anonymous
2024-03-14 01:21:16 UTC
German e2e encrypted email provider Tutanota has been ordered by a
regional court to develop a function that allows it to monitor an
individual account.
The encrypted email service provider has been fighting a number of such
orders in its home country.
The ruling, which was reported in the German press late last month,
contradicts an earlier Hanover court finding that Tutanota, a provider
of web-based email, is not a telecommunications service.
The order by the Cologne court comes under a German law (known as âTKGâ)
which requires telecommunications service providers to disclose data to
law enforcement/intelligence agencies if they receive a lawful intercept
request.
The Cologne court ruling also runs counter to a 2019 decision by
Europeâs top court, the CJEU, which found that another web-based email
service, Gmail, is not an âelectronic communications serviceâ as defined
in EU law â meaning it canât be subject to common EU rules for telcos.
Tutanota co-founder Matthias Pfau described the Cologne ruling as
âabsurdâ â and confirmed itâs appealing.
âFrom our point of view â and law German law experts agree with us â
this is absurd. Neither does the court state what telecommunications
service we are involved in nor do they name the actual provider of the
telecommunications service.
âThe telecommunications service cannot be email, because we provide it
completely ourselves. And if we were to participate, we would have to
have a business relationship with the actual provider.â
Despite the absurdity of a regional court treating an email provider as
an ISP â in apparent contradiction of earlier CJEU guidance â Tutanota
is nonetheless required to comply with the order, and develop a
surveillance function for the specific inbox, while its appeal
continues.
A spokeswoman for Tutanota confirmed it has told the court it will
develop the function by the end of this year â whereas she suggested its
appeals process is likely to take âmonthsâ more to run its course.
âWe are going to the higher court in parallel. We are already preparing
an appeal to the Bundesgerichtshof [Germanyâs Federal Court of
Justice],â she added.
The Cologne court order is for a surveillance function to be implemented
on a single Tutanota account that had been used for an extortion
attempt. The Tutanota spokeswoman said the monitoring function will only
apply to future emails this account receives â it will not affect emails
previously received.
She added that the account in question appears to no longer be in use.
While after-the-fact monitoring seems unlikely to make any difference to
the specific (extortion) case, the suspicion is the court wants to
create a precedence â raising the hackles of security watchers who are
worried about the risk of digital service providers being compelled to
bake backdoors into their services in the region.
Last month a draft resolution of the Council of the European Union
triggered substantial concern that EU lawmakers are considering a ban on
e2e encryption as part of an anti-terrorism security push. However the
draft document discussed only âlawful and targeted accessâ â while
expressing support for âstrong encryptionâ.
Returning to the Tutanote surveillance order, it can only be made to
apply to unencrypted emails linked to the specific account.
This is because the email service provider applies e2e encryption to its
own usersâ content â meaning it does not hold decryption keys so is
unable to decrypt the data â though it also allows users to receive
emails from email services that do not apply e2e encryption (hence it
can be compelled to provide that data in plain text).
However, if the EU were to legislate to compel e2e encryption service
providers to provide decrypted data in response to lawful intercept
requests, it would effectively outlaw the use of e2e encryption.
Thatâs the scenario of most concern â though no such law has yet been
proposed by any EU institutions. (And would very likely face fierce
opposition in the European parliament, as well as more broadly, from
academia, civil society, consumer protection, and privacy and digital
rights groups, among others.)
âAccording to the ruling of the Cologne Regional Court, we were obliged
to release unencrypted incoming and outgoing emails from one mailbox.
Emails that are encrypted end-to-end in Tutanota cannot be decrypted by
us, not even after the court order,â noted Pfau.
âTutanota is one of the few mail providers that encrypts the entire
mailbox, also calendar and contacts. The encrypted data cannot be
decrypted by us, because only the user has the key to decrypt it.â
âThis decision shows again why end-to-end encryption is so important,â
he added.
https://techcrunch.com/2020/12/08/german-secure-email-provider-
tutanota-forced-to-monitor-an-account-after-regional-court-ruling/
regional court to develop a function that allows it to monitor an
individual account.
