Tutanota is being forced by a German court to develop a backdoor that will be used by authorities to monitor individual mailboxes and read emails in plain text.
Note: Headline changed from “Encrypted email provider Tutanota forced to backdoor its service” to “German court forcing Tutanota to let authorities read emails in plain text” after a request from Tutanota.
Since Edward Snowden’s leaks, the US government has been remembered for its role in forcing telecom providers to hand over user information. However, it is not the only one using such tactics.
In the latest case of this sort, a prominent German encrypted email service provider named Tutanota is being forced by a German court to give local law enforcement authorities access to its users’ emails so that they can monitor individual mailboxes.
According to German-language news site Heise Online, following the ruling by the Cologne Regional Court, the company has been cornered and has already started developing a backdoor. The “State Criminal Police Office of North Rhine-Westphalia” would use it to monitor user emails and read them unencrypted, in plain text.
But what led to this?
A blackmail email was reportedly sent to an auto supplier by someone using the Tutanota email service, which led the authorities to demand such a function. It is noteworthy that all past emails are secure and cannot be decrypted in any way, so the choice to continue with the service lies with users.
In future, all emails will still be encrypted, but they can be decrypted if the authorities smell anything suspicious and want to investigate.
On the legal aspect of the ruling, Heise Online states:
The Cologne judgment is noteworthy because it differs from the case law of other courts. In the summer, the Hanover Regional Court decided that Tutanota does not provide or participate in any “telecommunications services” in the legal sense – and therefore cannot be obliged to monitor telecommunications. The Hanoverian judges again referred to a landmark judgment of the European Court of Justice (ECJ) from 2019. According to this, e-mail services are not communication services.
Tutanota is fighting back
Tutanota has filed a complaint, which is currently awaiting processing. If it succeeds, the mail provider will stop developing the monitoring backdoor/function; otherwise, it may have to accept defeat on this front due to the legal implications.
This will surely make users switch to alternative email providers, which would be a major hit to its revenues and reputation.
Nevertheless, we have contacted Tutanota for its response to the story, so stay tuned as this article will be updated accordingly.
Update – Response from Tutanota
Tutanota has responded to our email and confirmed that the issue is ongoing and the company is fighting the decision in court.
Tutanota’s representative further explained:
This is not a backdoor to the encryption itself. Newly received/sent emails from this particular account must be copied before they are encrypted. We can’t decrypt any encrypted data, and nothing changes in regards to our end-to-end encryption.
According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox. Emails that are encrypted in Tutanota already or sent end-to-end encrypted cannot be decrypted by us, not even after the court order.
Tutanota is one of the few mail providers that encrypts the entire mailbox, also calendar and contacts. The encrypted data cannot be decrypted by us, because only the user has the key to decrypt it.