ProtonMail vs. Tutanota: Which is the safest email provider?
When it comes to secure, private email services, two big names stand out: ProtonMail and Tutanota. Both services offer a free account so you can try them out, but what makes each one different?
What makes ProtonMail and Tutanota different?
ProtonMail and Tutanota are two secure email providers that emphasize security and privacy above all. This includes end-to-end encryption support that makes your mail almost impossible to monitor, protecting your privacy by not keeping logs or requiring your personal information when registering, and providing secure methods of communicating with people who use "regular" email providers such as Gmail or Outlook.
This increased security comes at the expense of convenience and features. You may need to use a dedicated mobile application to access your messages, for example (as opposed to your smartphone's default mail application). With Gmail, Google Assistant can help display relevant information by scanning the contents of your Gmail inbox, but secure email services cannot do this because your data is encrypted.
Since secure email is a niche feature, free accounts are not as generous as those Google and Microsoft offer (ProtonMail offers 500MB compared to Tutanota's 1GB).
Both providers support advanced encryption
Of course, ProtonMail and Tutanota support basic Transport Layer Security (TLS), which is used by all major email providers. This provides a basic level of security between the computer or smartphone and the server that is responsible for storing and sending email.
Additionally, the contents of your inbox are stored end-to-end encrypted on the server, which means that you are the only one who can read them. In the event of a data breach, your data would be almost useless because it is encrypted with a key that (for now) will take an eternity to break. This is something that Gmail, Outlook.com and standard email services do not offer.
Both ProtonMail and Tutanota support easy end-to-end encryption between users of the same service. If you send an email from your ProtonMail account to another user of the same service, it will be automatically locked and signed with a key that only the recipient has. You do not need to configure anything else when communicating with someone using the same service. Apart from this, ProtonMail also supports PGP.
Pretty Good Privacy (PGP) is an additional level of security for sending email to almost any email address in encrypted form. Messages are locked with the recipient's public key and can then be decrypted with a private key known only to the recipient. With ProtonMail, this can be configured to work "automatically" with defined contacts, taking care of the encryption / decryption process for you.
Tutanota does not explicitly support PGP, although you can encrypt and decrypt your email manually if you wish.
Both allow secure messaging with third party email providers
If you can't convince your contacts to switch to a secure email provider or adopt PGP, both ProtonMail and Tutanota have you covered. Each provider has the option to send an encrypted message to any email address. The process is almost identical for both:
- Compose an email and select password protection, then press send.
- The recipient receives a notification of a new message, but the message does not appear in the "body" of the email.
- Instead, the email contains a link to the ProtonMail or Tutanota servers with a password field.
- The recipient enters the password in the field and reads the message.
This works almost identically between the two providers, except that Tutanota encrypts both the message body and the subject line, while ProtonMail only encrypts the body of the messages. This is not a huge risk with ProtonMail; just make sure the subject lines do not contain sensitive information.
Messages sent this way via ProtonMail expire in 28 days or less (with the option to set less time), while Tutanota messages are only available until another email is sent to the same recipient.
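The flow described above can be modelled in a few lines of Node.js. This is an added example, not code from either provider and not their actual scheme: the function names, the choice of scrypt and AES-256-GCM, and the sample message are all assumptions made for illustration.

```javascript
// Added illustration: a simplified model of a password-protected message.
// Not ProtonMail's or Tutanota's real scheme; all names are hypothetical.
const crypto = require('node:crypto');

// Derive a 256-bit key from the shared password with scrypt (memory-hard KDF).
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Encrypt one field with AES-256-GCM under a fresh random nonce.
function sealField(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

function openField(key, { nonce, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify (wrong password or tampering).
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Sender side: the record the provider's server ends up storing.
// encryptSubject=true models the Tutanota behaviour described above,
// false models ProtonMail leaving the subject line readable.
function composeProtected(password, subject, body, encryptSubject) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(password, salt);
  return {
    salt,
    subject: encryptSubject ? sealField(key, subject) : subject,
    body: sealField(key, body),
  };
}

// Recipient side: runs after following the link and typing the password.
function readProtected(password, stored) {
  const key = deriveKey(password, stored.salt);
  const subject = typeof stored.subject === 'string'
    ? stored.subject : openField(key, stored.subject);
  return { subject, body: openField(key, stored.body) };
}

// Constructed sample message, not real data.
const SAMPLE = { password: 'correct horse battery', subject: 'Q3 invoice', body: 'IBAN follows.' };
```

The stored record never contains the password, so it has to reach the recipient over a separate channel.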
ProtonMail is located in Switzerland and Tutanota in Germany
The country in which your data is stored is important. Both Germany and Switzerland have strong privacy laws, with Germany being considered one of the strictest privacy advocates among EU nations. Switzerland is a famously neutral country (not part of the EU).
Tutanota wrote a post describing why the company is in Germany, citing laws such as the Federal Data Protection Act, which prohibits data collection and back-end access to encrypted data. ProtonMail also wrote about its decision to host its data in Switzerland, acknowledging the changing nature of privacy laws in the country and noting that ProtonMail cannot be forced to spy on its users.
It is difficult to say which is the safest in terms of data privacy. While Germany has stricter laws, the country is also part of Fourteen Eyes, an international information-sharing community.
Since both providers use end-to-end encryption to secure the content of their servers, the data is likely to remain secure even if the German or Swiss authorities required it to be handed over.
Both services are open source
It is important for a service that sells privacy and security to have the source code available for everyone to understand. If your provider is open source, it can be inspected by anyone. The more transparent a provider is, the more you should be able to trust them to deliver on their promises.
That said, no service is fully open source. In the case of Tutanota, the server-side software is not yet fully open source. The client web interface and mobile applications are already open source, and Tutanota admits that "the only thing left to do is open the Tutanota server part."
ProtonMail has a similar commitment to being open source. The ProtonMail web interface has been fully open since version 2.0, the iPhone application was open-sourced in 2019 and the Android application followed a year later. The company has stated that it does not intend to release the source code for the back-end server component, as this would provide "information on how we do anti-spam and anti-abuse".
Many of the technologies included in both packages, including the encryption protocols and the implementation of OpenPGP by ProtonMail, are already open source.
Tutanota provides a more attractive free option
For private use, Tutanota provides 1 GB of storage per user, limited search capabilities and a calendar. There is no limit to the number of messages you can send or receive per day or how your mail is organized.
ProtonMail offers only 500MB for each user, a limit of 150 messages per day and three tags with which you can organize your mail. This makes ProtonMail more restrictive for free users than Tutanota.
Neither service is "complete" without upgrades to access features such as custom domains, inbox rules, email aliases, autoresponders, and better support. This is another area where secure email providers are forging a different path from their free webmail competitors. If you want a suitable, secure email address, then you have to pay for it.
ProtonMail is more expensive
Direct price comparison is difficult, as both services have different plan structures and different offers. If you are considering paying for an email service, ProtonMail is the more expensive, with the cheapest package starting at $48/year or €48/year, with monthly packages also available.
With this, you will have a huge 5 GB of space, up to five email addresses (aliases), support for a custom domain and access to filters and autoresponders. ProtonMail still sets a limit of 1,000 outgoing messages per day, although this is a "soft limit" based on how you use your account. You also get up to 200 labels for greater organization.
Tutanota starts at only €12/year (about $14), but you will still have 1 GB of storage in total. You also get one custom domain, five email aliases, full search access and the ability to create inbound rules. There is no limit to daily messages or tags.
While Tutanota is cheaper, it also allows you to build the email plan that suits you. You can add users, aliases, storage and additional services, such as a secure contact form for your site, and then pay a monthly fee for all of them. ProtonMail takes a more "all or nothing" approach.
Tutanota supports email body search
The ability to search your inbox is a feature that you probably take for granted, but with a secure email address, it is not that simple. Due to the way email is encrypted from end to end, searching the body of your messages is not possible with ProtonMail. You can only search by subject lines, senders, recipients and time. This is because ProtonMail servers cannot decrypt your email.
By comparison, Tutanota also encrypts your email on the server. In 2017, the service announced that it would now be possible to search the body of an email. This happens locally on the user's device and can be done either in a browser or using a dedicated mobile app. This is done without sacrificing privacy, as search tasks are performed by your local computer instead of the server.
If search is a big deal for you, Tutanota has the upper hand here.
Both services have dedicated mobile applications
Neither ProtonMail nor Tutanota is compatible with "normal" email clients. ProtonMail paid accounts have access to ProtonMail Bridge, which extends service support to common mail clients such as Outlook, Thunderbird, and Apple Mail on Windows, Mac, and Linux desktops. Tutanota relies on its own clients for Windows, Mac and Linux.
To access either service on a smartphone, you must use the dedicated ProtonMail (iPhone, Android) or Tutanota (iPhone, Android, F-Droid) applications. There is no support for major mail clients due to how the data is encrypted on the server.