In a ruling from November, the Cologne Regional Court pressured the privacy-focused email provider Tutanota to integrate a function allowing investigators to read emails in plain text and monitor mailboxes. As such, Tutanota must develop a backdoor enabling the police to monitor a mailbox by the end of 2020. The case relates to a blackmail email sent to an auto supplier from a Tutanota mailbox. Responding to the demand, a spokeswoman for the Hanover-based email company said they would file a complaint against this decision. However, as this does not suspend the court ruling, Tutanota had to begin developing this function.
Will Other Tutanota Users Be Affected?
The question is, how will this affect other Tutanota users? Bypassing the encryption would pose significant security and privacy risks to all Tutanota users. In a Reddit thread on r/tutanota, a Tutanota spokesperson said: “This ruling requires Tutanota to hand out newly incoming and outgoing non-encrypted emails of one suspected criminal before these are being encrypted. The ruling does not affect any other mail account. It also does not affect encrypted data or emails sent with end-to-end encryption. Only the user can access the key, so we cannot decrypt any data.” The post also adds that Tutanota will file an appeal against the decision and that the provider is also preparing an appeal to the BGH (Federal Court of Justice).
Why It Matters Where Your Secure Email Provider Is Located
Tutanota is one of the few secure email providers that encrypt all incoming emails by default. However, like other companies in the encrypted email industry, Tutanota has to respond to court requests like this one. The problem for Tutanota is that it is based in Germany, a member of the 14 Eyes, an international surveillance alliance known for collecting and sharing mass surveillance data for decades. The same, for instance, is not the case with CTemplar. This secure email provider is based in Iceland. While CTemplar would also have to follow any similar demands from a court in Iceland, it doesn’t bear the risk of sharing users’ data with other countries’ intelligence services. This is because Iceland is outside the 14 Eyes, has no MLAT treaties with other countries, has no data retention laws for webmail, and legally allows for total anonymity (for instance, email services in the United States and Switzerland, where some secure email providers are hosted, are required to track user IP).