German court forces mail provider Tutanota to install backdoor

Full text search in encrypted mail

First, a little context. Tutanota Is one of the few email services that encrypt incoming mail by default, like Protonmail, and That is, mail is stored encrypted on servers. The provider cannot decrypt it, even if it wants to.

but decree The Cologne Regional Court demanded the implementation of “a function with which one can track individual mailboxes and read emails in plain text.”

This is not a good precedent for the European legal system.

Tutanota wants to file a complaint to this decision, but it does not have a suspensive effect, that is, the very fact of filing a complaint does not suspend the previous decision, which must be fulfilled.

“Therefore, we had to start developing the monitoring function,” said a spokeswoman for the company in comments for c’t magazine. If the complaint is successful, the feature will be removed.

The decision of the Cologne Regional Court is a dangerous precedent for the European legal system. This decision differs from decisions of other courts. For example, in the summer the Hanover District Court decidedthat Tutanota does not provide or participate in any “telecommunications services” in the legal sense and therefore cannot be obliged to monitor telecommunications. The judges of Hanover referred to the famous Gmail solution European Court of Justice of 13 June 2019 (case C-193/18). According to him, e-mail services are not communication services. Consequently, Google is not obligated to register a telecommunications identifier for Gmail and establish any interception interfaces.

However, a Cologne court called Tutanota a “participant” in telecommunications services, although the company considers the ruling absurd and will fight to overturn it.

Tutanota Work Team

Anyway, by December 31, 2020, Tutanota is obliged to program a function that will give the State Criminal Police Office of North Rhine-Westphalia access to users’ mailboxes, including the particular user who started this story.

We are talking about the investigation of a criminal case in which a suspect sent a threatening letter to a car dealer using the services of a secure mail service.

Tutanota assures that this incident will change nothing for other users. Their mail will still be encrypted by default when it arrives at the server. However, the company considers one-off encryption to be a data protection and security threat for all customers.

Here is a diagram of how messages are encrypted and stored on the server in the case of using end-to-end encryption (left) and without it (right):

Unlike PGP, some metadata is also encrypted, not just the message body.

The company emphasizes that the backdoor will allow you to view the content only new incoming unencrypted emails… It cannot decrypt previously encrypted data as well as other end-to-end encrypted emails in Tutanota. Relatively speaking, the “backdoor” is the following algorithm:

 def encrypt_mail(email):
if email.user=="badperson":

Perhaps the Hanoverian Tutanota now regrets that it did not choose another jurisdiction. On the other hand, this story can be seen as a kind of PR for a company that is trying to do everything in its power. IN one of the interviews they say they may consider moving to another country (Switzerland), but this is unlikely to happen: “The legal situation and the German constitution are generally very good and protect people’s privacy. Community activism also helps us prevent or weaken problematic laws (surveillance). ”

The company periodically publishes transparency report and canary certificate for your service. A canary certificate is the only way to legally divulge information that is not allowed to be divulged.

Encryption is the only reason why the police used the legal procedure at all. Some believe that on open channels they would use wiretapping more widely without bothering to obtain permits. And only cryptography protects society from the arbitrariness of law enforcement agencies.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *