German Court Strong-arms Privacy Email Provider Tutanota to Help Monitor Mailboxes

In a ruling from November, the Cologne Regional Court ordered the privacy email provider Tutanota to build a function that would allow investigators to read a suspect's emails in plain text and monitor the mailbox.

As a result, Tutanota must now build, by the end of 2020, what is essentially a backdoor that lets the police monitor a mailbox.

The case itself relates to a blackmail email sent to an auto supplier from a Tutanota mailbox.

Responding to the demand, a spokeswoman for the Hanover-based email company said they will file a complaint against the decision. However, as the complaint does not suspend the court ruling, Tutanota has had to begin developing the function in the meantime.

Will Other Tutanota Users Be Affected?

The question is how this affects other Tutanota users. A mechanism that bypasses the encryption would pose a significant security and privacy risk to all Tutanota users if it were not tightly scoped.

In a Reddit thread on r/tutanota, a Tutanota spokesperson said:

“This ruling requires Tutanota to hand out newly incoming and outgoing non-encrypted emails of one suspected criminal before they are encrypted.

The ruling does not affect any other mail account. It also does not affect already encrypted data or emails that are sent with end-to-end encryption. Only the user has access to the key so we are not able to decrypt any data.”

The post also adds that Tutanota will file an appeal against the decision and is preparing a further appeal to the BGH (Federal Court of Justice).

Why It Matters Where Your Secure Email Provider Is Located

Tutanota is one of the few secure email providers that encrypts all incoming emails by default, which is why the ruling targets the moment before that encryption happens. However, like other companies in the encrypted email industry, Tutanota has to comply with court orders like this one.

The problem for Tutanota is that it is based in Germany, a member of the 14 Eyes, an international surveillance alliance whose members have collected and shared mass surveillance data for decades.

The same, for instance, is not the case with CTemplar, a secure email provider based in Iceland. While CTemplar would also have to comply with a similar order from an Icelandic court, it is not bound by the intelligence-sharing arrangements of the 14 Eyes, so there is no equivalent channel for passing users' data on to other countries' intelligence services.

This is because Iceland is outside the 14 Eyes, has no mutual legal assistance treaties (MLATs) with other countries, has no data retention laws for webmail, and legally allows for total anonymity. By contrast, email services in the United States and Switzerland, where some secure email providers are hosted, are required to log user IP addresses.