Interview With Matthias Pfau – Tutanota

Aviva Zacks
Posted: June 23, 2019

When Matthias Pfau, founder and developer of Tutanota, agreed to an interview with Safety Detective, we jumped at the opportunity. He discusses the need for an open-source email service which offers end-to-end encryption.

Safety Detective: How did you get started in cybersecurity? What drew you to the industry?

Matthias Pfau: After I graduated from University, I was shocked by how difficult it was to send confidential emails. At work, we used PGP to encrypt emails, yet we regularly received confidential emails that were not encrypted because maybe someone didn’t have access to his PC or was sending an email from his phone. Then I thought, there must be a better way. There must be an option to send encrypted emails from any device easily. And that’s when we started Tutanota—an email service available on all devices that easily sends a secure email because the encryption is already baked into the code.

SD: What does Tutanota do to keep end-users’ information secure?

MP: Tutanota uses automatic end-to-end encryption, meaning only the user himself has access to his encrypted data. We as the service provider have absolutely no access. For this reason, we can’t even reset passwords, but the users can do this themselves with the help of a recovery code.

We make sure that all data is always encrypted—whether our users access their data via the web client, the Tutanota phone apps, or the Tutanota desktop clients. We even use an innovative search feature that searches all emails and contacts locally on the users’ device which means our servers never see the users’ search queries or results. We are committed to protecting our users’ data 100%.

SD: What is the email encryption process?

MP: In Tutanota, all emails are encrypted automatically with asymmetric encryption when both people use Tutanota. When the other person has not yet signed up with Tutanota, you can encrypt an email with a click on a button and by defining a decryption password when composing an email. This password must be shared via a different channel, e.g. in person or on the phone. Tutanota then encrypts subject, body, and all attachments automatically.

SD: What is the worst cyberthreat today?

MP: One of the biggest threats to online security is phishing attacks. Email accounts are of particular interest to malicious attackers as everyone uses their email address to reset passwords of other services—Facebook, Twitter, PayPal, Amazon, and more. That’s why a webmail service must offer two-factor authentication. Our approach at Tutanota is: do the security right so that users can easily secure their email accounts.

Another big cyberthreat—one that only the provider can and must(!) take care of—is data breaches. New legislation like the GDPR tries to force companies to better protect their users’ data from potential breaches. However, the best protection users can get for their data is when the service not only focuses on privacy but actually protects all data with built-in encryption. That’s what Tutanota does, and that’s why we recommend leaving Google and switching to privacy-friendly alternatives.

SD: How do you see cybersecurity developing in the next 5 years?

MP: We believe that open source is one of the most important aspects of building secure services, and we are proud that Tutanota is one of the best open source email services available. Only with open source can security experts verify that our code does what we promise: protecting our users’ data to the maximum with built-in end-to-end encryption.

The most secure option to use Tutanota is to download our brand-new desktop clients for Windows, Linux, and Mac OS. These clients are also published as open source and users can verify the signature, which guarantees that no one has tampered with the code. This is of particular importance because politicians around the world are demanding access via encryption backdoors. Open source is the best guarantee users can get that their apps are free from any backdoor.