Is the new Outlook safe for privacy or does it spy on your personal data?

Which secure email client actually protects your data from AI scanning in 2025?

The German Federal Office for Information Security (BSI) released a study on December 15, 2025, titled “IT Security in the Digital Consumer Market: Focus on Email Programs.” While the report confirms that most email clients function securely on a technical level, it overlooks critical privacy concerns regarding data harvesting and surveillance capitalism.

Technical Findings: The Baseline Security is Strong

The BSI examined twelve popular email clients. Their technical assessment offers reassuring news for the average consumer. The infrastructure of these tools is generally robust.

  • Encryption Standards: Nine out of twelve programs support end-to-end encryption. When it is in use, message content stays unreadable to external attackers who intercept it in transit.
  • Malware Protection: Eleven of the free clients utilize active filters. These tools scan incoming messages to block junk, phishing attempts, and dangerous content from unknown senders.
  • Vulnerability Management: Every tested program features an accessible update function. Security patches install automatically or via simple notifications through app stores and package managers.

Caroline Krohn, Head of Digital Consumer Protection, emphasized that providers must prioritize “security-by-default.” The consensus is that technical processes are maturing. Attackers cannot easily breach the transmission layer of these clients.

The Critical Oversight: Data Sovereignty and Privacy

While the BSI focuses on external threats, the report fails to address internal threats posed by the service providers themselves. As your advisor, I must highlight that security does not equal privacy. A secure vault is useless if the bank manager is selling photocopies of your deposits.

The study ignores three major privacy violations inherent in modern “free” email services:

Credential Transmission (The Outlook Issue)

The “New Outlook” client transmits login credentials, including those from third-party accounts (like IMAP), directly to Microsoft servers. It routes emails through Microsoft infrastructure even when you use a different provider. This grants the corporation full access to data that should remain local.
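If you run the third-party mail server yourself, routing like this would show up as successful IMAP logins arriving from the cloud provider's address space instead of the user's own network. The following is an added example, not part of the BSI study or any vendor tooling. It assumes Dovecot-style login lines; the log lines are constructed, and the CIDR ranges are documentation placeholders to be replaced with the ranges the provider publishes.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: operator-maintained list of the cloud provider's published ranges.
# The values below are RFC 5737 documentation ranges used as placeholders.
CLOUD_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Dovecot-style successful login: "imap-login: Login: user=<u>, method=..., rip=IP, lip=IP, ..."
LOGIN_RE = re.compile(r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F:.]+)")

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Dec 16 08:01:12 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, mpid=4101, TLS, session=<a1>
Dec 16 08:05:40 mx dovecot: imap-login: Login: user=<bob@example.org>, method=PLAIN, rip=192.0.2.77, lip=192.0.2.1, mpid=4120, TLS, session=<b1>
Dec 16 09:14:03 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, mpid=4188, TLS, session=<a2>
Dec 16 09:14:09 mx dovecot: imap-login: Login: user=<alice@example.org>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, mpid=4190, TLS, session=<a3>
Dec 16 09:20:00 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol@example.org>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, TLS
"""

def in_cloud(ip, ranges=CLOUD_RANGES):
    """True if ip falls inside any listed range (IPv4/IPv6 mismatches compare False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def cloud_relayed_logins(log_text, ranges=CLOUD_RANGES):
    """Return {user: sorted cloud source IPs} for successful IMAP logins from listed ranges."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored
        try:
            if in_cloud(m["rip"], ranges):
                hits[m["user"]].add(m["rip"])
        except ValueError:
            continue  # malformed address field
    return {user: sorted(ips) for user, ips in hits.items()}

if __name__ == "__main__":
    for user, ips in cloud_relayed_logins(SAMPLE_LOG).items():
        print(f"{user}: mailbox accessed from cloud range(s): {', '.join(ips)}")
```

A hit means the account's password was presented from infrastructure the user does not control, so rotating that password after the user moves to a local client is the natural follow-up.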

AI Analysis and Scanning

Major providers like Google (Gmail) and Microsoft utilize Artificial Intelligence to scan email content. The BSI report does not critique how these algorithms analyze personal correspondence to train models or categorize user behavior.

Third-Party Data Sharing

Terms of service agreements often authorize data sharing with hundreds of partners. For example, specific clauses allow Microsoft to share data with over 600 external companies for advertising purposes. This transforms an email client into a surveillance tool.

Strategic Recommendations for the User

The BSI suggests that consumers “choose a suitable email program” based on their report. This advice is dangerous if you value data confidentiality.

You must distinguish between local storage and cloud processing.

  • High Privacy: Clients like Thunderbird, Proton Mail, and Tuta Mail prioritize local data handling and zero-access encryption. They do not monetize user data.
  • Low Privacy: Clients like Gmail and the New Outlook function as data collection points. They are secure against hackers, but intrusive when it comes to personal profiling.

The BSI report accurately assesses that email clients are technically hardened against hackers. However, it fails to warn you about the business models of the providers. For true security, you must look beyond “phishing filters” and examine the Terms of Service. If a provider routes your credentials to their cloud or scans your text for “smart features,” your privacy is compromised regardless of the encryption protocol used.