German encrypted email provider Tutanota must give access to the content of emails


A court decision forces the German encrypted mail service Tutanota to give investigators real-time access to the contents of unencrypted mails. Developers of the service now have to build in functionality for this.

A year ago, Tutanota received a letter from the Amtsgericht of Itzehoe in the German state of Schleswig-Holstein requesting that the police be given access to the contents of certain encrypted messages. The police wanted to see the contents of emails from criminals who use malware to blackmail companies in the state.

The criminals used an email address from Tutanota. This service provides end-to-end encryption if both sender and receiver have a Tutanota account. This means that messages are encrypted on the sender's device and only decrypted on the recipient's device. Tutanota itself then cannot view the content. If one of the two parties in an email conversation does not have an account with Tutanota, there can be no end-to-end encryption: the company encrypts a message as soon as it reaches its servers. Tutanota must provide on-demand access to this category of messages.

The company said it would not comply with the court’s request. “I thought the claim was wrong when we received the letter and I think it is still wrong today,” Tutanota director Matthias Pfau told Süddeutsche Zeitung. Earlier this year, the German court ruled that Tutanota must provide the data and pay a fine of 1,000 euros. Developers of the service are now creating a feature that will make copies of emails for police to read if a valid order comes in from a German court. This therefore does not concern message traffic between two Tutanota users that is protected with end-to-end encryption: no access can be given to it.

The mail service will not appeal the decision, because an appeal would have virtually no chance of success legally. The cause lies with the German Telekommunikationsgesetz, whose rules for access to communication are said to be too broad. Those rules are said to have originated in the provision of access to telephone lines by telecom providers, but according to case law they apply more broadly.

Last year, for example, the Berlin e-mail provider Posteo tried to defend itself against the transfer of customer IP addresses to the Public Prosecution Service. Posteo did not store these addresses at all, but at the end of January 2019 the judge ruled that the service must do this and release data at the request of authorities.
