German Court Orders Encrypted Email Service Tutanota To Backdoor One Account
from the end-to-end-crypto-is-still-your-friend dept
A legal requirement to add backdoors to encrypted systems for "lawful access" has been discussed for many years. Last month, the EU became the latest to insist that tech companies should just nerd harder to reconcile the contradictory demands of access and security. That's still just a proposal, albeit a dangerous one, since it comes from the EU Council of Ministers, one of the region's more powerful bodies. However, a court in Germany has decided it doesn't need to wait for EU legislation, and has ordered the encrypted Web-email company Tutanota to insert a backdoor into its service (original in German).
The order, from a court in Cologne, is surprising, because it contradicts an earlier decision by the court in Hanover, capital of the German state of Lower Saxony, and Tutanota's home town. The Hanover court based its ruling on a judgment by the Court of Justice of the European Union (CJEU), the EU's highest court. In 2019, the CJEU said that:
a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an 'electronic communications service'
Despite this, in the Tutanota case the Cologne court applied a German law for telecoms. Tutanota's co-founder Matthias Pfau explained to TechCrunch:
"The argumentation is as follows: Although we are no longer a provider of telecommunications services, we would be involved in providing telecommunications services and must therefore still enable telecommunications and traffic data collection," he told TechCrunch.
"From our point of view -- and German law experts agree with us -- this is absurd. Neither does the court state what telecommunications service we are involved in nor do they name the actual provider of the telecommunications service."
Given that ridiculous logic, it's no surprise that Tutanota will be appealing to Germany's Federal Court of Justice. But in the meantime the company must comply with the court order by developing a special surveillance capability. Importantly, it only concerns one account -- allegedly involved in an extortion attempt -- that seems to be no longer in use. Moreover, as the TechCrunch article explains, the monitoring function will apply to future emails that the account receives. And even then, it will only deliver any unencrypted emails that are present, because Tutanota is not able to decrypt users' emails that apply end-to-end encryption, which is entirely under the user's control, not Tutanota's.
That means the practical effect of this court order is extremely limited: to future unencrypted emails of just one quiescent account. But independently of its real-life usefulness, this order sets a terrible precedent of a court ordering an Internet company to insert what amounts to a backdoor in an account. That's why it is vital that Tutanota's appeal prevails -- for both the company, and for the EU Internet as a whole.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.
Filed Under: backdoors, email, encrypted email, encryption, eu, germany, lawful access
Companies: tutanota
Reader Comments
Planes, cars, same thing right?
"The argumentation is as follows: Although we are no longer a provider of telecommunications services, we would be involved in providing telecommunications services and must therefore still enable telecommunications and traffic data collection," he told TechCrunch.
Gotta love that grossly dishonest conflation tactic. 'Yes you're not technically (or legally) a telecom provider, however if someone squints just right you do some of the same things and that means a law aimed at telecom companies applies to you too'.
They might as well argue that since planes and cars are both involved in transportation the same rules and laws should apply to both, and hopefully the higher up judges will see through such a dishonest argument, throwing it out as the garbage it is.
[ link to this | view in chronology ]
From the “ nobody gives a faggot fuck” dept.
[ link to this | view in chronology ]
No country is gonna be content until it has full access to all ordinary citizens' communications (as long as all government, politician and friends remain top secret and inaccessible) and courts are doing whatever they are told to do to make this happen. As is always the case, those that want this are the problem, up to no good in every self-serving way possible, and shit scared of everyone finding out and spreading it everywhere!
[ link to this | view in chronology ]
Re:
Rule of thumb, never send in an email what you don't want the world to know.
If you must use email, use locally managed keys and encrypt the shit out of it, because at the very least the resulting cyphertext will be sitting around for all to see for years to come.
Never trust encryption services provided by someone else. Far too easy for rulings like this one to backdoor, and an obvious sitting duck for any alphabet soup agency wanting to invade the privacy of their citizenry.
[ link to this | view in chronology ]
Re: Re:
Also, never use email services subject to German law.
That's the takeaway from this ruling.
The Germans are perfectly willing to give the legal OK for backdoors. Ergo their services are monitored and anything that goes through their pipes is known about instantly in the BND.
[ link to this | view in chronology ]
Re: Re: Re:
And it's the same with British and US and you name what services. Remember Lavabit, the US based mail service? They were forced to divulge the private key of their webserver (which they printed on paper with 1pt size iirc). And they shut down operations in response.
My initial reaction reading the headline was suspicion as well. Though not all things seem lost. Tutanota seems to have fortified itself against government overreach rather successfully. Sure, unencrypted mails are prey. But they have established an opt-in end-to-end encrypted system, which doesn't seem broken yet. Going forward, I expect eyes to be closely looking whether the system is deliberately broken. If that happens, then I'd say that is the time to jump ship.
But what other ship to choose? Ultimately, no third party can be trusted. Your only option is to operate the server yourself and have the data encrypted at rest and transmission. Then, when the government comes knocking down your door, you can choose to not divulge the secrets, which will return you a few months in jail, but nothing will be revealed. And make sure to swear in your contacts.
