Tutanota has been served with a court order to backdoor its encrypted email service – a situation founder Matthias Pfau described to The Register as “absurd.”
Our friends at Heise reported auf Deutsch that a court in Germany last month ordered Tutanota to help investigators monitor the contents of a user’s encrypted mailbox. The site has until the end of the year to add functionality to perform this surveillance.
Such a peephole would destroy the unique selling point of Tutanota: it encrypts all data stored in people’s mailboxes in such a way that it can’t retrieve the contents beyond some metadata. It also allows people to wrap their outgoing and incoming messages in end-to-end encryption that, again, Tutanota can’t break.
The site can, say, provide the cops access to new incoming non-encrypted emails for a particular inbox, though it can’t hand over its encrypted contents. We imagine Tutanota could alter its code to capture a copy of the user’s password during login so that someone else can unlock it later, though it’s not clear if the court order goes this far. In any case, if the user never logs in again, the mailbox contents will remain enciphered, and the court order can’t be fulfilled.
Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us
Heise reported Tutanota is considering challenging the order. Pfau today told us he’s not taking the matter lying down despite being legally compelled to act in accordance with the order.
“According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox,” Pfau told The Register. “Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us.”
Pfau also added that in June the Hannover Regional Court had struck down a lower district court’s ruling that Tutanota was to be backdoored. While angry police workers reportedly threatened to attack Pfau, sending him menacing emails promising to abduct him from his home and throw him into “provisional detention” unless he obeyed their orders, the regional court dismissed the district court’s ruling – leaving police powerless to follow through.
Will there be no end to govt attempts to break encryption? Hand over your data or the kiddies get it, threaten Five Eyes spies
Tutanota’s successful legal argument at the time was that it did not qualify as a “provider of telecommunications services” within EU law. Pfau explained to The Register how the German police were attempting to counter that: “Although we are no longer a provider of telecommunications services, [they say] we would be involved in providing telecommunications services and must therefore still enable telecommunications and traffic data collection.”
He added: “From our point of view – and German law experts agree with us – this is absurd.”
In September, not long after Pfau’s personal battles with police, unidentified persons launched a series of DDoS attacks against Tutanota. Those attacks resulted in the email service going down for a while, prompting irritated users to moan until it came back up.
Backdoored encryption is a hot topic in the Western world, particularly the UK. Only this morning a little-known state agency called the Children’s Commissioner published a report demanding end-to-end encryption be backdoored to keep children safe. The request illustrates the level of threat facing ordinary people wishing to stay secure online.
History has taught us that encryption backdoors do not work; inevitably, the backdoors (such as the one in the NSA’s Clipper chip) are found by people who weren’t supposed to know about them, or can be abused by those who do. That creates a far greater danger to internet security than whatever breaking end-to-end encryption solves. ®