Tutanota is safe from this? NSA
Most of your claims are plain wrong. No one else besides a very small set of our employees has access to the encrypted data stored on our servers. BND and other authorities never had access to our systems!
In fact, German privacy laws are way stricter than in many other countries. For example, Switzerland has a dedicated surveillance law, just as the UK...
Please read the following articles on our blog for further insights:
John Doe commented
I am very impressed by Tutanota and absolutely love it. It is so great! But it turns out there is a dark side. The privacy.
I am not so concerned with the NSA or GCHQ. They have security protocols in place and the wrong people will not see what they are not supposed to see. And actually these intelligence agencies are in democratic countries and there are normal people working there. Fact is, they can read it anyway.
The problem here is that the Bundesnachrichtendienst, the German intelligence service, has access to Tutanota, and they are corrupt, full of moles working for the Russian FSB. NSA and GCHQ save lives fighting terrorism, but BND was based on different ideals, now combining East German and former (present?) Nazi people.
I would expect the content of every mail I send in Tuta ends up in Russia. Personally, not a problem for me, I would never send anything confidential over email and you should not either.
Move your servers out of Germany if you are legit people defending freedom of speech.
I know you, the founders of Tuta, are Germans, you do a great job and I admire that, but this really is the time to move on. You could relocate to Switzerland, Norway, Finland or Iceland; even the UK with GCHQ would be better than Germany.
Being open source makes it even easier for the NSA to place a backdoor within. It's already been done, just as ProtonMail has been penetrated. Keep in mind, email, whether it's encrypted or not, is inherently weak and the NSA plus others, nation-sponsored, have been inside.
Most likely nothing is safe from the NSA, but everything that is encrypted is harder for them to just grab and spy on. "Wir haben es nicht gewusst" ("We didn't know") is the lamest reaction since 1945. We all know that they probably knew it, and saying that they didn't know just makes them look stupid and ignorant. So those politicians should never ever get a vote for the rest of their lives; they are not worth spending anyone's tax money on. It's the ignorance of those very people that puts our privacy at risk. This problem is hard to fight as long as bureaucrats make decisions that need an engineer's mind to make sense of. The pencil pushers just don't have a clue what their decisions actually mean. And 4 years later they just say: "Wir haben es nicht gewusst".
Back to square one...
And another thing you could ask is this: how safe is it for those kids to play soccer right next to those microwave antennas? :-)
Any non-encrypted mail is at risk. Always and anywhere, not only in Tutanota. E-mail is an inherently insecure means of communication. No matter how honest or capable Tutanota is, unencrypted emails can and will be intercepted while in transit.
Encrypted messages, on the other hand, seem to be very secure, unless the NSA is specifically targeting you for a high-profile case, in which case probably nothing can protect you; they'll find a weaker link in the chain (keylogger, intercepted antivirus data, confiscated computer, etc.).
While not strictly related to your question, I do trust that Tutanota will not sell your information, even if sent unencrypted, that in itself is a great advantage over GMail and the like.
German privacy laws are very strict. We do not log IP addresses or hand out any user data. A German court warrant needs to be issued before officials can ask for data. On our servers, we only keep metadata (from, to, date) unencrypted. All other data is encrypted with the user's password and cannot be accessed by us.
Colin Arnott commented
It seems like this article is describing interactions between the NSA and German governmental institutions, so tutao is likely not colluding with the NSA. Furthermore, as their client code is open source, it is possible to verify that, even if they were colluding, any encrypted communications on their servers are protected. This is the beauty of good crypto and open-source code: we do not need to trust tutao.
Note: if they were colluding, it would mean that any non-encrypted mail would be at risk; however, it does not seem like this is a tangible risk based on tutao's mission statement.