Written by Shannon Vavra
A German regional court has ordered end-to-end encrypted email provider Tutanota to monitor an account belonging to a suspicious user in a blackmail case.
This is the latest surveillance-related court ruling that the email provider is fighting in court, and comes amid a larger and protracted campaign by governments around the world to weaken encryption. The US Department of Justice, for example, has coordinated with Australia and other countries in recent years to try to give law enforcement more access to encrypted data.
Tutanota said it plans to appeal the November ruling from a Cologne regional court, arguing it contradicts an earlier ruling from another German court. That first court, the Hanover Regional Court, determined earlier this year that Tutanota does not provide telecommunications services, suggesting that it cannot be compelled to monitor them under German law. The latest Cologne judgment could also contradict a 2019 judgment of the Court of Justice of the European Union that Gmail is not an electronic communication service.
In the meantime, Tutanota must comply with the court ruling, which means it must develop the surveillance feature by the end of the year, according to German IT magazine c’t.
Tutanota co-founder Matthias Pfau said the move would not affect other users’ emails, but could set a dangerous precedent for email security and privacy. If more similar cases emerge in the months and years to come, the concern is that this case could pave the way for more intrusive surveillance.
“This decision again shows why end-to-end encryption is so important,” Pfau said via email. “According to the decision of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing e-mails from a letterbox. End-to-end encrypted emails in Tutanota cannot be decrypted by us.”
The Cologne affair is rooted in the idea that encryption can thwart law enforcement investigations. Although Tutanota is not a telecommunications service provider, it is “involved in the provision of telecommunications services and therefore must always allow… data collection,” Pfau said.
“From our point of view – and German legal experts agree with us – this is nonsense,” Pfau said. “The court also does not state which telecommunications service we are involved in or name the actual provider of the telecommunications service.”
This is not the first time that German authorities have sought to increase their visibility on otherwise protected technologies.
German police in recent years used a so-called “state Trojan horse” virus to bypass encryption on suspects’ smartphones for law enforcement investigations, according to German media outlet Süddeutsche Zeitung. But in a victory for privacy advocates earlier this year, the German Constitutional Court ruled that mass telecommunications surveillance of foreign nationals outside Germany was unconstitutional. As a result, Germany’s foreign intelligence service BND must stop monitoring emails from foreign nationals abroad.
The decision marks a worrying moment for privacy advocates, according to Alex Vukcevic, director of protection labs and quality assurance at German security firm Avira.
“Tutanota is in a very unenviable position, where they offer a solution with excellent privacy protection, which must now be compromised in light of the decision taken by [the] tribunal,” Vukcevic said. “The implication here is clear: This is a continuing trend to open previously secure channels of communication for law enforcement around the world. As online privacy advocates, we see this development with suspicious eyes.”
The move could have dangerous national and economic security implications, according to Blake Moore, vice president of strategy and operations at Wickr.
“This case demonstrates a critical lack of understanding of the importance of E2EE [end-to-end encryption],” says Moore, who previously worked at Cyber Command in the US Department of Defense. “By forcing Tutanota to develop a monitoring function for the specific inbox described in the case, the court has set a dangerous precedent and seriously undermines efforts by governments and businesses to protect information through E2EE.”
The Tutanota decision comes as private sector entities around the world face pressure from multiple governments to provide law enforcement with means to access encrypted data. In October 2020, the US, UK, Australia, New Zealand, Canada, India and Japan issued a joint announcement advocating increased police access to encrypted data.
Encryption experts and cybersecurity practitioners, however, have called the efforts futile, saying that undermining encryption for certain targets, however specific, could weaken data protection for all users of the same service, and thus threaten national security.
Efforts to weaken encryption in the United States, which the Justice Department re-energized last year, have so far resulted in a slew of bills that have yet to be passed.
The Cologne decision is a reminder that security experts could call on governments to adopt better security policies, Istvan Lam, co-founder and CEO of Tresorit, the end-to-end encrypted file sharing tool, told CyberScoop.
“[T]his is yet another example of the growing pressure on end-to-end encrypted services, and a clear sign that there is still work to be done to properly categorize service providers and understand how end-to-end encryption works for the security of the digital economy,” says Lam, whose company has regional offices in Germany.
Correction, 12/10/20: The title of this article has been updated to clarify what Tutanota must do in response to a German court order. A previous version incorrectly said that Tutanota had to create a “backdoor”.