
Tuta Mail

Some concerns
Tuta · 🇩🇪 Germany
Technical details
App: de.tutao.tutanota
Manufacturer: Tuta GmbH

The bottom line

A German court ordered Tuta to build a surveillance backdoor for a specific mailbox. Germany's highest court upheld it. Tuta had to comply — they can be forced to monitor your unencrypted incoming email. E2EE between Tuta users wasn't broken, but the precedent is set. Tuta's app is open source — you can read every line. But their servers aren't. A Canadian intelligence officer alleged in court that Tuta could be a honeypot. Tuta denied it. But you can't verify what runs on their servers, so you're taking their word for it.

Legal jurisdiction
🇩🇪 Germany (headquarters)
GDPR (BfDI + 16 state DPAs)
You can demand deletion, access, and portability. Germany has 17 enforcement bodies and some of the strictest consent rules in the EU.
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 1/4 LOW (Who gets my data?)
Security: 2/4 MODERATE (Is it actually secure?)
Honesty: 2/4 MODERATE (Can I trust what they say?)
ACCEPTABLE Moderate concerns. Standard privacy hygiene applies.
4 contradictions: 0 critical, 1 high, 2 medium
4 sources
Findings by concern
Spying 2/4 MODERATE 1 finding
⚡ HIGH: firmware analysis vs regulatory findings
A German court ordered Tuta to build a surveillance backdoor for a specific mailbox. Germany's highest court upheld it. Tuta had to comply — they can be forced to monitor your unencrypted incoming email. E2EE between Tuta users wasn't broken, but the precedent is set.

What they claim: Tuta positions itself as the most private email provider with end-to-end encryption

What we found: In 2020, a German court ordered Tuta to implement monitoring capability for a specific mailbox. The 2021 BGH (Federal Court of Justice) ruling upheld this. Tuta was legally compelled to build a surveillance backdoor for unencrypted incoming email on targeted accounts. While E2EE email between Tuta users was not affected, the court order proves that German law can compel backdoor access.

Security 2/4 MODERATE 2 findings
⚫ MEDIUM: firmware analysis vs app permissions
Tuta has had several security vulnerabilities, including one in 2022 where a crafted email could execute code on your computer. All were fixed, but for a product whose entire pitch is security, getting hacked via email is exactly what they're supposed to prevent.

What they claim: Tuta encrypts email subject lines — unique among major E2EE email providers

What we found: Tuta has had multiple XSS and HTML injection vulnerabilities (CVE-2024-23655, 2023 HTML injection, 2022 XSS+RCE found by SonarSource). While all were patched, the pattern of web-based vulnerabilities is notable for a security-focused product. The 2022 RCE meant an attacker could execute code on your machine via a crafted email.

✔️ LOW: firmware analysis vs regulatory findings
Tuta fights three-quarters of government requests — far more than Proton or any Big Tech company. But German law still forces them to hand over unencrypted email when ordered. A proposed Right to Encryption law would help, but it hasn't passed yet.

What they claim: Tuta fights 75% of government data requests — far higher than any competitor

What we found: Tuta's transparency report shows they reject the majority of requests and maintain a warrant canary. However, when they do comply, they can provide non-E2EE inbound email content (per the court order) and account metadata. German law (TKG) classifies email as a telecoms service with corresponding obligations. The draft German Right to Encryption bill would strengthen protections but has not yet passed.

Honesty 2/4 MODERATE 1 finding
⚫ MEDIUM: policy claims vs firmware analysis
Tuta's app is open source — you can read every line. But their servers aren't. A Canadian intelligence officer alleged in court that Tuta could be a honeypot. Tuta denied it. But you can't verify what runs on their servers, so you're taking their word for it.

What they claim: Tuta claims fully open-source transparency

What we found: Tuta's client code is open source and auditable. However, the server-side code is NOT open source. In 2023, a Canadian intelligence officer (Cameron Ortis) alleged in court testimony that Tuta could be a 'honeypot.' Tuta denied this. While the allegation is unsubstantiated, the closed server code means users cannot independently verify what happens on Tuta's servers.
