Cybersecurity expert Ben Finn compares two security-focused email services popular among journalists, ProtonMail and Tutanota, on both usability and security features, and explains how journalists should choose the software best for them.

End-to-end encryption (E2EE) protects emails from third party readers by scrambling its contents while in transit, only returning to readable text when it reaches the recipient.  Therefore, using an end-to-end encrypted email service is important for the safety of journalists and their sources. ProtonMail and Tutanota are the two most popular security-focused email services with 50 million and two million users respectively, both available on browsers, Android and iOS. Other email services such as Gmail and Microsoft Outlook are not recommended when sending sensitive information, as they don’t provide encryption as a default setting.

Established in 2014, ProtonMail is an open-source end-to-end encrypted email service based in Switzerland, a top location for data privacy. Its user-friendly interface allows emails that are sent from ProtonMail to ProtonMail to provide full end-to-end encryption and even a setting for emails to self-destruct. Safety features that protect ProtonMail to non-ProtonMail exchanges include password protection and an auto-delete function in the non-ProtonMail user’s mailbox. 

• 50 million users, meaning higher chances that contacts are already using this service.
• Free 500MB storage and 150 emails per day.
• Full end-to-end encryption on ProtonMail to ProtonMail emails.
• Password-protection on ProtonMail to non-ProtonMail emails.
• Self-destructing emails that auto-delete from the recipient’s inbox after a set time, even with non-ProtonMail recipients.
• Integration with popular email apps.

• Text in encrypted emails cannot be searched
• Subject lines are not encrypted

Founded in 2011, Tutanota is an open-source end-to-end encrypted email service based in Germany and funded by its premium users. It offers a totally encrypted mailbox and calendar and end-to-end encryption on all emails regardless of whether the recipient has a Tutanota account or not. Journalists can feel safe knowing that all emails they send from Tutanota will be completely encrypted. Though Tutanota is based in Germany and therefore subjected to European Union privacy laws, Germany is also part of the intelligence sharing alliance between 14 different countries across Europe, North America, and Oceania called the “14 Eyes” alliance, which may impact data privacy. 

• Full end-to-end-encryption on all emails
• Free 1GB storage
• Encryption of subject lines
• Full text search on emails
• Secure calendar & address book
• Functional desktop app

• Communication with a non-Tutanota user requires exchanging a password during first contact; which can be inconvenient for less important emails
• Spam filter considered “too restrictive” by many users
• No integrations with other email apps
• Customer support only available with paid plans
• Based in Germany, a 14-Eyes Alliance member

Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been researching on how to maintain proper security in the context of an oppress ive nation-state, specifically in the context of Myanmar. He has also been working with multiple groups in Taiwan to train them on proper security and safety measures.