German Court Orders Encrypted Email Service Tutanota To Backdoor One Account

from the end-to-end-crypto-is-still-your-friend dept

A legal requirement to add backdoors to encrypted systems for "lawful access" has been discussed for many years. Last month, the EU became the latest to insist that tech companies should just nerd harder to reconcile the contradictory demands of access and security. That's still just a proposal, albeit a dangerous one, since it comes from the EU Council of Ministers, one of the region's more powerful bodies. However, a court in Germany has decided it doesn't need to wait for EU legislation, and has ordered the encrypted Web-email company Tutanota to insert a backdoor into its service (original in German). The order, from a court in Cologne, is surprising, because it contradicts an earlier decision by the court in Hanover, capital of the German state of Lower Saxony, and Tutanota's home town. The Hanover court based its ruling on a judgment by the Court of Justice of the European Union (CJEU), the EU's highest court. In 2019, the CJEU said that:

a web-based email service which does not itself provide internet access, such as the Gmail service provided by Google, does not consist wholly or mainly in the conveyance of signals on electronic communications networks and therefore does not constitute an 'electronic communications service'

Despite this, in the Tutanota case the Cologne court applied a German law for telecoms. Tutanota's co-founder Matthias Pfau explained to TechCrunch:

"The argumentation is as follows: Although we are no longer a provider of telecommunications services, we would be involved in providing telecommunications services and must therefore still enable telecommunications and traffic data collection," he told TechCrunch.

"From our point of view -- and law German law experts agree with us -- this is absurd. Neither does the court state what telecommunications service we are involved in nor do they name the actual provider of the telecommunications service."

Given that ridiculous logic, it's no surprise that Tutanota will be appealing to Germany's Federal Court of Justice. But in the meantime the company must comply with the court order by developing a special surveillance capability. Importantly, it only concerns one account -- allegedly involved in an extortion attempt -- that seems to be no longer in use. Moreover, as the TechCrunch article explains, the monitoring function will apply to future emails that the account receives. And even then, it will only deliver any unencrypted emails that are present, because Tutanota is not able to decrypt users' emails that apply end-to-end encryption, which is entirely under the user's control, not Tutanota's.

That means the practical effect of this court order is extremely limited: to future unencrypted emails of just one quiescent account. But independently of its real-life usefulness, this order sets a terrible precedent of a court ordering an Internet company to insert what amounts to a backdoor in an account. That's why it is vital that Tutanota's appeal prevails -- for both the company, and for the EU Internet as a whole.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: backdoors, email, encrypted email, encryption, eu, germany, lawful access
Companies: tutanota

Russia's War On Encryption Stumbles Forth With Ban Of Tutanota

from the what-are-you-so-afraid-of dept

The Russian government continues to escalate its war on encrypted services and VPNs. For years now, Putin's government has slowly but surely taken steps to effectively outlaw secure communications, framing the restrictions as essential for national security, with the real goal of making it harder than ever for Russian citizens to dodge the Putin government's ever-expanding surveillance ambitions.

The latest case in point: starting last Friday, the Russian government banned access to encrypted email service Tutanota, without bothering to provide the company with much of any meaningful explanation:

In a blog post, the company notes that Tutanota has been blocked in Egypt since October of last year, and that impacted users should attempt to access the service via a VPN or the Tor browser:

"Encrypted communication is a thorn in the side to authoritarian governments like Russia as encryption makes it impossible for security services to eavesdrop on their citizens. The current blocking of Tutanota is an act against encryption and confidential communication in Russia.

...We condemn the blocking of Tutanota. It is a form of censorship of Russian citizens who are now deprived of yet another secure communication channel online. At Tutanota we fight for our users’ right to privacy online, also, and particularly, in authoritarian countries such as Russia and Egypt.

Except VPNs have been under fire in Russia for years as well. Back in 2016 Russia introduced a new surveillance bill promising to deliver greater security to the country. Of course, as with so many similar efforts around the world the bill actually did the exact opposite -- not only mandating new encryption backdoors, but also imposing harsh new data-retention requirements on ISPs and VPN providers forced to now register with the government. As a result, some VPN providers, like Private Internet Access, wound up leaving the country after finding their entire function eroded and having some of their servers seized.

Last year Russia upped the ante, demanding that VPN providers like NordVPN, ExpressVPN, IPVanish, and HideMyAss help block forbidden websites that have been added to Russia's censorship watchlist. And last January, ProtonMail (and ProtonVPN) got caught up in the ban as well after it refused to play the Russian government's registration games. While Russian leaders want the public to believe these efforts are necessary to ensure national security, they're little more than a giant neon sign advertising Russian leaders' immense fear of the Russian public being able to communicate securely.

Filed Under: encryption, russia
Companies: tutanota