What is the point of using Tutamail and Proton mail?

I absolutely agree that it’s a collective responsibility. The thing is, there are a lot of collective responsibilities that one can spend their time, energy, and social capital on: climate change, animal welfare, political transformations, etc.

Even within just the privacy space one might spend their time, energy, and social capital switching others to E2EE messengers like Signal, promoting private options for cloud sharing between friends/family, or asking others not to surveil them with smarthome devices.

That’s the point: life is complex, we all have many priorities, and there isn’t enough time or energy in a lifetime to get to everything that’s a worthy cause.

4 Likes

I like that you acknowledge the many demands on our social capital, and when you get right down to it, if everything is the “greatest crisis of our time,” then nothing is. Fair point.

However, what I choose not to agree with is the notion that we can allow conversations of “why bother?” to continue proliferating. The OP asked for reasons, the reasons were given to them, and yet they still doubled down on the indifference. My response was not about adoption and advocacy; it was about collective indifference, and that it’s high time we changed the narrative on how we allow such indifference to fester under the guise of “privacy is a personal choice,” because most privacy accelerationists believe that ship sailed when one’s indifference endangers others. The right to be lazy and contemplative, telling yourself the lie that it’s all too hectic and we’ve got too much on our plate, is no longer an excuse because you can’t claim such things while engaging with external stimuli. Adjusting the way we think isn’t a time commitment; it’s a choice.

Let’s leave it there perhaps? I do appreciate your responses.

1 Like

Your opinions are all good. But they are only true from your own perspective, from your own community. So your community is different from mine.

Even IT pros rarely use PGP. Just look at how many people use PGP email to reach you.

Even with ProtonMail/Tuta, how many people encrypt their emails when sending to non-ProtonMail/Tuta users?

You’re right, but only if you’re assuming email CAN be made private, and that’s never going to be true.

Using a privacy-focused service provides a critical part of a multi-layered defense against many things.

Block Beacon Attacks
These are invisible pixel-sized images or links used for marketing that are automatically opened when email is downloaded. In other words, before you open the email. These get your geolocation using a reverse IP lookup.

Solutions: Use a VPN or your carrier’s data network or a privacy-oriented email client like Thunderbird on the desktop and K-9 Mail for Android. Also set your clients not to auto-download remote images.

Resist BigTech Relationship Mapping

Solutions: Use a Gmail address for all Google-related maintenance & app logins and for nonsense sites, but don’t include your real name, phone# or physical address in it, and make sure it’s an email address that isn’t in your contact lists. Or use a paid email provider and don’t give that address to anyone, including your real contacts.

Don’t Feed BigTech Profilers
Email left on the server is scanned for keywords.

Solutions: Use POP3, not IMAP, to auto-delete server-side email when you download it. Set up an auto-purge on the ISP’s inbox and trash.

Prevent IP Leak on Send
Email headers contain your IP address. These are used for geolocation via reverse IP lookup.

Solution: use a VPN or your mobile carrier’s data network or StarLink.

## Email Forwarding services

Forwarding / aliasing services such as SimpleLogin and Anon.io solve multiple problems.

Help determine where a breach occurred. Remediation differs if it’s a newsletter or a bank, for instance…

Facilitates the immediate shut off of spam and phishing attempts by simply deleting the address.

Makes credential stuffing much more difficult. On sites that force you to use an email address as your user ID, a bad actor only has to figure out what your password is, and if you used the same one in multiple places, you’re burnt.

There are sites that search the net to find all the places where your email has been used.

Make it harder for data brokers and advertisers to link accounts and track activity.

Some sites make it difficult or impossible to unsubscribe so just disable the alias instead.

While you’re right that unless you’re using PGP or emailing someone on the same platform, emails aren’t fully encrypted, privacy-focused providers like ProtonMail and Tutanota still offer key benefits:

  1. No data mining: Unlike Gmail or Outlook, these services don’t scan your emails for ads or sell your data to third parties. You get better privacy overall.
  2. Reduced data breach risk: ProtonMail and Tutanota are less likely to be involved in data breaches compared to big tech providers, which are frequent targets due to their large user bases.
  3. More control over your data: You’re not giving control of your personal data to Google or Microsoft. These services prioritize security and user privacy, with features like 2FA and encrypted storage.

So even if full end-to-end encryption isn’t possible, you still get a stronger privacy shield and security than with Gmail or Outlook. It’s not perfect, but it’s a step in the right direction.

1 Like

You make some valid points but there are clear advantages to using Tuta & Proton.

1) They both allow you to send E2EE emails to non Proton/Tuta users.

Most people may feel uncomfortable sending E2EE encrypted emails to non Proton/Tuta users because it might annoy them, but I do. If I have your phone number or can reach you from any other 2nd communication channel where I can send you the password, I’m encrypting my email. It’s a good way to teach people about privacy.

2) Most people I communicate with via email are not friends and family but businesses.

Most businesses have their own domains and do not use commercial Big Tech email addresses. Yes, I’ve encountered small businesses that do, and I don’t have a problem encrypting my email with a password, especially if it’s sensitive.

3) Proton and Tuta can be used powerfully with other privacy tools.

Sometimes, I find myself in situations when I cannot encrypt an email because I do not have a second communication channel to send the recipient the password.

What I do instead is send them a non-encrypted email, either from a Proton address or from an alias, in which I provide a Notesnook link to a note that contains the sensitive message. The Notesnook link is protected with a password that I provide in the email, but the link can only be opened once, after which it will expire.

Notesnook is an E2EE notes app, for those who don’t know.

1 Like

This narrative will never end.

Everyone follows their own path and solves their own challenges. Email is not designed to be safe; whether e2ee or not, it still has significant drawbacks (metadata, for example) as compared to other communication methods. Personally, I will balance everything, perhaps 4-6 today or 6-4 tomorrow, depending on the circumstances of the day.

I’ve returned to using the Google and Microsoft ecosystems, as well as some of their goods, however with different settings to decrease privacy risks. Because I know email is not safe, I use a few tiny providers that are enough to maintain seamless communication. Protonmail and Tutanota are not on my list. Of course, email aliases are essential (Duck, Addy, SimpleLogin used to exist, but I abandoned it due to several limitations).

I hope you quickly understand the genuine nature of scenarios and find your paths soon.

1 Like

Can I ask who you do use instead of those providers? And what influenced your choices?

I never trust services that promote themselves and disparage their competition. Look at how many blog posts they have. Read and digest them.

Choose the service that best meets your needs from this list. As I previously stated regarding email insecurity, I ignored the colors and scores; it’s great that I discovered the appropriate one.

Looks like this was last updated almost 5 years ago. Are you certain all of this information is accurate?

Last update: 2020-01-02

Personally, I still refer to.

You can refer, verify, pick, or ignore.

Good luck!

The point is that you would protect my emails, if we communicate by email in the future. This is probabilistic. The more people use privacy protecting email providers, the more likely it is that we are not going to be tracked based on our mailbox, even if they are not end-to-end encrypted.

1 Like

All email is received in plain text. First by the aliasing and then by the email provider. I’d rather trust one company (proton+SL) than two.
Same thing for network traffic: First by the DNS and then by the VPN provider. I prefer Proton for both.

Ethically, in this age where “Free” = “compromised privacy” I prefer to pay for the services I use but I realize not everyone can afford to.

1 Like

How often do you write an email?

It’s mostly for receiving stuff securely that you would use Proton/Tuta (storage).

There is no point besides casual use/dodging targeted advertising. Self host or die.

Are all of those private providers using E2EE?

Wow, I’m going to start doing this too. They want convenience then they can make a PGP key.

I see the offerings by Proton and Tuta as beneficial for

  • Encrypted data storage
  • Proton-to-PGP and Tuta-to-Tuta communications (though these may be subject to metadata surveillance)
  • Unencrypted emails

That’s about it.

Proton and Tuta store users’ emails encrypted, but

  • Incoming and outgoing emails can be scanned. I assume Proton and Tuta don’t do this unless compelled to.
  • Emails to email service providers like Google, Microsoft, Yahoo, etc. (the vast majority of email users) are most likely scanned by those companies, thus nullifying the encryption benefit. Not much point having my own emails encrypted when Gmail scans all emails I send to Gmail users.
  • The encryption is storage only. Emails in transit are unencrypted, which is the vast majority of emails.
  • Encryption being optional and not the default, encryption is difficult to use (compared to E2EE messaging apps), and there’s high likelihood of people forgetting to enable encryption or making stupid mistakes while handling encrypted emails.

1 Like

Email is encrypted in transit if the provider uses TLS or both so not true, and to my understanding both Microsoft and Google support TLS:

Proton does scan incoming email to check for spam, same with Tuta (outside of E2EE emails); it’s more a sacrifice for the greater good, but no, outgoing emails do not get involved here.
Encryption is enabled by default when the other uses the same provider; whether it’s on by default doesn’t matter. The side using PGP, that’s a different story, and you can enable it to be on by default anyways (Tuta, last I used it, actually had encryption on by default, which included password protected; if it wasn’t, it is possible to change it, and IIRC the same applies to Proton).
While it is true that sending from, say, Proton to Gmail and vice versa does eliminate the whole point of encryption, it’s why password-protected emails are set in place to address that.
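One way to check the transit-encryption question debated in the two posts above, as an added example that is not part of the original thread: a Python sketch that reads a message's `Received` headers and reports, hop by hop, whether the receiving server recorded a TLS-protected protocol keyword. The sample message, its hosts and the function names are constructed for illustration; it assumes servers that record the RFC 3848 `with` keywords.

```python
import email
import re
from email import policy

# "with" keywords that mark a hop as TLS-protected (registered by RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed message: hosts and addresses are documentation values.
# The newest Received header is on top, as mail servers prepend them.
SAMPLE = b"""\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.20])
\tby archive.legacy.example with ESMTP id 3; Mon, 6 Jan 2025 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id 2; Mon, 6 Jan 2025 10:00:02 +0000
Received: from laptop.home.example ([192.0.2.55])
\tby out.sender.example with ESMTPSA id 1; Mon, 6 Jan 2025 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: hello

body
"""

def _field(keyword, text):
    """Return the token that follows 'from', 'by' or 'with', if present."""
    match = re.search(r"\b%s (\S+)" % keyword, text)
    return match.group(1) if match else None

def hops(raw_bytes):
    """Return the relay hops oldest-first, each marked TLS or not."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    result = []
    for value in reversed(msg.get_all("Received", [])):
        text = str(value).split(";")[0]            # drop the timestamp
        text = re.sub(r"\([^()]*\)", " ", text)    # drop (comments)
        text = " ".join(text.split())              # unfold whitespace
        proto = (_field("with", text) or "").upper()
        result.append({"from": _field("from", text), "by": _field("by", text),
                       "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return result

def plaintext_hops(raw_bytes):
    """Hops where the Received header records no TLS on the connection."""
    return [hop for hop in hops(raw_bytes) if not hop["tls"]]
```

TLS here is per hop: every server in the chain still handles the message in plaintext, and `Received` lines written before the first server you trust can be forged, so treat the result as evidence about transport only.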

Password-protected emails are great when they work. The downsides are inconvenience and mistake-proneness.

For password-protected emails to be useful in the first place, you need to send the password to the intended recipient over a separate secure channel.

After the recipient accesses an encrypted email (not just password-protected ones but also PGP), they need to reply without exposing plaintext by mistake. I’ve had many experiences where people exposed plaintext of emails I sent to them.