Is Tutanota a honeypot?

Isn’t the testimony quite literally reported in the link above? We don’t have the full link but it is quite clear.

We know next to nothing about the nature of the alleged leaks, it’s hard to judge based off of that.
RCMP says that whatever was supposedly leaked “jeopardized lives,” which is very common for police organizations to claim whenever they are undergoing a PR nightmare, same shit the NSA pulled during Snowden. Ortis claims that he was doing this in the name of Canada’s safety.
He allegedly wanted to sell his information for $20,000 to one of these police targets: the owner of Phantom Secure, which was selling modified phones that were being marketed towards criminals and eventually got shut down as part of the Trojan Shield operation (the one that involved getting criminals to use the Anom phone). [CBC article]
[CP24 article about Tuta denying the claims]

Let’s momentarily assume that Ortis is totally guilty of all this. If he is, he was behaving very unethically. Snowden demonstrated how to bring up these concerns in as reasonably ethical of a manner as possible by going to the press and letting them make the decisions on what should be shared publicly. Ortis however was trying to make money off this information.

To me, this sounds similar to when an intelligence analyst was convicted for warning their friend’s husband that he was being investigated by authorities. [ post]

I find it pretty hard to trust someone like that when they claim some service is a honeypot with no evidence, and show no actual interest in actual safety like they claim. RCMP does lots of shady and probably illegal shit as well, but going to their investigative targets trying to sell that information is just totally wrong. I would not take this claim seriously because we have no reason to trust him.

At the end of the day, you should still be cautious about your email usage and be cognisant that you are trusting your provider to keep everything secure and private, and that they are required by law to cooperate with law enforcement. Services that claim to not cooperate with the law are the real honeypots because they directly try to advertise themselves as services criminals can use to evade consequences.


Tutanota and Proton are honeypots. Ok, you can switch to Yahoo or Gmail.

Cybersecurity companies are all the time finding activities by Russian hackers, North Korean hackers, Chinese hackers, etc. I may be wrong, but I’ve never ever heard of researchers uncovering hacking activities from the western agencies. Why is that? I don’t know, but the trust placed in audits should probably be limited to exposure to western intelligence as well.

Happens all the time from Russian/Chinese researchers, you just have to be looking for it because it only gets reported in their local spheres.

That being said, cybersecurity companies in those kinds of countries can often be compelled to “toe the party line,” which isn’t usually the case with western independent researchers, so they tend to make more fantastical claims that aren’t taken seriously by other experts.


It will be interesting if something like this comes out against Proton as well in the next 6 months or so.
Possibly an intentional discrediting of the 2 biggest encrypted email providers.

That’s what I’m saying. Western researchers find nothing on western agencies because we don’t do anything wrong, we’re the good guys, of course. Right?

Considering that’s not the case, these are the possible scenarios I can think of. Western researchers are finding stuff out and being told to blame it on others; finding stuff out and being told to shut up; or being told where not to look in the first place. Or, fourth option, western agencies are so good that nobody ever finds out anything and Russian/Chinese researchers make out 100% of their claims. It’s either this last option or we can’t really trust western researchers much more than we trust the Russian/Chinese ones.

Hmmm… is Techlore a honeypot? Since, contextually, Henry mentioned having to “pick enemies … & the lesser of two evils” on going with Google advanced security @4:55

I guess no matter what one does there’s always a case for infiltration, mutiny, commandeering, and betrayal? Perhaps teachably similar to war …nobody ever really knows who’s on whose side… until the casualty count adds up, and cyber attacks stop?

My personal theory would be that “western” agencies just don’t specifically target “western” targets at the same frequency that some of these non-democratic regimes target individual people with spyware like Pegasus, etc.

Therefore much less evidence of their attacks exists in the world in the first place to be analyzed by experts.

We also have a lot more evidence that when it comes to surveillance of citizens in countries like the United States, the government simply prefers methods like snooping over the network on the infrastructure which is outside of the user’s control rather than breaking into individual devices. So I think that’s why you don’t encounter many examples of the latter happening.

I don’t really think there’s any. Hell, even if they might be, I’ll take my chances with Tuta over giving my data to Google/Microsoft which both glow very hard in the dark.

Or buying data from data brokers. It’s too easy. How data brokers sell personal info of US military personnel • The Register

Update to the story for anyone interested. Cameron Ortis has been found guilty of violating the secrets act. [CBC]

In one of the recent Firewalls Don’t Stop Dragons editions, a former NSA guy was talking about their use of zero days. So maybe that settles it?

Psyvacy did a post about this a while back which I thought did a good job of exploring this kind of thing.