[ link to this | view in chronology ]
So, you think that email is sacred and beyond reach of a court?
That's your implicit alternative, and it's just your usual SILLY, not at all based in reality, opposed to obvious necessity, besides that this has been adequately "due processed".
But your fantasy keeps being that GOOGLE can read everyone's email to make money advertising while gov't is prohibited from it even for obvious good purposes. -- NO, it's not "slippery slope": it's SAME as other areas of a person's life. NOT off-limits when have probable cause and so on.
I've no idea how you kids think society could work without ability of courts to order (even) invasive searches. Again, you live in a fantasy world, not the grim reality most do.
[ link to this | view in chronology ]
Re: So, you think that email is sacred and beyond reach of a cou
A pro tip, do not use a webmail, or any unencrypted email service if you want privacy. Also, if the service provides key management, check it out carefully to determine that they do not have access to the keys, or better yet manage your own keys.
[ link to this | view in chronology ]
Re: So, you think that email is sacred and beyond reach of a cou
Shut the fuck up, troll
[ link to this | view in chronology ]
Don't feed the troll and give them the attention they so desperately desire, even to give them a well earned swearing at, just flag and move on.
[ link to this | view in chronology ]
Re: So, you think that email is sacred and beyond reach of a cou
"But your fantasy keeps being that GOOGLE can read everyone's email to make money advertising while gov't is prohibited from it even for obvious good purposes"
No, the reality is that although Google was mentioned in a case related to this story, this story is not about Google. It's about Tutanota.
However, if you voluntarily use Google's (or someone else's) services and agree to have your email scanned while it's on their property, in return for advertising which keeps the service free of charge, that's your choice. They have thousands of competitors in that space if you disagree, and there's nothing to stop you from creating your own email service if you wish, which is a relatively trivial thing to do for anyone with real knowledge.
Meanwhile no matter where your email is stored, the government shouldn't get automatic access to spy on you just because they decide they fancy a look. Forcing the backdooring of accounts in order to enable this places everyone at risk, and ironically for you could involve blocking Google and others from making the accounts hidden from their own scanning, the exact opposite of what you claim to want.
Once again, we apologise that the real arguments being made are not compatible with your wild fantasies, and I'm sorry that you once again lost the ability to parse facts and ideas as soon as you saw Google being mentioned.
[ link to this | view in chronology ]
When will the nerds rebel?
At what point will the nerds decide to give the clueless a taste of their own medicine? Why should us nerds thanklessly work harder to accommodate the wishful thinking of the clueless, particularly the arrogantly clueless like politicians, bureaucrats, lawyers and judges?
Perhaps we nerds should nerd a private communications mechanism, through the Internet. The nerds can just communicate among ourselves and let the clueless wallow in their own failings.
Food for thought.
[ link to this | view in chronology ]
Re: When will the nerds rebel?
The endgame of that is that any appearance that communication is taking place that the clueless in power can't understand will be criminalized. Including using words that are too big - because any communication that goes over the heads of the clueless might as well be encrypted.
If Pol Pot could execute anyone in his population that appeared to be literate - which extended to anyone who wore eyeglasses! - why can't a 21st-century regime criminalize anything but messages written on postcards in words of one syllable?
Nerd harder!
[ link to this | view in chronology ]
The leprechaun and the ribbon
It does remind me of the old story of the lad who got a leprechaun to reveal his pot of gold hidden under a tree in the woods. To mark it, he tied a yellow ribbon around the tree.
Having left and returned later with a wheelbarrow and a pack mule, every tree in the forest featured a yellow ribbon tied around it.
The response to this problem, thus, would be to quadruple communication traffic with bunches of redundant encrypted communication, not that this isn't done already by spammers selling penis pills (still -- lately some have been getting through the Gmail filters).
Essentially it's like adding an NSA Haiku to all your communications.
[ link to this | view in chronology ]
Rebelling nerds
We actually have that stuff already. You can make an encryption block with multiple accounts and multiple passwords, so that when you are forced to open it for a court order, it's just a letter to grandma.
We also have encryption that looks like garbage in unused data sectors, so it would be impossible to differentiate communications files from the garbage between them.
Want to put your communications into pictures of cats or porn? We can do that too. Twenty-first century steganography can hide communications anywhere. The terrorists don't use it because they don't need to.
The nerds are safe and will be safe for a long time while the I'm not a nerd but I disagree crowd catches up. But nerds are also worried about the non-nerd civilian communities who struggle to make all these tricks work. All our efforts to catch the world up with end-to-end encryption (and the password management hygiene necessary for that to work) have proven to be unsuccessful.
Stupid tragedy of the commons.
[ link to this | view in chronology ]
Re: Rebelling nerds
"But nerds are also worried about the non-nerd civilian communities who struggle to make all these tricks work. All our efforts to catch the world up with end-to-end encryption (and the password management hygiene necessary for that to work) have proven to be unsuccessful."
Or, in the words of Bruce Schneier:
"I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'."
The reason door locks work so well is because all the user needs to know is "insert and turn key". The reason computer security works less well is because the user doesn't know what the key is, where to find it, and how to keep it out of the hands of others.
[ link to this | view in chronology ]