I see the solution, but I do not recognize the problem it solves

I was at CeBIT this year. One of the new products that were unveiled at the exhibition was “Tutanota, the first absolutely secure, flexible and easy-to-use webmail system in the world”.

The idea is to provide a web interface for email and to store the emails encrypted “in the cloud”. That way, the cloud storage provider would not be able to access the emails while the user would still be able to have full access from every device capable of running a web browser. Sounds nice. I actually had a similar idea for a master's thesis project last year where customer data could be stored in untrusted cloud storage and could only be accessed by legitimate users. (That project sadly did not take off owing to the industrial partner pulling out of the planned thesis project.)

Ok, so everything is stored encrypted in untrusted cloud storage. Problem solved. Or is it? The first issue I see is that the web interface to access the emails is delivered by the same provider that stores the emails. It would be easy to deploy a web interface that decrypts on the client side but has a backdoor to get access to the decrypted content. The company thought about that: the web application will be open source (if I remember correctly), will be evaluated and certified, and there will be a browser plug-in to assess the integrity of the application. They did not say which protection profile their software will be evaluated against, and they did not seem aware of the costs involved in software evaluation and certification. Given that the company currently runs on 50,000 EUR funding, they will need to limit the number of evaluations or secure additional funding quickly.

The second issue is the boundary of the system. Given that not everybody you communicate with will opt to use a closed system for communication, most of the emails you send and receive will be transferred via SMTP servers, and the cloud storage provider will have to store your incoming emails (and be able to read, copy and modify them) until you transfer them into your protected storage. The same holds for outgoing emails.

A major challenge I see is functionality. As explained to me at the exhibition, the web client needs to provide all mail-related functionality. It does not just provide, e.g., an IMAP proxy to secure storage, so that you could continue to use your favourite email client. All the functionality that you currently like in your Google Mail, Yahoo Mail, Hotmail, Outlook, etc. does not yet exist in Tutanota. It will have to be designed, developed, integrated, tested, and released by the handful of people running this startup company.

So, who are the customers? According to talks at their booth at CeBIT, it will not be large enterprise customers (too demanding, too risky). It will not be large numbers of private end-users (too capital-intensive, too low revenue). They target small and medium companies that today mostly use hosted IMAP or Exchange servers and who use Outlook as their front-end. Good luck.

For an investor, even government bonds with a negative yield do not look that bad in comparison. I might be wrong, so let’s have another look at the product a year from now.

About Author: Hanno Langweg
