German secure email provider Tutanota forced to monitor account after regional court ruling – TechCrunch
German end-to-end (e2e) encrypted email provider Tutanota has been ordered by a regional court to develop a function that lets it monitor an individual account.
The encrypted messaging service provider has fought a number of such orders in its home country.
The decision, which was reported in the German press at the end of last month, contradicts an earlier judgment by a Hanover court that Tutanota, a web-based email provider, is not a telecommunications service.
The Cologne court order falls under a German law (known as the “TKG”) which requires telecommunications service providers to disclose data to law enforcement and intelligence agencies when they receive a lawful interception request.
The Cologne court ruling also runs counter to a 2019 decision by the EU’s highest court, the CJEU, which concluded that another web-based email service, Gmail, is not an ‘electronic communications service’ as defined in EU law, meaning it cannot be subject to the common EU rules for telecoms operators.
Tutanota co-founder Matthias Pfau called the Cologne court’s move “absurd” – and confirmed that the company is appealing.
“The argument is this: although we are no longer a provider of telecommunications services, we would be involved in the provision of telecommunications services and therefore still have to allow the collection of telecommunications and traffic data,” he told TechCrunch.
“From our point of view – and German legal experts agree with us – this is nonsense. The court also does not state which telecommunications service we are involved in or name the actual provider of the telecommunications service.
“The telecommunications service cannot be email because we provide it entirely ourselves. And if we were to participate, we should have a business relationship with the actual supplier.”
Despite the absurdity of a regional court treating an email provider like an ISP – in apparent contradiction to the earlier CJEU ruling – Tutanota is nonetheless required to comply with the order and develop a monitoring function for the specific mailbox in question while its appeal continues.
A spokeswoman for Tutanota confirmed that the company has told the court it will develop the feature by the end of this year – while suggesting its appeal process is expected to take “months” longer to run its course.
“We are going to the higher court in parallel. We are already preparing an appeal to the Bundesgerichtshof [Germany’s Federal Court of Justice],” she added.
The Cologne court order requires the implementation of a monitoring function on a single Tutanota account that had been used in an extortion attempt. The Tutanota spokeswoman said the monitoring function will only apply to future emails that account receives – it will not affect previously received emails.
She added that the account in question no longer appears to be in use.
While after-the-fact surveillance seems unlikely to make a difference in the specific case (extortion), the suspicion is that the court wants to set a precedent – raising the hackles of security watchers worried about the risk of digital service providers being forced to backdoor their services in the region.
Last month a draft Council of the European Union resolution raised serious concerns that EU lawmakers are considering a ban on e2e encryption as part of a counterterrorism security push. However, the draft document only referred to “lawful and targeted access” – while expressing support for “strong encryption”.
Returning to the Tutanota monitoring order, it can only be applied to unencrypted emails linked to the specific account.
This is because the email provider applies e2e encryption to its own users’ content – meaning it does not hold the decryption keys and is therefore unable to decrypt that data – although it also allows users to receive emails from messaging services that do not apply e2e encryption (so it could be required to hand over that data in clear text).
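The data flow described above, as an added illustration that is not Tutanota’s code: a mail server that holds only users’ public keys can capture content solely at the point where unencrypted external mail arrives, and only after an order is activated, while e2e mail and already-stored mail stay unreadable to the provider. Names, the per-byte textbook RSA with a 12-bit modulus, and the sample messages are all constructed for the example.

```python
"""Toy model, constructed here and not Tutanota's code: the provider holds only
public keys, so an ordered monitoring hook sees only unencrypted external mail as
it arrives. Per-byte textbook RSA (12-bit modulus) stands in for asymmetric crypto."""
N, E, D = 3233, 17, 2753   # toy RSA key (p=61, q=53); the client keeps D

def rsa_encrypt(n, e, data: bytes) -> list:
    return [pow(b, e, n) for b in data]     # textbook RSA per byte, toy only
def rsa_decrypt(n, d, cipher: list) -> bytes:
    return bytes(pow(c, d, n) for c in cipher)

class Server:
    def __init__(self):
        self.pubkeys = {}  # address -> (n, e); private keys never leave clients
        self.boxes = {}    # address -> list of (seq, ciphertext, is_e2e)
        self.orders = {}   # address -> [first monitored seq, captured plaintexts]
        self.seq = 0

    def register(self, address, pubkey):
        self.pubkeys[address] = pubkey
        self.boxes[address] = []

    def _store(self, to, ciphertext, is_e2e):
        self.seq += 1
        self.boxes[to].append((self.seq, ciphertext, is_e2e))
        return self.seq

    def deliver_e2e(self, to, ciphertext):
        # Sender's client encrypted to the recipient's public key: ciphertext only.
        return self._store(to, ciphertext, True)

    def deliver_external(self, to, plaintext: bytes):
        # Plain SMTP mail arrives in clear: the only point the provider can see
        # content, so the ordered hook lives here and covers later mail only.
        order = self.orders.get(to)
        if order and self.seq + 1 >= order[0]:
            order[1].append(plaintext)
        return self._store(to, rsa_encrypt(*self.pubkeys[to], plaintext), False)

    def activate_order(self, address):
        # Starts with the next message; stored mail is already encrypted to the user.
        self.orders[address] = [self.seq + 1, []]

    def disclosable(self, address) -> list:
        """All content the provider can technically hand over for this box."""
        return list(self.orders.get(address, (0, []))[1])

def client_read(server, address, d, n):
    """User-side decryption with the private key the server never held."""
    return [rsa_decrypt(n, d, ct) for _, ct, _ in server.boxes[address]]
```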
However, if the EU were to legislate to require providers of e2e encrypted services to hand over decrypted data in response to lawful interception requests, that would effectively amount to a ban on e2e encryption.
This is the most worrying scenario, although no such law has yet been proposed by the European institutions. (And it would most likely face fierce opposition in the European Parliament, as well as more generally from academia, civil society, consumer protection, and privacy and digital rights groups, among others.)
“According to the decision of the Cologne Regional Court, we were forced to release unencrypted incoming and outgoing emails from a mailbox. End-to-end encrypted emails in Tutanota cannot be decrypted by us, even after the court order,” noted Pfau.
“Tutanota is one of the few email providers to encrypt the entire mailbox, as well as the calendar and contacts. The encrypted data cannot be decrypted by us, because only the user has the key to decrypt it.
“This decision again shows why end-to-end encryption is so important,” he added.