I understand. What do you think your browser does with your user name and password when you login to every web site in the world? It transmits that data to the web site in EXACTLY the same way.

My point is this: assume the end user WANTS this feature. They WANT Microsoft’s cloud service to synchronise that IMAP email to the service. What should be done differently?

IMAP is a pretty old protocol. It authenticates by username and password. There isn’t a way, that I’m aware of, to get email data out of a IMAP service without first logging in.

So, the argument you’re making seems to have nothing to do with this email service. You appear to make the argument that nobody should ever give Microsoft any passwords because you don’t trust them to control access to it.

If we focus on an email sync service, it MUST work this way. We can argue whether email sync services should ever exist. Whether you should ever give anyone your email password. But IF you’re going to let service A read your imap email from service B, you are going to give your service B password to service A and service A is going to use it. That’s how that is going to work.

Right. What is the point that the article is trying to make?

It seems like nobody should send any data to Microsoft under any circumstances. Because TLS is how we do that and apparently that's not good enough. The "terrifying screenshot" (from the article) is irrelevant. The screenshot shows that MS does exactly what they say they do.

The article says "the movement of this data will of course be securely encrypted right...? Not quite". That "Not quite" is unreasonable.

The data is being transmitted to Microsoft using TLS—the same TLS that Tuta uses in HTTPS and MTA-STS. If TLS protects data when Tuta uses it, then TLS protects data when Microsoft uses it. You can't brag about Tuta using TLS everywhere, then say that data protected by TLS isn't protected enough when Microsoft does it.

The article never mentions that Tuta has a way to log you into your email account without transmitting a password. (It simply says Tuta doesn't have access to your credentials). Five paragraphs about AT&T and NSA and GDPR and HIPAA and other stuff, but nothing says Tuta can do this same job more securely. I would have been far more impressed with a screenshot of the equivalent authentication messages between the Tuta client and Tuta server, showing how Tuta does it without sending your password over a TLS connection.

Not to mention the scary quotation "no reasonable expectation of privacy" that is attributed to absolutely no one and has no reference or links at all.

Microsoft sends passwords around. Tuta doesn't. That's a point the article could make clearly without dragging in all these superfluous concepts.