October 28, 2015

Matthias Pfau: Tutanota and the Battle Against Mass Surveillance

Matthias Pfau is co-founder and developer of the encrypted email service Tutanota. Tutanota is part of what can be considered a post-Snowden development movement that aims to short-circuit government mass surveillance capabilities. I spoke to Matthias to discuss his project and where he believes that the battle between privacy advocates and governments is heading.

John Little: So how is Tutanota doing? How is it being received? Do you think the project will be sustainable from a financial standpoint?

Matthias Pfau: Very good. We are experiencing massively increasing sign-up rates with thousands of new users coming in daily. I think people value most that their entire mailbox is encrypted and that we truly have no access. We plan to build upon this by adding features like an encrypted calendar and other groupware functions in the future. We have a lot on our list, and we would like to develop much faster, but we keep our budget tight. The upside: Tutanota already is sustainable. We released our first Premium features with custom domain support three months ago. Many of our existing users switched to Premium immediately so that we have reached break-even.

What excites us the most is that many of our users simply upgrade because they WANT to pay for a secure service that respects their privacy without really needing the offered Premium features. That proves that people are realizing how harmful it is that companies and other third parties spy on their data. We believe that this is the start of a trend and that more and more people will make the switch away from the Googles of the world soon.

John Little: A number of other encrypted email services have been rushed into service recently. ProtonMail is a good example. How does Tutanota plan to differentiate itself in this emerging market? And will the market still exist if the massive players like Google move to more secure models?

Matthias Pfau: We believe that there are not too many encrypted services, but too few. The more services there are, the more people discuss these options and become aware of the fact that it has become very, very easy to keep their data private. What we can say about Tutanota is this: We encrypt the entire email – subject, body, attachments – automatically. We encrypt all your data stored in Tutanota, even your contacts. We have built a scalable encryption solution that we can easily transfer to future additions like an encrypted calendar or encrypted cloud storage. It took us about three years to lay a solid foundation (server structure, encryption method, flexibility to change encryption algorithms when needed) for Tutanota so that we are well prepared for the future. We also have an up-time higher than 99.99 percent so that Tutanota is always available.

Plus Tutanota is a true open source project (GitHub). You can build and run Tutanota locally if you want to be more independent from us.

We don’t think that Google is a threat to Tutanota. Their business model relies on the fact that they can search their users’ data and post targeted ads. The security options Google implements will continue to be add-ons only. In contrast to that, encryption is the default in Tutanota.

John Little: One challenge users face at the moment is fragmentation. We can send encrypted communications to other users on the same platform but not between platforms in many cases. Is this something that Tutanota is working on? Are you actively discussing this with other companies and developers?

Matthias Pfau: You are completely right, this is definitely an issue we need to tackle. We would like to make Tutanota interoperable with other services. We’ve been in contact with Openmailbox and know that they are open to the idea. However, we want to focus on developing more features for our users first. In addition, people on Tutanota can send end-to-end encrypted emails to anybody when they exchange a password. And many of our users do this as we can see from the encryption rate: To date already 37% of emails sent from Tutanota are end-to-end encrypted. This is a great success as it makes mass surveillance very, very hard, if not impossible.

John Little: The hacker community is diverse but Edward Snowden’s revelations seemed to have an impact on a significant percentage of the hackers I know. The reaction was an almost universal shift away from cooperation or sympathy with governments in places where there had been some success in getting the two camps to better understand each other. What’s your sense of where the community stands now?

Matthias Pfau: We are not in direct contact with the community so we can’t really say. What we see in politics, however, is that politicians tend to act against the common opinion of IT security experts when it comes to the internet. One of the best examples is data retention: Even many IT experts and criminal investigators state that data retention does not help to prevent terrorist attacks. Nevertheless, politicians around the world resort to this method to prove to their voters that they do everything they can to increase security. In fact, this is just a big show that every tech-savvy person sees through; thus, they feel appalled by politicians and their actions against their citizens’ rights.

John Little: Let me clarify a bit because I did not intend to imply maliciousness with the term “hacker.” Stepping back away from this specific battle alone (although it is obviously the most extreme point of tension) how do you think governments who absolutely need the skills of developers, cryptographers, and security experts restore some of the goodwill that has been lost over privacy issues?

Matthias Pfau: We did not understand your questions to imply maliciousness. Governments in many cases seem not to understand how to make the Internet more secure, but rather rely on mass surveillance tactics. In my opinion they can only restore the goodwill of the community – not just hackers, but all privacy advocates – if they get proper consultation from Internet activists such as the EFF or in Germany netzpolitik.org. As long as they tend to work against these groups instead of listening to their advice, the prospects for Internet laws are very bad.

John Little: We’ve seen fundamental changes in the public’s understanding of security in the past few years but there is still a long way to go. Do you think that we are moving towards ubiquitous encryption? Five or ten years from now will we see platforms or apps succeeding without it?

Matthias Pfau: At least that is what we are trying to achieve! We, as tech companies, have to make encryption so easy and running so smoothly in the background that the consumer has no reason anymore to use non-encrypted services. Given the extent of surveillance done by Secret Services and marketing companies around the world, this is our only chance. Without self-protection, all our secrets including health issues, family problems, drinking habits and so on will become publicly accessible soon. This is not the kind of world I dream of for my children.

John Little: States have immense capabilities and they have directed significant resources at intercepting encrypted communications. It’s what intelligence agencies do – and always have done. How do you see this battle playing out from a technical perspective? Could consumer level encryption eventually leave even the most sophisticated agencies in the dark? Could large governments essentially render consumer encryption models irrelevant (as some would argue that they have done already)? Or does the situation continue to remain murky as advantages shift slightly back and forth?

Matthias Pfau: The more people use encryption, the harder it gets for governments to monitor the Internet. This also makes mass surveillance as it is currently done impossible. Governments can still try to monitor individuals with targeted attacks. We have to be honest here: Encryption does not protect someone when he is committing crimes. But that’s not the point. The point is that illegal surveillance of everybody’s data becomes impossible and that is well-achievable with encryption technologies such as Tutanota.

John Little: Do you get the sense that governments are starting to come around to the idea that strong consumer encryption, encryption free of backdoors or other weaknesses, is an inevitable necessity? Do you get the sense that you’re winning?

Matthias Pfau: That’s hard to tell. Of course we would wish for such a move, but politics is hard to predict. We do, however, see that governments themselves increasingly understand that they need strong encryption that is easy to use. The more politicians understand that encryption is to their own benefit, the more likely it gets that they will also consider it to be valuable for all their citizens. So, let us say, we are hopeful!