Tuta "Zero Knowledge"

I recently saw Tuta boasting about their “zero knowledge” email service but from reading their article it seems like the same stuff every private email service offers - encrypted email, contacts, etc etc. Doesn’t that make their tweet below seem a little disingenuous? To me it reads as though they don’t even keep IP info on their customers. Please enlighten me.

https://www.reddit.com/r/tutanota/comments/j8loij/comment/g8hq2vm

1 Like

Hmm. So they don’t keep registration IPs, I wonder if they keep access logs?

Maybe relevant: in the past they have also been ordered, by a German court, to hand out incoming and outgoing non-encrypted emails.
https://www.reddit.com/r/tutanota/comments/k3sfs5/comment/ge4xywc/

2 Likes

I just want to point out those two tweets were made (A) two days apart, and (B) from two separate accounts. The way the screenshots are displayed makes it look like there is a direct relationship between those two tweets that probably isn’t there/wasn’t intended.

3 Likes

They do not keep access logs. Only logged in devices with an Identifier and no IP addresses are shown in your dashboard.

Hi there, Tuta here.

We do not log any user IPs when creating accounts or when you access/use them. By not collecting this information we cannot be forced to turn it over. We also do not require phone numbers or secondary email addresses which means that you can create a truly anonymous Tuta account over the Tor network.

Regarding the zero-knowledge architecture, this is related. The blog post here is referring to how we have constructed our internal infrastructure in such a way that we are unable to view customer data (emails, calendar events, contacts, etc). This is specifically referring to the way in which data like emails, contact info, or calendar events are encrypted on your device before any data leaves your device and heads to our servers.

We have also created our own push notification service which completely avoids Google’s FCM service. This means that notification data is not being shared with these third parties. With the Tuta Calendar event reminders we never see the names, times, places, or dates of any events.

Our goal is to encrypt as much data as possible and not to require any more information than is needed for operational purposes. We don’t need to store your IP to send an email, so we don’t.

There is no legitimate reason to store more data than is required for a service to function properly.

I hope this answered your questions, if not we can provide more info : )

12 Likes

Nope. We don’t need them to send your emails, so we don’t store them.

5 Likes

Good catch, I didn’t even notice that. Kind of weird for Tuta to be responding from a different account than the official one.

@Tuta_Official understood :) just one small question: what if a user forgets his/her password?

I’m almost positive I have seen something about those kinds of questions on pretty much every email provider’s website…

That’s a great site, thanks.

But won’t Google know my Tuta address because of Google Play Services, as you reveal my whole address in accounts and services (under Android settings)?

They give you a recovery code during account creation, it is the only way to reset your password/2FA. If it’s lost, you are doomed.

1 Like

If you’re using GrapheneOS, then no, but if you’re using something else, then Google has privileged access over your OS.

1 Like

I am using Stock Android that came with my device. So, my Tuta email address is probably known by Google now?