Fight for privacy and secure your mail with Tutanota

All nonprofits manage sensitive data, from donor information to employment records. Some organizations, however, work with data that requires an extra layer of privacy and protection. For example, if a political advocacy group, human rights organization, or nonprofit that help people escape domestic violence were to have its data compromised, the consequences could be life-or-death.

Enter Tutanota, one of TechSoup Canada’s newest donor partners. Tutanota is a secure, web and app based email service that allows users to send and receive encrypted emails and attachments. Tutanota helps over two million users share their emails securely and is now offering Tutanota Premium as a donation to eligible nonprofits:

Organizations seeking to communicate privately online can now do so easily without worrying about mass surveillance and/or illegal spying.

Preventing Misuse of Data with Encryption

The Little Red Door, a US cancer charity, fell victim to a cybersecurity attack in January 2017. The charity’s server and backup drives were hacked by a cybercriminal organization, and because the extracted data was not encrypted, all of the agency’s information were stripped, encrypted by the hackers and held for ransom. The criminals then threatened to leak patients’ data, which includes diagnostic, clinical information and grief letters, out to the public unless their ransom was paid.

Unfortunately, nonprofit data breaches are becoming more and more common, the Privacy Rights Clearinghouse reports. The Society of Corporate Compliance and Ethics, and the Health Care Compliance Association also found the same disturbing trend in their 2016 Survey, Data Breach Incidents, Causes, and Response, where 63% of nonprofits surveyed suffered a data breach within the one year period covered by the report. These data breaches included hacking, a vendor or other third party being breached, or human errors such as accidentally emailing confidential information to the wrong recipient. As the Little Red Door case study demonstrates, these data breaches present a huge threat to the personal data of our clients, donors, staff, and volunteers, and can damage our ability to secure future funding as well.

“Hackers don't discriminate, and no matter how small your business or how noble your nonprofit's mission, you could be vulnerable”

- Michael Wolfe, CTO of Ontario Systems

Thankfully, encryption solves a lot of the privacy and security challenges nonprofits are facing. Encryption is the process of converting electronic data into an encoded form, called ciphertext, using an encryption algorithm and an encryption key. Ciphertext can only be viewed in its original form by authorized parties that have the proper cipher/encryption key to decrypt it.

Encryption works to keep data private and secure, whether it’s in transit (i.e. being sent via email) or simply stored on a computer drive. Even if unauthorized parties somehow gain access to your network or system, they won’t be able to read your files unless they have the correct key. It is highly recommended for organizations to use end-to-end encryption on sensitive information in order to protect their data, as Michael Wolfe, CTO of Ontario Systems, explains: “Hackers don't discriminate, and no matter how small your business or how noble your nonprofit's mission, you could be vulnerable”.

How does Tutanota work?

Tutanota works like any other webmail service, such as Gmail or Outlook, except that it includes automatic, end-to-end encryption on all data (e.g. emails, contacts and attachments). Using one master password, Tutanota users can login to their secure inbox from any web browser on any device, and unlock their private key to decrypt their information.

Since Tutanota only requires one password to login to the secure inbox and decrypt messages, this password never travels through the Internet in plain text and is never seen by Tutanota servers. Tutanota servers only need a fingerprint (hash) of the password to allow user authentication, and as hashes are non-invertible, servers are unable to decrypt messages or reconstruct a password from the hash.

Tutanota uses a symmetrical algorithm (AES 128 bit) to encrypt emails to external recipients, and a hybrid method of symmetrical and asymmetrical algorithm (AES 128 bit and RSA 2048 bit) to encode emails between Tutanota users. This means that all emails, whether it’s to external recipients or to other Tutanota users, are stored encrypted on Tutanota’s servers. This state of the art encryption technology is what allows organizations, such as Noria Research, a nonprofit that researches international politics, the ability to protect sensitive information and communications with stakeholders.

“We work directly with people … in critical situations. We need to have a secure communication channel between our HQ in Paris and our researchers on the ground. On top of that, we need to provide our local contacts with an easy and secure way to share information with us.

Tutanota offers us the freedom to operate securely"

- Noria Research

To help visualize the encryption process, here are a few examples of how emails are encrypted in Tutanota:

Example 1: Sending and receiving encrypted emails to other Tutanota users

In the image below, Alice and Bob are registered with Tutanota. Since emails to other Tutanota users are always encrypted by default, when Alice sends an email to Bob, it’s encrypted on Alice’s Tutanota client, stored encrypted on the server, and can only be decrypted by Alice or Bob.

Sending encrypted emails to internal users

Example 2: Sending encrypted emails to external recipients

In this example, Alice is registered with Tutanota, and Carol is not. When Alice wants to send an encrypted email to Carol, Alice needs to enter a password before sending, and exchanges this password to Carol via a secondary channel (e.g., a call, text, or other means). Once Alice sets her password, the email is encrypted on Alice’s Tutanota client, stored encrypted on the server and sent via Simple Mail Transfer Protocol (SMTP) to Carol. Carol receives the password through a secondary channel, enters the password in a secure Tutanota email link, decrypts Alice’s message and is able to reply confidentially.

Sending encrypted emails to external users

Example 3: Sending and receiving non-confidential emails from external recipients

Continuing with example #2, Alice is registered with Tutanota and Carol is using an external client. When Alice wants to send non-confidential emails to Carol, Alice unchecks the “encrypt” option when composing an email. Non-confidential emails are then stored encrypted on Tutanota’s server and sent via SMTP.

Sending non-confidential emails

Receiving non-confidential emails

Is my organization eligible for a donation of Tutanota Premium?

This program is available to eligible Canadian Registered Charities registered with the Canada Revenue Agency, Canadian nonprofits incorporated either provincially or at the federal level and Canadian public libraries with a library symbol from Library and Archives Canada. For a more detailed breakdown of eligible and ineligible organizations, check out Tutanota program details (for smaller orgs and for larger orgs).

How many donations of Tutanota Premium can I request?

For eligible TechSoup Canada members, organizations may request one subscription of Tutanota Premium per fiscal year (July 1 to June 30). Organizations may renew their subscriptions with this donation each year.

Not registered with TechSoup Canada, but think you are eligible for donations of Tutanota?

The first step is to register with TechSoup Canada — it’s free and simple. Once we have processed your registration, we will let you know if you qualify for Tutanota.

Registering with us also grants you access to discounts and donations from up to 30 other donor partners, which includes popular software like office productivity suites, graphic design software, accounting packages and security programs. Find out how the donations program can work for an organization like yours!

{link_name} handles all validations and customer service for TechSoup Canada customers. Visit {link_name}arrow