Tutanota launches Secure Connect service for whistleblowers

Service launched on Press Freedom Day

Secure email firm Tutanota has launched a free open-source, secure two-way form which news organisations and bloggers can add to their websites as a service to allow parties to communicate with journalists securely and anonymously.

Released to coincide with Press Freedom Day (May 3^rd) Secure Connect looks like a standard contact form, the difference being that all information, including any attachments, is end-to-end encrypted automatically.

Secure Connect provides a random, anonymous address and a password, enabling the whistleblower to access his or her message and also to receive replies from the website, without having to provide identifying information like an email address or phone number.

To prevent websites tracking the IP address of the sender, Tutanota recommends that senders of information use Tor. For higher security whistleblowers should take additional measures too.

"As a whistleblower you shouldn't leave any traces. This means that you should only store the data on encrypted volumes. It is also a good idea to use a hardened and stripped down system (e.g. boot from non-writable flash media) and delete the data after you are sure that you submitted the data successfully to the right person," said co-founder Matthias Pfau.

Some newspapers already offer secure communications channels for whistleblowers. For example the Guardian has a service called SecureDrop, but Pfau said Secure Connect is designed to be easy to install by websites and blogs and also simple for whistleblowers to use with Tor.

"SecureDrop is way harder to setup as you have to install it on your own server. That's why it is only used by big news agencies so far. Tutanota Secure Connect is much easier to set up and to use," he told Computing.

"SecureDrop is a great tool - it can only be accessed via the Tor browser to guarantee anonymity of the sources - but for most news sites it is too complicated to set up," he added.

"With Tutanota Secure Connect, you don't have to securely setup a server, and you neither have to maintain and monitor it. This makes the installation for news agencies very easy - it's just a few clicks in our web interface."

We certainly found the pre-release trial preview offered to journalists very straightforward and easy to use.

Asked why a whistleblower should trust the system, Pfau answered that all the code is open source.

"The entire encryption process can be checked and verified on GitHub," he said. Which is all well and good if you are an expert coder or cryptographer, but less helpful for most people. Let's hope security experts put the code through its paces soon.

Secure Connect is free for news sites and journalists.

"We believe in the human right to privacy and freedom of speech - a secure and private form to communicate online is critical to achieve free speech," Pfau said. "With Secure Connect we want to support journalists, activists and whistleblowers for the important work they are doing for all of us."