Tutanota DDoS: Should We Keep Faith With The Privacy-Protected Email Concept?

Monday 21 September 2020
Bob Leggitt
"I think we should expect true privacy resources to encounter problems, and to encompass some inconvenience - because that's how real privacy commitment rolls."
Photo by Michael Dziedzic on Unsplash

After a sustained bout of disruptive DDoS (Distributed Denial of Service) attacks on the encrypted email provider Tutanota last week, questions are being asked about the reliability of such services. Although there's little doubt about the trust factor of the privacy-committed email services themselves, any interruption to access is a concern. So even if the access interruptions are the doing of malicious third parties, they can still damage a service's aura of reliability, and thus its trustworthiness.

WHY DO PRIVACY-PROTECTING EMAIL SERVICES SUFFER DDOS ATTACKS?

Tutanota is not the only private email service to have suffered persistent DDoS attacks. ProtonMail has also been subjected to two such successful assault campaigns, dating back to 2015, and 2018.

So why are these services targeted? Are the authorities trying to take them down in order to stop secret, subversive messaging? Is Silicon Valley organising against them because it fears losing its grip on the data-mining gravy train?

Well, email is certainly one of the Internet's richest sources of private data for the tech giants, and we know the entire data-guzzling tech collective wants private email to fail as a concept. Likewise, there are evidently governments who don't approve of any kind of electronic messaging that can't be covertly monitored. But the reality of the attacks on Tutanota and ProtonMail is rather less spectacular than state-and-tech-giant-sponsored sabotage.

Privacy-first email services have been targeted with DDoS because they've been the easiest email services to target with DDoS. One of the problems with genuinely committing to privacy online is that you lose options in the realm of threat-prevention.

Cloudflare, for example, is a commonly-used protection against DDoS attacks. But its privacy and data-gathering stance is definitely not compatible with the mission of Tutanota. So Tutanota can't, for moral reasons, protect itself with Cloudflare, or use similarly data-hungry solutions to fend off attacks. That sends out an invitation to bad actors. It's the metaphorical intruder looking for the house with the lowest fence.

With that said, we shouldn't confuse DDoS with hacking. Tutanota was not hacked, and no data was compromised. The service was just prevented from functioning. If you compare this with an email provider like Yahoo, which has been hacked multiple times, with major compromises to user data, you start to set Tutanota users' plight into perspective. Private email limits unauthorised data access by design. If Tutanota insiders can't read your encrypted emails, I wouldn't fancy a hacker's chances much.

TRUST FACTOR

In some ways, the success of DDoS attacks against both ProtonMail and Tutanota serves as proof that such services are trustworthy. That may sound a bit daft to someone who couldn't access important emails for a hefty portion of last week. But as people who care about data protection, we should be asking questions about every service that claims commitment to privacy. How does a given service do what it does? Are there any major trackers involved in its supply chain?

DuckDuckGo, for example, is so heavily dependent on Microsoft that it wouldn't be a great stretch of vision to see it as a Microsoft subsidiary. Microsoft isn't just the main provider of DDG's search results and its tracked ad referral mechanism. Run a TraceRoute on DuckDuckGo, and you'll see that Microsoft is also providing the main inward path to the supposedly private search engine. You see the path progress until it quickly reaches Microsoft-owned domains, and then the rest of the path is blocked from view.

We can, if we wish, blindly accept that even though Microsoft is clearly serving as a container around DuckDuckGo, the privacy arrangements are still rock solid. But I think we should be more suspicious than that. I think we should expect true privacy resources to encounter problems, and to encompass some inconvenience - because that's how real privacy commitment rolls. And I think that when supposed privacy resources run with all the slickness and convenience of Bing, we should smell a rat.

IS IT WORTH PERSISTING WITH PRIVACY-PROTECTED EMAIL?

Let's remember that true privacy comes at a price. Whether that price be paid financially, or in terms of convenience, it's going to be a fact of life. If there is no price, we can be fairly confident that there is no privacy.

So let's not desert Tutanota on the basis that it might be prone to inconveniences or interruptions in future. Until such time as the private email services shake hands with the mega-trackers, they are the true face of freedom in a world where most other online service providers have, to a greater or lesser extent, sold out to spy-tech. I said some good (and bad) things about Brave Browser, but it's still holding hands with Google. Tutanota is not doing that. We have to recognise the difference between resources that have a real, hardline privacy goal, and resources that only really care about privacy up to the point where it incoveniences them. The Braves and the DDGs are useful tools - let's not forget that DDG can be used with guaranteed IP anonymity via Tor [UPDATE: Not necessarily true, as DuckDuckGo is involved in running Tor]. But hardline privacy mechanisms they are not. They're both in bed with their supposed enemy.

It's very much worth persisting with private email options. Even if you're not going to use them for the bulk of your messaging, sign up to them. Help grow their userbase. Because that sends a message to the data-guzzlers that you know there's an alternative. And the wider that knowledge spreads, the better the data-guzzlers will have to behave in order to compete.

Data-driven tech is relying on our passiveness to push through some of the most dystopian spying tactics you can imagine. Regulation will not halt the march of privacy violation. Spy tactics have dramatically worsened since the introduction of GDPR less than two and a half years ago. The only hope of us stopping our lives from becoming ever-monitored prisons, is for us to take the little bit of extra trouble and use truly private services. There's a tipping point, at which resistance changes not only our small picture, but the landscape of the big picture too. If enough of us say no, even the demigods of digital data must listen.