The same privacy preserving features of Tutanota enjoyed by privacy conscious individuals, make it ideal for fraudsters.
We experience a large number of fraudulent ecommerce orders using Tutanota email domains. I'm not shocked to think that this could be an example of an algorithm gone awry based on the signals it received.
It shouldn't be the role of the ISP, but in the UK content blocking is legally mandated. E.g., "The Digital Economy Act 2017 placed the requirement for ISP filtering into law and introduced a requirement for ISPs to block pornographic sites with inadequate age verification." https://en.wikipedia.org/wiki/Web_blocking_in_the_United_Kin...
Yeah I'm not sure how much ISPs still bother with that. Up until a year or so ago my ISP was pretty good at blocking torrent sites but now I can visit e.g. 1337x.to with no problems.
I think this is talking about 3's adult content filter which is different and has existed for ages and has always been shit (I assume most people disable it).
How can an ISP be sure an end-to-end encrypted communication channel isn't being used for porn?
It is encrypted. By design they have no idea what it is being used for. It would be very easy to set up a ring of pornography distributors using email (at least in the UK, in civilised countries they'd probably be put out of business by the open internet).
By this interpretation, any TLS channel, even to a supposedly "clean" domain, can be used for porn. Btw, nothing prevents you from emailing porn over Gmail or any of the other "allowed" email providers.
That is not really true, ISPs are relied on by non-technical customers who have neither the personal chops nor a 24/7 technical assistant to help them.
Whether ISPs succeed in any way is an entirely different ballgame, but this is absolutely the job of the ISP, especially in their role of email provider. Its ability to properly discriminate and aggressively block or plonk messages isvery much one of the reasons people like gmail.
> Whether ISPs succeed in any way is an entirely different ballgame, but this is absolutely the job of the ISP, especially in their role of email provider.
They aren't providing email in this example, as far as I can tell. They're providing internet access to an email service. Or they should be.
I have two colleagues who regularly send me emails from that domain.
For the first , I assumed it was her own domain. When I saw messages
from a second person I assumed they might both work for the same
company. Now I figured it's an ISP. I checked it out and it looks like
a good, legit service for people who don't want creeps and advertisers
grubbing through their messages. Three UK have no place blocking
traffic from legitimate users and must identify problematic use on a
per case basis.
Modern legal systems usually limit criminal liability to individuals
[1]. Companies engaging in acts of collective punishment (That goes
for you too Cloudflare) should at least try to raise their ethical
standards to those expected by International Law.
> Modern legal systems usually limit criminal liability to individuals [1]. Companies engaging in acts of collective punishment (That goes for you too Cloudflare) should at least try to raise their ethical standards to those expected by International Law.
There is no "criminal liability", and blocking malfeasants on the internet has always been a heuristic fight. If a service originates an extremely high rate of fraud versus legitimate uses, it's a good heuristic for fraud. It's a shame for legitimate users, but it's also how it's always worked.
And more generally minor (or self-hosted) MTA have always had that issue, it's not news that they get delivered less reliably than big "trusted" mail hosts, and that they can get blacklisted real fast.
Just because it's not "criminal" doesn't mean they're not dicks. And
"if you want to make an omelet you gotta break eggs" is neither a
reason nor an excuse. It's a sob story you tell yourself to feel
better about not being smart enough to figure out a solution that
doesn't harm others.
Cloudflare are just technically not able to deliver what they pretend
to. They profess to offer protection for vulnerable users of the
internet who are service providers. In doing so they harm millions of
other vulnerable users who are clients. They rob Peter to pay Paul,
and then take a moral stand on Free Speech.
Free Speech is a two sided affair. The freedom to write/speak must be
matched by the freedom to read/listen.
Cloudflare trample all over the latter and act like it's
nothing... because "if you wanna make an omelet you gotta break some
eggs". They simply kick the can down the road and so are hypocritical
and grandiose.
Yeah... any e-commerce system with significant volume's likely to end up with a deny-list for basically all these sorts of services. You lose one real order for every 1,000 fraud attempts, at worst. Easily worth it.
