have lately been noticing is that corporations and the corporate culture are becoming worse and worse with what they’re putting out in the world that’s not their core product. They don’t appear to care for the details and the accuracy of information as they once did. Perhaps it is because of AI? I can’t prove it but the timing of it all makes it circumstantial evidence.

Either way, this is a bad trend. The only one doing better is Mullvad as they always stay on point. I don’t remember any other blog posts that are memorable or worthy from this year, even though some of them did have some good information.

3 Likes

As I see it, the privacy business is a business of trust. Tuta is a privacy business, but they’re promoting a ton of privacy misinformation that SkewedZeppelin and koocmit have linked in this thread. In my eyes this makes them untrustworthy, which is why I called them a nonsense (privacy) company.

Yes, there are some privacy tech/tools/services that we could argue about and not agree on. As for me, I have high trust in GOS and I run their software on my phone. This year the GOS guys posted pretty damning essays about /e/OS. Namely Hiroh phone? - GrapheneOS Discussion Forum and Devices lacking standard privacy/security patches and protections aren't private - GrapheneOS Discussion Forum. Tuta loses my trust when they recommend /e/OS in their blogs like Top list to deGoogle with best private alternatives | 2025 | Tuta

2 Likes

The privacy business is also the business of transparency and verifiability. What are you talking about? They make open source privacy software that gets audited. How much more open can they be and why do you only say it’s trust?

I don’t follow yours or others who are thinking less of Tuta. Yes, they have on more than one occasion (Several in fact) made mistakes in talking about inferior products/tools/things and thus “recommending” them to whomever is reading it. But all this does is leave a bad taste in your mouth about their ability/capacity/willingness to be more mindful, thoughtful, and to an extent even intelligent enough to know better and not write about things inaccurately. That’s it.

This does not by default make the core product they sell bad or suddenly poorly made that ought not be used.

All this means is that we must be more vigilant than ever about everything they say or “claim” or do and ensure its accuracy and authenticity (of their core product too). But I reckon we were always this way with it or any other privacy tool.

People, please correct me if my thinking is wrong here. I’m not following the somewhat misdirected hate here. I think you and others are conflating mistakes in one area to their entire offering being a mistake and a bad unfit inferior privacy product for what it is supposed to do and promises.

I’m happy to listen and will try to understand why you feel this way and how I rather ought to be seeing it instead of how I am seeing it now and what I have aforementioned thus far. I explicitly ask for this now because no one has explained or “argued” against what I have said thus far about the matter.

1 Like

They do like to juice the rankings. I don’t understand how it doesn’t turn more people away.

Open source is not a guarantee of anything other than I can switch to self-host their stuff if I want. There’s no way to verify what’s running on their server and I have to trust a company if I’m relying on their server-side code. PG touches on this in the “Open-source software is always secure” common misconceptions page: Common Misconceptions - Privacy Guides

I agree. Their blog posts do erode my trust in them, but I cannot for certain say that their core product is poorly made or is insecure. My concern was that users that read PG’s recommendation of Tuta will start to follow and believe Tuta’s misinformation in their blog posts.

2 Likes