Court forces e-mail provider Tutanota to release unencrypted messages

[steven36]

The e-mail provider Tutanota advertises to be the “world’s most secure e-mail service”.

 

The company offers encrypted e-mail communication and claims to have six million customers relying on this security promise.

 

However, on October 2, 2018, the district court of Itzehoe asked managing director Matthias Pfau to provide the e-mails of Tutanota unencrypted and in real time to the police [4].

Why?

 

In the previous months hackers blackmailed several companies based in Schleswig-Holstein, using an e-mail address from Tutanota.

So the investigators wanted to read the e-mails to get the cyber criminals on the track.

 

So this case leads to a dispute between security authorities, who claims that too secure encryption methods avoids the tracking of suspect, and privacy advocates, who want more data to be encrypted to better protect citizens and businesses from criminals, espionage and data hunger by tech companies.

How Tutanota works?

Tutanota’s service works like this: when two users write an e-mail, it is automatically protected with the most secure end-to-end encryption. Only sender and receiver can read the message.
However this works only between tutanota users: mail providers like Google or Hotmail do not have such protection.

 

If a customer receives an e-mail from a person who does not have a Tutanota account, according to provider FAQ, the message was automatically encrypted as soon as it lands on Tutanota servers.

The court request

Therefore, the district court asked to Tutanota that the entire contents of the e-mails be sent out without end-to-end encrypted.

The company initially refused, however, five months later, the court ruled that Tutanota must hand over the data and imposed a fine of $ 1,000.

 

Now Tutanota has to program a new function for the prosecutors: If an account has a valid legal order from a German court, the company must also create a copy of the e-mails that the investigators can read.

Obiously, authorities still cannot read mails sent with end-to-end encryption between Tutanota users.

So what?

In this reddit thread on /r/privacytoolIO [1], Tutanota team attended the conversation, basically confirming concerns of privacy conscious users:

 

Hi there, Tutanota team here. We came across this discussion and would like to clarify some points:

 

• End-to-end encrypted emails are not affected.
• End-to-end encrypted data (calendar, contacts, etc) are not affected.
• This applies only to non-encrypted emails received/sent after the court has been issued.
• A valid German court order is required for this, 4 have been issued in the first half of 2019.

 

This applies only to non-encrypted emails received

 

So all emails received from every other email provider except for tutanota?

 

Yes, unless they use the e2e feature, which also works with external email addresses.

 

My 2 cents

 

In a privacy context, relying on just one security layer is wrong.

Thinking that with a secure provider your messages are secured and confidential means overstimate your privacy model.

So, reinforce every sensible message with an additional layer of security, using (for example) PGP encryption [2], suitable also from webmails and with providers less privacy-focused (like Gmail), using a specific browser extension [3].

 

References

 

1. Tutanota seems to be forced to provide access to emails soon.
2. The GNU Privacy guard
3. Mailvelope
4. Gericht zwingt E-Mail-Anbieter, Daten herauszugeben – Digital – Süddeutsche.de

 

Source

 

[mp68terr]

ProtonMail is likely working the same way.

Outgoing mails are encrypted but incoming mails from non-ProtonMail users are likely in plain-text before to be encrypted. Might have miss them but did not see (not aware of) Swiss court orders, as much as German ones.

[steven36]

12 minutes ago, mp68terr said:

Outgoing mails are encrypted but incoming mails from non-ProtonMail users

Only there encrypted if you send or receive the email to another  ProtonMail user .  same as if you use Tutanota if you know no one with a Tutanota it's no better then using a normal inbox  if they ask for info.  ProtonMail helped out the police before without court order even . Only thing its good for is use with other ProtonMail users . If its not encrypted the data is up for grabs .  The masses dont have these emails so being able to email with encryption  is niche to say the lest.