Similar reason lots of US servers used to (? still do ?) block entire IP blocks representing large parts of Asia. If 1% of your legit traffic is coming from those blocks, but 95+% of abuse, brute-force, and exploit attempts, it's a no-brainer to just blackhole them, unless you're at such a huge scale that 1% of legit traffic is still a very large number in absolute terms.
then it should be up to your company to say "hey we don't allow emails from X" and not do business with them. Like someone said in a previous thread "ISPs shoudl be dumb pipes", otherwise they get a nanny complex. Credit cards seem to be doing the same thing these days, acting like nannies.
not really, only for illegal and particularly reprehensible/gray areas. Porn is an accepted expression of freedom of speech and is protected speech. Visa/MC/Amex don't need to be the police.
The question is one of ratio, and false positives versus false negatives.
If 90% of tutanota-orginated emails are fraudulent, tutanota is an excellent fraud indicator, even though it will block legitimate emails.
If 10% of gmail-originated emails are fraudulent, gmail is a terrible fraud indicator, even though it will let fraudulent emails pass through, possibly more than the count of fraudulent emails coming from tutanota.
But if you block Tutanota the fraudsters will just switch to Gmail, and all you accomplished is that you inconvenienced legit Tutanota users.
I wonder why so many companies drag their feet when implementing actually useful anti-fraud measures (like supporting Verified-by-Visa) and instead block random email providers.
> drag their feet when implementing actually useful anti-fraud measures (like supporting Verified-by-Visa)
Most ecommerce merchants are non-technical, and utilise 3rd party platforms (Shopify, Bigcommerce etc) that in combination with their Payment Gateway don't support these systems.
I can safely say that every order my business has received with a Tutanota address has turned out to be fraud. It is a really strong indicator for a fraudulent transaction.
There are many other signals, but for some reason this is a really strong one.
We see a similar trend with Aleeas, and Simplelogin.
We still get fraud from Gmail and Outlook addresses, but it is picked up using other indicators, IP, IP owner, Shipping Address, phone number reachability, carrier, Payment Methods, name, useragent, "for lease" or "for sale" status of the delivery address etc etc...
The question is, does blocking Tutanota reduce total fraud, or does it just make fraudsters to move to a different email hoster and you end up with the same total fraud?
Real-world ecommerce systems often end up with quite a long list of email domains that either provide some weight to a "fraud or not?" algo, or are outright banned.
You don't just block tutanota, you block a big, long list of high-abuse email sources, periodically updated.
It surprises me that this would be effective, since setting up an email host that's just capable of receiving emails should be trivial.
Then again, maybe I am overestimating fraudsters, and by blocking email hosts that make it too easy to sign up you can get rid of a significant chunk of them...
Their game is high-volume-low-cost/effort, which I think is the main reason that this approach does significantly cut fraud volume (admittedly at, typically, a tiny cost in lost sales).
A lot of them are just stuffing stolen credit card numbers to try to find which ones still work, anyway, so they don't care about breaking into your system in particular, they just want to find any system that will let them attempt a charge. If they're finding enough of those using cheap or free anonymous accounts from low-credibility email address providers, they have no reason to spend more time or effort on it.
Blocking these providers doesn't mean you won't still see better-targeted fraud attempts, but it cuts down on a ton of the low-effort but high-volume automated crap—and that stuff can kill a merchant payment processing account in a weekend, if you're not pretty good at blocking it.
Consider when you’re tempted to ‘what about’ an issue that there’s an important distinction you’ve missed rather than see it as evidence of some grand injustice - in this case that GMail processes orders of magnitudes more email than Tutanova.
Ecommerce service itself should be using Tutanota if fraudsters want the most privacy benefits.
If not, Tutanota is like any other email provider, possibly with better privacy policy.
You can register an account for free. You don't need to provide anything when registering an account, just choose an E-Mail and a password. Is that what you mean with "privacy preserving"?
We experience a large number of fraudulent ecommerce orders using Tutanota email domains. I'm not shocked to think that this could be an example of an algorithm gone awry based on the signals it received.