Tuta & Proton: An Open Source Client Does Not Result in an Open Source Service
Yesterday I came across a post from Tuta providing a comparison of their email service to others:
For context, Tuta provides its email clients as open source, but it does not provide sources for the back-end server-side parts of their service. You can’t set up your own instance. You can’t see how their back end operates. I remember Tuta advertising as “Open Source” before, but I thought they had improved how they represent themselves.
The blog post linked in the social post doubles down on this, with a bullet point list of Tuta Mail “Pros” which include “Open source” as the first “Pro”, with another specifically about the open source clients.
In my view, implying that “Tuta Mail” is open source, just because the clients are open source, is silly. If I used Thunderbird with Gmail or Outlook, does that count as them being open source? Is every web service open source if accessed with Firefox? No. That’s dumb.
I should note, this is not uncommon. A competitor in this space, Proton Mail, is arguably more egregious with their use of open source, with the Proton Mail homepage stating:
Open source and independently audited
All Proton services are open source and independently audited for security. […]
I’ve noted this in more detail on isitreallyfoss, and have noted details to update Tuta’s entry.
I called Tuta out on their Mastodon post, and received the following reply:
Hi there! Thanks for your feedback. We plan to open source our server side as well but right now it is not because: With the client code being open source, everybody can build the client themselves, run it locally and verify that the open source code is being used. If we published the server code open source, this would not be the case: No one would be able to verify that the open source server code is actually running on our server - so publishing it is a bit pointless.
Open source has a lot of benefits. The ability for sources to be used for trust & verification is just one of them. But when advertising their service as open source they are marketing using all the perceived benefits, not just the one achieved by providing their client source code. Can I host their offering elsewhere? Can Tuta mail be forked and maintained by others? No.
The verification part caught my eye though; it’s something they touch on within their open source page:
Our choice to publish the entire client code on GitHub for all Tuta apps – Windows, macOS, Linux, Android, iOS and web clients – means that anyone can audit the code and verify that Tuta protects the security and privacy of your data to the maximum. It’s a guarantee that there is no backdoor in the end-to-end encryption. […]
With this in mind, I checked the reproducibility status for the Tuta app on F-Droid, only to find that no builds are reported as reproducible. It doesn’t look to be too far off being reproducible, but for being stated as a key reason for having open source clients, it does not seem to be a priority. From my view, it does not seem to “guarantee that there is no backdoor” since there is no external reproducibility status for their clients, and therefore trust in Tuta is required since they could just provide modified versions of their clients. That’s unless you build & use your own clients from source, which I can’t imagine too many Tuta customers do.
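To make the reproducibility point concrete, here is the kind of check a third party performs when deciding whether a distributed client actually corresponds to the published source. This is an added example, not code from the post, from Tuta, or from F-Droid. It treats an Android package as the ZIP archive it is, sets aside the publisher's signing entries (assumed here to be `META-INF/MANIFEST.MF` and `META-INF/*.SF`, `*.RSA`, `*.DSA`, `*.EC`), and compares every remaining entry against a local build of the same source. Both packages below are constructed in memory; no real Tuta artifact is involved.

```python
"""Compare a locally built Android package with a distributed one, ignoring
the signing metadata that legitimately differs between the two.

Added example, not code from the post or from Tuta/F-Droid. APK files are ZIP
archives; a reproducibility check compares the archives after setting aside
the META-INF entries that hold the publisher's signature, which an outside
builder cannot reproduce. The two packages below are constructed in memory.
"""
import hashlib
import io
import zipfile

# Entries expected to differ (or be absent) in an unsigned local build.
# Assumption: v1 (JAR-style) signature files are named like this.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")
SIGNATURE_MANIFEST = "META-INF/MANIFEST.MF"


def is_signature_entry(name: str) -> bool:
    """True for entries that carry the publisher's signature, not the app."""
    if not name.startswith("META-INF/"):
        return False
    return name == SIGNATURE_MANIFEST or name.upper().endswith(SIGNATURE_SUFFIXES)


def content_digests(data: bytes) -> dict:
    """Map each non-signature entry name to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_builds(local_apk: bytes, distributed_apk: bytes) -> dict:
    """Return the entries that stop the two packages from matching.

    Keys: 'only_local', 'only_distributed', 'modified'. All empty means the
    distributed package is the local build plus a signature, nothing else.
    """
    local = content_digests(local_apk)
    dist = content_digests(distributed_apk)
    return {
        "only_local": sorted(set(local) - set(dist)),
        "only_distributed": sorted(set(dist) - set(local)),
        "modified": sorted(n for n in local.keys() & dist.keys() if local[n] != dist[n]),
    }


def is_reproducible(local_apk: bytes, distributed_apk: bytes) -> bool:
    """Convenience wrapper: True when compare_builds reports no differences."""
    return not any(compare_builds(local_apk, distributed_apk).values())


def build_apk(entries: dict) -> bytes:
    """Construct a minimal ZIP/APK in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample packages (not real Tuta artifacts).
APP_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='example.mail'/>",
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "assets/app.js": b"export const crypto = 'client-side';",
}
LOCAL_BUILD = build_apk(APP_ENTRIES)

# A faithful release: identical contents plus the publisher's signature files.
SIGNED_RELEASE = build_apk({
    **APP_ENTRIES,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + b"\x00" * 16,
})

# A release whose JavaScript bundle no longer matches the published source.
TAMPERED_RELEASE = build_apk({
    **APP_ENTRIES,
    "assets/app.js": b"export const crypto = 'client-side'; // changed",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82" + b"\x00" * 16,
})


if __name__ == "__main__":
    print("faithful release reproducible:", is_reproducible(LOCAL_BUILD, SIGNED_RELEASE))
    print("tampered release differences:", compare_builds(LOCAL_BUILD, TAMPERED_RELEASE))
```

The signed release passes because only signature entries differ, while the tampered one is flagged with `assets/app.js` under `modified`. That is exactly the evidence an external reproducibility status provides and that a source repository alone does not: without it, a user who did not build the client themselves has no way to tell the two releases apart.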
To be clear, it’s great that they provide their clients as open source, but I just think it’s misleading (and IMO purposefully so for marketing) to label the whole Tuta/Proton mail services as open source, just because you provide open source clients.
Wonder why pedantic folks like me care about this? Read more here.