Every company needs to comply with local laws, but it is better to adhere to one country's law instead of many.
And what other countries' laws is Tuta complying with?
EU, apart from Germany.
This is true for ALL lawful countries. This is how this thing works. Any registered company is obligated to the law in their registered countries. Swiss or not does not matter.
However, there are 2 things that would come into consideration:
- The adherence to the rule of law. Some countries have good laws and follow them, while some use the laws to abuse their people. Or in some extreme situations, they could just issue an order regardless of the laws. You can see the ranking/index from: WJP Rule of Law Index.
- The technologies involved. This is not related to trust, reputation of the company, privacy policies, etc., but the actual code as written on the public repo for everyone to see and verify the source, for example, whether they’re using E2EE and how they’re using it. The ideal usage would be to compile the source yourself if your threat model is extremely high. Unfortunately, most don’t compile the source unless it’s necessary (me included). And most centralized services don’t release their server-side source code, and even if they do, there’s no guarantee that they really run that exact code on their servers. Well, even Proton is spotty with their clients’ source code, let alone the server. Therefore, I always prefer decentralized services, which would require zero-trust.
The EU is a collection of member states who enter into treaties, enacted via their own local laws.
As far as surveillance laws go, any request must go via local law enforcement in a member state.
Yes, there are treaties for sharing data. But they are enforced first and foremost by local/national courts. And in fact, the EU courts provide an additional backstop to protecting your personal data through Articles 7 and 8 of the Charter of Fundamental Rights of the EU. Switzerland doesn’t have this additional safeguard. And in the recent past it has made use of broad constitutional clauses to rewrite basic laws to safeguard Swiss interests against the interests of others.
Tuta tells the truth though. Technically, when any mail provider receives unencrypted emails, they can do anything with them, maybe save, or maybe encrypt; you still need to trust them, and it does not matter whether it is Tuta, or Proton, or Cockli.
Tuta offers a free plan indefinitely as long as you use it.
I don’t think either provider has to adhere to US laws. If the nation’s courts decide that they need to turn over data, they are legally obligated to. This happened with Proton when the Swiss govt forced them to turn over data about that climate activist.
When the account is downgraded to the free version this six month inactivity policy is put in place. Should the account be returned to a premium version, the policy is no longer applicable.