CBC: Tutanota (Tuta) is a honeypot

Article: https://www.cbc.ca/news/politics/ortis-testimony-transcripts-1.7026011

Tutanota replied to these allegations:



This is something we can’t verify because having open source code doesn’t tell us anything about the things that they run on their servers; it doesn’t prove anything. Lack of PGP support is one of the reasons I don’t pay for it. I would feel more at ease if I could use it in a different email client, but it’s not possible with Tuta.

What do you think about this?


Tuta responded to these allegations on Reddit. They claim the allegations are ‘absolutely false’.


Extraordinary claims require extraordinary evidence. Trust me bro is not evidence.


This is most probably a mistake by the journalists writing the article. Maybe they were referring to another service, had no idea what they were talking about, or just made the stuff up. In any case, there is absolutely no evidence or anything of the sort here. This doesn’t even qualify as an accusation. I don’t think it’s worth engaging with.

Tutanota should get into contact with CBC though, and have them remove the article or face defamation charges.


I think the post on r/privacy is since removed (edit: ‘for it being an unreliable news source’), but Tuta actually responded to a Redditor about this. Tuta said they are in contact with their legal team about these allegations.


There is also a long discussion about the allegations on /g/ on 4channel:


One would think that a “Senior writer, Parliamentary bureau at CBC” would send a request for comment to a company being called out like that before publication. Although unconfirmed, it looks like that didn’t happen, which makes me question her journalistic ethics.


You guys seem to think that the journalist is making claims against Tuta. She didn’t. A former spy did. In a court. To the judge.

What you guys should be questioning is why the court didn’t redact the name of an alleged intelligence agency’s honeypot and why is the regime’s semi-official press telling the world about it. Seems a little detrimental to “national interest” or whatever they want to call it.


Nah, I think she’s demonstrated journalistic incompetence. Then again, she is a reporter and not an investigative journalist, so I am arguably expecting a level of scrutiny that exceeds her job requirements.

As per this earlier CBC article from Wednesday, the court delayed the sharing of the transcript:

“Due to an unforeseen and serious technical issue at the Department of Justice, the transcripts are not yet ready for release. They are being reviewed for national security reasons and will be provided as soon as possible,” said spokesperson Nathalie Houle.

Which to me sounds like they probably checked with their agencies whether there was any truth to it or not – and seeing as it wasn’t redacted, I think we can safely consider the claim completely made up.


I was looking at this yesterday, and as far as I can tell it’s basically impossible for the public to obtain a copy of this transcript. The CBC is the only organization I’ve seen who supposedly has a copy and is reporting on it, and other news organizations are just repeating the quotes that the CBC is pulling from it.

If any Canadians have any insights into how your court system works, please share… but from my point of view it seems like transparency is not the way things work around there. Impossible to even know what Ortis was talking about in the first place without these records published, and even so that testimony about Tuta is essentially hearsay :man_shrugging:

See also:


You should not use Tuta if you do not trust their web clients, and this has always been the case. The best options for using your own trusted email client like Thunderbird are:

  1. Mailbox.org with their automatic incoming PGP encryption enabled
  2. Proton Mail w/ their local bridge app
  3. Any email provider with SimpleLogin/Addy’s automatic incoming PGP encryption

This is why we split PGP recommendations from other implementations on our email provider recommendation page.

That being said, to respond to this point:

The server-side code doesn’t matter when it comes to encryption, because the encryption is done client side (in your browser, not on their server) where you do have more visibility into what is running.


But the browser has no mechanism to pin hashes of scripts locally.

Any such service could easily serve up different scripts to targeted users or every 10/100 visits that do siphon off message content.


Just another honeypot argument. Tuta and Proton are honeypots. So what, should we switch to Gmail?

Technical problems do not make them a honeypot (see Honeypot (computing) on Wikipedia).

Well, you should just be aware of the limitations of Proton and Tuta. It very likely is not an issue, but if you are concerned that it might be an issue, more secure tools exist.

The encryption provided by Proton is convenient and positions Proton as much better than services like Gmail. However, the convenient option is usually not the best option, and you could be running Thunderbird with PGP entirely locally under your control instead for example.

Like @SkewedZeppelin alluded to above and as we say on the following page, these web clients are not the appropriate medium for strong security in the first place:

Nobody should really be using Tuta, Proton, or any other email provider for personal communications anyway. This is why the first thing we say on all our email resources is to use an instant messenger instead.


Never said, but when one party accuses another you should give the other an option to respond. That’s the journalism code, so to say.


I never really understood this argument. Sure, it is easier to check the source code of an app, but do you do that on every update? Made by the same vendor, I do not see any realistic difference.


The main difference would be that you usually know when an app updates, but not when a web app updates, so in theory at least it’s not being done secretly.


I understand where you/the argument comes from now, but I still do not think this is a feasible defense strategy. Also, as you probably realized, most apps are auto-updated these days on most platforms.


Also, a web app or PWA would have a lot more limitations on what it can do on your system, since basically everything requires a user permission, from mic, cam, location, storage, etc. It’s actually a safer platform for most users.

I think knowing when an app updates (usually auto-updates, and also without an easy way to roll back) doesn’t outweigh the benefit of the browser’s strict sandboxing.


Well—and this is more applicable to mobile phones specifically—it’s also more difficult for a malicious developer to specifically target someone with a malicious app update, because app stores do not provide that functionality.