Championing Privacy Online: A Deep Dive with Tuta

"If encryption is broken, our society as a whole is at an immense risk."

Esra'a Al Shafei

The value and significance of privacy in today’s world cannot be overstated. The amount of personal data we generate on a daily basis is staggering. Every action we take on a product that neglects or undermines our privacy can reveal intimate details about our habits, behaviors, preferences and personal lives - information that can be easily weaponized against us.

This is where the importance of tools and platforms that prioritize user privacy comes into play. Tuta is amongst the companies building a better web with a strong and deeply committed privacy-first approach, offering not just an end-to-end encrypted email and calendar service, but also endless resources and advocacy campaigns to protect privacy rights and encryption worldwide.

These efforts and products are essential in shaping a new landscape where users can communicate and collaborate without fear of surveillance or data collection tactics that infringe on our rights. Many companies today treat our data as a commodity, rather than the most valuable asset that belongs to us. It underlines the need for a world where the pursuit of privacy isn't a constant battle, but rather an intrinsic part of our daily web experiences.

We’re excited to learn more about Tuta’s longtime and tireless privacy advocacy in this interview with Hanna Bozakov, Tuta's press officer, who passionately notes:

"Every one of us has the right to express any idea freely, or to keep it secret. That’s how we’ve managed to build our democratic societies. As a citizen of a free democracy it is my obligation to protect my private information. Encryption is the only available key to keep my messages secret."

A deep dive with the Tuta team

Team Tuta hearts privacy!

Tuta has been a vocal advocate for privacy and encryption. Can you elaborate on the core beliefs and principles that drive your commitment to privacy?

At Tuta we are not simply providing a secure email and calendar service, we see ourselves as freedom fighters: We fight for the human right to privacy, and encryption is an integral part of that. Without encryption, privacy online is not possible. However, we see a lot of backlash from politicians who want to undermine encryption for prosecuting criminals. The framing goes: We need to break encryption to monitor terrorists and/or child abusers to keep all citizens safe.

But this is wrong: If encryption is broken, our society as a whole is at an immense risk. In our view, a backdoor to encryption must never exist. The right to privacy and free speech are being undermined with policies against encryption; in the end this development will lead to mass surveillance and destroy everything we stand for in our democracies. That's why we have decided to not only fight global surveillance tendencies with technology - i.e. our encrypted email service - but also with becoming politically active and making our voice heard in the ongoing fight for privacy.

Why is advocacy and educating others about privacy important to Tuta, rather than just running the services?

Both are interlinked: Tuta Mail can not exist in its current form without strong end-to-end encryption. Thus we must fight for our right to privacy and make sure that citizens, but also politicians understand that privacy online must not be abolished.

As Germans we also understand the threat that general mass surveillance brings with it: In Eastern Germany (the GDR) many Germans had to live in an oppressive system where free speech was not possible and general surveillance was a daily occurrence. We must make sure that such a system is never established again, and fighting for our right to privacy online is very important to achieve that.

What are some of the most recent campaigns you've been involved in?

There's been so many, that's a very good question! 😄 Most recently, we called on EU member states to defend strong encryption in the light of the EU Commission's Child Sexual Abuse Regulation (CSAR), which proposes to scan every message of EU citizens for abuse material. Last year, the EU Parliament already positioned itself against such client-side scanning - a huge success for privacy advocates in Europe. Now we are calling on EU Member states to position themselves in this battle of privacy vs surveillance. We call on our ministers to uphold citizens' right to privacy and defend strong encryption.

We also see a threat in the UK Online Safety Bill to undermine encryption and tried to lobby against this dangerous bill. However, this law has already passed, but the fight continues, and we give feedback to Ofcom who is currently refining the rules under which conditions communication providers must scan data to make sure that encryption is not being undermined.

But we are also active in other policy issues: we are calling on politicians to ban targeted ads to make sure big tech starts respecting people's right to privacy. Most recently, Apple was forced to allow side-loading of apps by the European Digital Markets Act (DMA) - but came up with a new policy that is so bad for developers that no company that wants to do business on iOS is able to switch to the new policy proposed by Apple. Thus, we call on the EU Commission to review Apple's new policy closely and see it for what it is: malicious compliance. Because app sideloading will remain impossible on your iPhone even when the DMA comes into power in March.

Can you share examples of where you believe your advocacy has influenced policy in favor of privacy?

The EU chat control bill - Child Sexual Abuse Regulation (CSAR) - is a very good example. Here we see a positive development in that after constant push from privacy advocates, the European Parliament has clearly positioned itself against the proposal and in favor of strong encryption. EU member states are also undecided so the likeliness of this bill being passed decreases as we speak. This is a huge success for Europe and our right to privacy!

In case you missed it: Earlier this month, The European Court of Human Rights ruled that end-to-end encryption is essential to privacy within digital systems and weakening it violates human rights. [Read more.]

Looking forward, what do you see as the most significant challenges to privacy and encryption? How is Tuta preparing to address these challenges?

The challenges have been there since we launched Tutanota ten years ago - and they are unchanged. It is tiresome to fight the same fight over and over again, but if we want to uphold our democratic values, free speech and the right to privacy, we must keep fighting this fight. And we will!

What has changed for the end users, however, is that Big Tech has become a major threat when it comes to protecting one's privacy rights. Corporations like Google and Meta, but also Apple, hold more data of their users than ever before. It has become a huge challenge for people to keep their data private; and that's where we want to offer an alternative.

Another huge challenge is the rise of quantum computers. We are already preparing for this by implementing post-quantum cryptography to defend against future attacks by quantum computers and also protect from the risk of "harvest now, decrypt later". At the moment everyone is talking about AI - but rest assured in a matter of five years everyone will be talking about quantum computers and how they can break all asymmetric encryption used today. That's why we need to prepare now - to future-proof the security in Tuta.

How does Tuta respond to governmental or legal pressures that could potentially compromise user privacy or the integrity of your services?

At Tuta we operate under German law - which is great as Germany has some of the best data protection laws in the world. The European General Data Protection Regulation (GDPR) was based on a similar German law, and it makes sure that data of EU citizens is properly secured and is not being shared with others. In addition, in Germany there is no data retention for email, data requests by the authorities must always go through the hands of a German judge and a valid court order needs to be issued. This makes sure that there is no warrantless mass surveillance, and that only data of targeted criminals can be requested by the authorities. If we do receive a court order, we always check its validity and hand out the data requested, which we also publish in our Transparency Report. We can hand out only very little data as most data in Tuta is secured with end-to-end encryption, and only the user can decrypt this data.

Transparency is very important to us: we do state clearly what data we have, and what data we can hand out under what circumstances. At Tuta Mail, we promise maximum security and privacy and being transparent is an inherent part of this.

We hope that more people understand the importance of privacy and will switch to services that respect them and their data!

Shared Mission

At XMTP Labs, we love to collaborate with, work alongside and learn from developers, companies, and communities who share our vision for a privacy-centric future.

We’re cheering on companies and products like Tuta with demonstrated impact towards a world where communication is inherently private.
