FOSS, Privacy, and Innovation: Meet Tuta Mail

Tuta Mail is one of the privacy-preserving software projects with a big potential impact. In this interview with Tuta, we explore the transformative role of Free and Open Source Software (FOSS) in both the business realm and its broader social and economic impacts. This discussion aims to shed light on how open-source projects like Tuta are pioneering privacy-focused solutions, challenging conventional business models, and contributing to technological innovation and community empowerment.

It is a pleasure to meet Hanna Bozakov, Head of Marketing & Press Officer at Tuta Mail.

Hi, Hanna, and thank you for this interview. Would you start with a few words about how and when you started your journey at Tuta?

I started at Tuta – called Tutanota back then – when it first launched in 2014. That’s already ten years ago, and it has been an amazing journey! During that time we’ve grown from 4 to more than 25 people on the Tuta Team and from 0 to more than 10 million users of our secure email service, Tuta Mail.

Can you share the journey and motivation behind Tuta’s commitment to privacy and open-source principles? And what are the benefits for Tuta in using FOSS?

At Tuta we do not simply build a secure email and calendar service; we see ourselves as freedom fighters. We believe that everyone has the right to privacy and we want to defend against growing surveillance tendencies online, by governments but also by big tech services. We achieve our goals through built-in and easy-to-use encryption.

Being open source is an integral part of this: only code that can be reviewed by peers can be considered truly secure. With closed-source code no one would be able to know whether a backdoor was hidden in the code.

We love the open source community. At Tuta we use a lot of other open source projects to build our encrypted service, and we also give back to the community by donating Tuta Mail to open source developers.

What are the biggest challenges in developing your own push notification system to replace Google’s FCM, and how did you overcome them?

Building our own push notification system was a huge challenge – but also one that was very dear to us. We wanted to offer our app via F-Droid (our favorite app store on Android), and this is possible only if you do not use any Google services, which also includes Google Push. Getting rid of Google Push is really difficult because Google doesn’t want you to. For instance, Google’s integrated battery optimization kills other notification services, so people using the Tuta Android app must disable Google battery optimization for our app to receive push notifications instantly and reliably.

We had to get rid of Google Push in Tuta because Google and Apple monitor all push notifications – and we achieved this in 2020. This was an incredible success and our developers are proud of this achievement to this day, as not many services – not even secure ones – take this extra step to protect the privacy of their users.

How does Tuta manage to balance user convenience with strict privacy standards in app development and service provision? Can you tell us more about what seems a win-win situation?

It is a clear win-win: user convenience and strict privacy standards in all our apps are closely interlinked. We are developing an end-to-end encrypted service that lets you send encrypted email messages easily, store and share your encrypted calendars, and secure all your contacts in our app, which can be synced to your phone with a few taps. We must make sure that our encrypted service is as easy to use as a not-encrypted service. Our service comes with the same features – and still protects the user’s privacy to the maximum. While this is often a challenge in development, it pays off in quality. We cannot take any short-cuts when developing because we need to make sure that everything works smoothly without leaking any data to third parties.

Because of this we have achieved a very high standard within our apps, and people honor our effort and commitment to privacy when rating our apps: all of them have a 4+ rating. This makes us a bit proud and motivates our team to continuously strive for the best!

How does Tuta’s approach to minimal data retention and user privacy compare with the broader industry trends? What is Tuta’s “recipe” to achieve that?

We do see the trend to collect more and more data by big tech companies as an immense threat to people’s privacy and an intrusion into their personal lives. Why should a huge corporation that offers email or file storage services have full access to users’ content and use the data for personalized ads or to train their AI systems? Instead, we call on a ban for targeted ads. At Tuta, we do not want to collect personal data on our users. To the contrary, we encrypt everything by default so that only the user can access their data.

We hope that more and more people understand the value of their data and switch to services like Tuta that respect their right to privacy and keep the data ownership fully with the user – not with the service.

In addition to our own stance on privacy rights, we are in the fortunate position that Germany has some of the best privacy laws in the world. Thus it is easy for us to keep as little data as possible from our users – and be as transparent about it as possible; because transparency plays a huge part when offering a private and secure service like Tuta Mail. There is no data retention for email in Germany, which is not the case in Switzerland – a country that is often perceived as having good privacy laws while the Swiss themselves tend to disagree.

Thinking ahead, #1: With the increasing threat of quantum computing to encryption, what steps is Tuta taking to ensure future-proof security for its users?

As quantum computers are rising on the horizon, we need to upgrade to post-quantum cryptography now! That’s why we have started a research project – PQMail – years ago, and we now have a working prototype that is capable of sending and receiving messages encrypted with a hybrid protocol: standard, proven algorithms (AES & RSA) in combination with quantum-resistant algorithms. This is a huge success, and we are eager to publish this major security upgrade to our millions of users. Stay tuned, as we are working hard to make this a reality!

Thinking ahead, #2: What are Tuta’s future plans for enhancing secure communication in the face of evolving digital threats?

In addition to future-proofing our encryption protocol, we also plan to add more services to Tuta. Right now we are optimizing our email and calendar apps in terms of usability and features. Next up, we also want to build an encrypted cloud storage and file sharing solution so that people can also store and share large files with post-quantum secure encryption.

How does Tuta navigate the challenges of maintaining user privacy while ensuring compliance with global data protection regulations?

Being compliant with data protection regulation is pretty easy for us: Because we focus on protecting our users’ privacy, we are usually one step ahead of legal requirements. We protect our users’ data much better than most services—even better than required by the EU GDPR—because privacy is in our DNA!

FOSS wouldn’t exist without its communities.Can you discuss the role of community feedback in Tuta’s development process and how it shapes your privacy tools?

Our community is very special to us. From the start our users’ feedback has influenced our development decisions – and do so to this day. We love to interact with our users on GitHub, through social media, or via email when they write to our support team. It’s important to get first-hand feedback in order not to be limited to your techy-FOSS bubble. While we are open source and privacy advocates, we also must comply with people’s feature requests, like getting notifications on Android even when they do not use Google Push. When we implemented our Google Push alternative, in part it sprang from our own commitment to free people from using any Google services with Tuta, but in part it was also the FOSS community demanding this change.

In what ways does Tuta envision contributing to the broader FOSS ecosystem in the coming years?

We contribute to the FOSS ecosystem indirectly – by offering Tuta Mail for free to open source projects – and directly by building a communication app with quantum-resistant cryptography that is fully published as open source under the GPLv3. Everyone will be able to view and inspect the code, but also use the code for their own open source projects. We love how the community works together, helps each other, and builds upon each other’s ideas to make the web as whole a better place!

We are thrilled to be part of this community, and hope to welcome lots of open source developers to our team in the years to come! If you’d like to work on our project, please check out https://tuta.com/jobs.