So as we all know, unless you are using PGP encryption (which Tuta doesn’t support anyway) or you are emailing someone that uses Proton or Tuta, your emails are not end to end encrypted.
Adding on to this, if you are emailing someone that has a Gmail or Outlook address, then your emails are already getting stored on Google and Microsoft’s servers and being scanned anyway. So having your emails encrypted at rest on your client doesn’t have that many benefits either in this case.
The same argument would apply if you are only receiving emails as well from mailing lists or the like because the email will be stored somewhere.
So my question is, what is the point of using these providers anyway?
This question assumes:
You are not emailing anyone on the same platform as you
You are not using PGP encryption
You are not storing your calendar and contacts on these services
You are not using a custom domain (if that matters)
When some agency requests your mailbox contents, Proton and Tuta can say, we can’t access the mailbox, not because we don’t want to but because we actually can’t.
And Proton will also say, “do you have a warrant from Swiss courts because we are not obliged to obey other countries’ court orders.” And even if Swiss courts order Proton to provide mailbox access, they can’t do it. They can only provide information about the account, which is not encrypted. Like the subject of the emails or account recovery information if there is any.
It’s the same reason we use VPNs and alternate search engines–technical privacy isn’t possible, but better to trust your data with a company that claims not to misuse it than one that doesn’t.
Not realistic for most people’s threat model anyway. But even then, if the court has a valid order for Tuta or Proton to log any future unencrypted emails of a certain user, then they will comply. This would of course be possible because emails are not encrypted in transit.
You are still trusting Google and Microsoft either way:
Adding on to this, if you are emailing someone that has a Gmail or Outlook address, then your emails are already getting stored on Google and Microsoft’s servers and being scanned anyway
For me, it’s because it gives me fewer opportunities to tie myself to Google’s and Microsoft’s ecosystem. Can’t sign up for a website using the Google SSO button if I don’t have a Google account. Not storing all my docs on Google Drive as well, have to use Proton Drive or another service. (For the record, I do have a Google Account).
If I am sending an email to someone with their account being from Google or MS, chances are it isn’t something I truly care about leaking or being used.
Also, I just kinda hate Big Tech in general, might as well use everything I can that isn’t them
An argument could be if you are using their aliasing services, then it is one less party to trust with your emails. This is an especially strong argument for SimpleLogin users as well. Other than that, the reasons provided so far have been ideological (nothing wrong with that of course but I’m looking for technical ones).
For someone who does not have anyone to send or receive encrypted emails with, but wants a private/encrypted inbox away from Google et al, is there any alternative to Tuta and Proton? One that offers more storage space for free?
What’s wrong with just wanting to use a trustworthy email provider?
I understand most of my emails will not be E2EE because of the reasons mentioned but I still prefer to support providers with values that match up to mine.
At least for me, I am integrated in the Proton ecosystem so I am obviously trusting Proton with more than just email but even if I was not…
I can still control how I send my emails. Pretty much anything I send goes through an alias first. Google is welcome to have that info. I am fortunate enough to not have to send information I don’t trust a third party with through email, so this issue of trusting another party is moot.
So you agree with me, whether someone uses Proton, Tuta or something else, it wouldn’t make a difference and ultimately doesn’t matter in the context of unencrypted emails.
Hi, I just made an account to comment on it if you’ll allow me to chime in:
First of all there is a point to using Tuta or Proton. Both offer great privacy when it comes to emails as always.
Here’s exactly what I want to chime in on:
Everyone, yes, if you’re not sending a password protected email to that other email server (e.g. Tuta to Gmail or Proton to Gmail) you’re trusting that party with your content anyway. Same with any email that doesn’t operate as what Tuta and Proton are doing (could be a company or law firm email server, cock.li [hopefully it recovers], Microsoft etc.).
As I said above, but let’s go to the opposite, if you’re sending password protected emails those are encrypted and the third party in that case will have no idea about the content of the email being sent.
The one thing you can’t control is emails being sent from that third party to you (e.g. Gmail to Tuta) but that’s a responsibility of that user who sent you that email, and how do you go about responding. That’s why encouraging someone you know to these alternatives to use them if they can or let them know about password protected emails and to only use that communication when you first meet them if you can talk with it elsewhere real life or messaging app like e.g. Signal.
Obviously E2EE is a massive benefit of both Proton and Tuta and is a valid use case. However, the question specifically assumed you will not be sending or receiving E2EE emails at all which frankly, is the case for most people.
Thank you. Yes then as I said you’re essentially trusting that third party with the content that’s in the email. Of course unless you both use PGP which while it will encrypt the content, for its limitations and you’re still leaving metadata regardless but PGP encryption with each party could be better than if the content was stored in plain text onto the servers.
First and foremost, it depends on the threat model. Do you only care about big tech tracking or also about hackers? Because by using Proton, your plain text emails can’t be leaked by Proton.
By using a privacy-focused e-mail provider, I think it is harder for Gmail to build a profile of you, your interests and contacts. Because they would usually just use your account’s activity to track you. This is the easiest way. There is less probability imo that they want that hard to track you and that it is worth it to track you by building a virtual profile of you.
On the other hand, I think that Facebook does it (they track and build a profile of non-users) so maybe Google does it too.
But at least, they can’t just tap in one central account with all the data, which is a reliable method to ruin your privacy.
It is just not only about the content of your communications. Using Proton also implies you probably have little activity that can be linked to one account. You do not need to log in to Google every day. They probably could tie all the information they collect on most websites (analytics, doubleclick, …) to one ID, but it would be less personal (no account information [phone number, no name, date of birth, …]). I think that with a VPN and a good browser, your activity is much less likely to be tied to one profile.