The encrypted email service provider has been fighting a number of such
orders in its home country.
The ruling, which was reported in the German press late last month,
contradicts an earlier Hanover court finding that Tutanota, a provider
of web-based email, is not a telecommunications service.
The order by the Cologne court comes under a German law (known as âTKGâ)
which requires telecommunications service providers to disclose data to
law enforcement/intelligence agencies if they receive a lawful intercept
request.
The Cologne court ruling also runs counter to a 2019 decision by
Europeâs top court, the CJEU, which found that another web-based email
service, Gmail, is not an âelectronic communications serviceâ as defined
in EU law â meaning it canât be subject to common EU rules for telcos.
Tutanota co-founder Matthias Pfau described the Cologne ruling as
âabsurdâ â and confirmed itâs appealing.
âFrom our point of view â and law German law experts agree with us â
this is absurd. Neither does the court state what telecommunications
service we are involved in nor do they name the actual provider of the
telecommunications service.
âThe telecommunications service cannot be email, because we provide it
completely ourselves. And if we were to participate, we would have to
have a business relationship with the actual provider.â
Despite the absurdity of a regional court treating an email provider as
an ISP â in apparent contradiction of earlier CJEU guidance â Tutanota
is nonetheless required to comply with the order, and develop a
surveillance function for the specific inbox, while its appeal
continues.
A spokeswoman for Tutanota confirmed it has told the court it will
develop the function by the end of this year â whereas she suggested its
appeals process is likely to take âmonthsâ more to run its course.
âWe are going to the higher court in parallel. We are already preparing
an appeal to the Bundesgerichtshof [Germanyâs Federal Court of
Justice],â she added.
The Cologne court order is for a surveillance function to be implemented
on a single Tutanota account that had been used for an extortion
attempt. The Tutanota spokeswoman said the monitoring function will only
apply to future emails this account receives â it will not affect emails
previously received.
She added that the account in question appears to no longer be in use.
While after-the-fact monitoring seems unlikely to make any difference to
the specific (extortion) case, the suspicion is the court wants to
create a precedence â raising the hackles of security watchers who are
worried about the risk of digital service providers being compelled to
bake backdoors into their services in the region.
Last month a draft resolution of the Council of the European Union
triggered substantial concern that EU lawmakers are considering a ban on
e2e encryption as part of an anti-terrorism security push. However the
draft document discussed only âlawful and targeted accessâ â while
expressing support for âstrong encryptionâ.
Returning to the Tutanote surveillance order, it can only be made to
apply to unencrypted emails linked to the specific account.
This is because the email service provider applies e2e encryption to its
own usersâ content â meaning it does not hold decryption keys so is
unable to decrypt the data â though it also allows users to receive
emails from email services that do not apply e2e encryption (hence it
can be compelled to provide that data in plain text).
However, if the EU were to legislate to compel e2e encryption service
providers to provide decrypted data in response to lawful intercept
requests, it would effectively outlaw the use of e2e encryption.
Thatâs the scenario of most concern â though no such law has yet been
proposed by any EU institutions. (And would very likely face fierce
opposition in the European parliament, as well as more broadly, from
academia, civil society, consumer protection, and privacy and digital
rights groups, among others.)
âAccording to the ruling of the Cologne Regional Court, we were obliged
to release unencrypted incoming and outgoing emails from one mailbox.
Emails that are encrypted end-to-end in Tutanota cannot be decrypted by
us, not even after the court order,â noted Pfau.
âTutanota is one of the few mail providers that encrypts the entire
mailbox, also calendar and contacts. The encrypted data cannot be
decrypted by us, because only the user has the key to decrypt it.â
âThis decision shows again why end-to-end encryption is so important,â
he added.
https://techcrunch.com/2020/12/08/german-secure-email-provider-
tutanota-forced-to-monitor-an-account-after-regional-court-ruling/