German court forces encrypted email provider Tutanota to provide messages in blackmail case
A regional court in Germany has ordered the end-to-end encrypted email provider Tutanota to monitor an account belonging to a user under suspicion in a blackmail case.
It’s the latest surveillance-related court decision the email provider is fighting in court, and comes amid a broader, protracted campaign from governments around the world to weaken encryption. The U.S. Department of Justice, for instance, has coordinated with Australia and other nations in recent years to try giving law enforcement more access to encrypted data.
Tutanota said it plans to appeal the November ruling from a regional court in Cologne, arguing that it contradicts an earlier decision from another German court. That first court, the Hanover Regional Court, determined earlier this year that Tutanota does not provide telecommunications services, suggesting it cannot be forced to monitor them under German law. The latest ruling from Cologne also could contradict a 2019 ruling by the Court of Justice of the European Union that Gmail is not an electronic communications service.
In the meantime, Tutanota must abide by the court’s decision, meaning it must develop the monitoring functionality by the end of the year, according to German computer magazine, c’t.
Tutanota’s co-founder, Matthias Pfau, said the ruling would not affect other users’ emails, but that it could set a dangerous precedent for email security and privacy. If other similar cases surface in the months and years to come, the concern is that this case could pave the way for more intrusive monitoring.
“This decision shows again why end-to-end encryption is so important,” Pfau said via email. “According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox. Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us.”
The case in Cologne is rooted in the idea that encryption can stymie law enforcement investigations. While Tutanota is not a telecommunications service provider, it is “involved in providing telecommunications services and must therefore still enable … data collection,” Pfau said.
“From our point of view — and German law experts agree with us — this is absurd,” Pfau said. “Neither does the court state what telecommunications service we are involved in nor do they name the actual provider of the telecommunications service.”
It’s not the first time German authorities have sought to increase their visibility over otherwise protected technologies.
German police in recent years have used a so-called “state trojan” virus to bypass encryption on suspects’ smartphones for law enforcement inquiries, according to German news outlet Süddeutscher Zeitung. But in a win for privacy advocates earlier this year, Germany’s Constitutional Court ruled that mass surveillance of telecommunications of foreign nationals outside of Germany was unconstitutional. As a result Germany’s foreign intelligence service, BND, has to halt monitoring of emails of foreign nationals abroad.
The decision marks a concerning moment for privacy advocates, according to Alex Vukcevic, the director of protection labs and quality assurance at Germany-based security firm Avira.
“Tutanota is in a very unenviable situation, where they are offering a solution with excellent privacy protection, that now has to be compromised in light of the decision made by [the] court,” Vukcevic said. “The implication here is clear: it is a continued trend towards opening up previously protected communication channels for law enforcement around the globe. As advocates for online privacy, we see this development with wary eyes.”
The decision could have dangerous implications for national and economic security, according to Blake Moore, the vice president of strategy and operations at Wickr.
“This case demonstrates a critical lack of understanding of the importance of E2EE [end-to-end encryption],” says Moore, who previously worked at the U.S. Department of Defense’s Cyber Command. “By requiring Tutanota to develop a surveillance function for the specific inbox outlined in the case, the court has set a dangerous precedent and seriously undermines the efforts that governments and corporations take to protect information through E2EE.”
The Tutanota ruling comes as private sector entities around the world are facing pressures from multiple governments to provide ways for law enforcement to access encrypted data. In October 2020 the U.S., U.K., Australia, New Zealand, Canada, India and Japan banded together in a joint announcement meant to advocate for increased access to encrypted date for law enforcement.
Encryption experts and cybersecurity practitioners, however, have called the efforts vain, saying that undermining encryption for some targets, no matter how specific, could weaken data protection for all users of the same service, and thus threaten national security.
The efforts to weaken encryption in the U.S., which the Department of Justice has reinvigorated in the last year, have so far culminated in a series of bills that have not yet become law.
The Cologne decision is a reminder that security experts could step up in calling on governments for better security policies, Istvan Lam, the co-founder and CEO of Switzerland-based Tresorit, the end-to-end encrypted file sharing tool, told CyberScoop.
“[I]t is yet another example of the increasing pressure on end-to-end encrypted services, and a clear sign that there is still work to be done when it comes to correctly categorizing service providers and understanding how end-to-end encryption works for the security of the digital economy,” says Lam, whose business has regional offices in Germany.
Correction, 12/10/20: The headline of this article has been updated to clarify what Tutanota must do in response to a German court order. A previous version incorrectly said Tutanota must create a “backdoor.”
