German e2e encrypted email provider Tutanota has been ordered by a
regional court to develop a function that allows it to monitor an
individual account.

The encrypted email service provider has been fighting a number of such
orders in its home country.

The ruling, which was reported in the German press late last month,
contradicts an earlier Hanover court finding that Tutanota, a provider
of web-based email, is not a telecommunications service.

The order by the Cologne court comes under a German law (known as “TKG”)
which requires telecommunications service providers to disclose data to
law enforcement/intelligence agencies if they receive a lawful intercept
request.

The Cologne court ruling also runs counter to a 2019 decision by
Europe’s top court, the CJEU, which found that another web-based email
service, Gmail, is not an ‘electronic communications service’ as defined
in EU law — meaning it can’t be subject to common EU rules for telcos.

Tutanota co-founder Matthias Pfau described the Cologne ruling as
“absurd” — and confirmed it’s appealing.

“From our point of view — and law German law experts agree with us —
this is absurd. Neither does the court state what telecommunications
service we are involved in nor do they name the actual provider of the
telecommunications service.

“The telecommunications service cannot be email, because we provide it
completely ourselves. And if we were to participate, we would have to
have a business relationship with the actual provider.”

Despite the absurdity of a regional court treating an email provider as
an ISP — in apparent contradiction of earlier CJEU guidance — Tutanota
is nonetheless required to comply with the order, and develop a
surveillance function for the specific inbox, while its appeal
continues.

A spokeswoman for Tutanota confirmed it has told the court it will
develop the function by the end of this year — whereas she suggested its
appeals process is likely to take “months” more to run its course.

“We are going to the higher court in parallel. We are already preparing
an appeal to the Bundesgerichtshof [Germany’s Federal Court of
Justice],” she added.

The Cologne court order is for a surveillance function to be implemented
on a single Tutanota account that had been used for an extortion
attempt. The Tutanota spokeswoman said the monitoring function will only
apply to future emails this account receives — it will not affect emails
previously received.

She added that the account in question appears to no longer be in use.

While after-the-fact monitoring seems unlikely to make any difference to
the specific (extortion) case, the suspicion is the court wants to
create a precedence — raising the hackles of security watchers who are
worried about the risk of digital service providers being compelled to
bake backdoors into their services in the region.

Last month a draft resolution of the Council of the European Union
triggered substantial concern that EU lawmakers are considering a ban on
e2e encryption as part of an anti-terrorism security push. However the
draft document discussed only “lawful and targeted access” — while
expressing support for “strong encryption”.

Returning to the Tutanote surveillance order, it can only be made to
apply to unencrypted emails linked to the specific account.

This is because the email service provider applies e2e encryption to its
own users’ content — meaning it does not hold decryption keys so is
unable to decrypt the data — though it also allows users to receive
emails from email services that do not apply e2e encryption (hence it
can be compelled to provide that data in plain text).

However, if the EU were to legislate to compel e2e encryption service
providers to provide decrypted data in response to lawful intercept
requests, it would effectively outlaw the use of e2e encryption.

That’s the scenario of most concern — though no such law has yet been
proposed by any EU institutions. (And would very likely face fierce
opposition in the European parliament, as well as more broadly, from
academia, civil society, consumer protection, and privacy and digital
rights groups, among others.)

“According to the ruling of the Cologne Regional Court, we were obliged
to release unencrypted incoming and outgoing emails from one mailbox.
Emails that are encrypted end-to-end in Tutanota cannot be decrypted by
us, not even after the court order,” noted Pfau.

“Tutanota is one of the few mail providers that encrypts the entire
mailbox, also calendar and contacts. The encrypted data cannot be
decrypted by us, because only the user has the key to decrypt it.”

“This decision shows again why end-to-end encryption is so important,”
he added.

https://techcrunch.com/2020/12/08/german-secure-email-provider-
tutanota-forced-to-monitor-an-account-after-regional-court-ruling/

On Thu, 14 Mar 2024 01:21:16 +0000, anonymous wrote:

>German e2e encrypted email provider Tutanota has been ordered by a
>regional court to develop a function that allows it to monitor an
>individual account.
>
>The encrypted email service provider has been fighting a number of such
>orders in its home country.
>
>The ruling, which was reported in the German press late last month,
>contradicts an earlier Hanover court finding that Tutanota, a provider
>of web-based email, is not a telecommunications service.
>
>The order by the Cologne court comes under a German law (known as “TKG�)
>which requires telecommunications service providers to disclose data to
>law enforcement/intelligence agencies if they receive a lawful intercept
>request.
>
>The Cologne court ruling also runs counter to a 2019 decision by
>Europe’s top court, the CJEU, which found that another web-based email
>service, Gmail, is not an ‘electronic communications service’ as defined
>in EU law — meaning it can’t be subject to common EU rules for telcos.
>
>Tutanota co-founder Matthias Pfau described the Cologne ruling as
>“absurd� — and confirmed it’s appealing.
>
>
>“From our point of view — and law German law experts agree with us —
>this is absurd. Neither does the court state what telecommunications
>service we are involved in nor do they name the actual provider of the
>telecommunications service.
>
>“The telecommunications service cannot be email, because we provide it
>completely ourselves. And if we were to participate, we would have to
>have a business relationship with the actual provider.�
>
>Despite the absurdity of a regional court treating an email provider as
>an ISP — in apparent contradiction of earlier CJEU guidance — Tutanota
>is nonetheless required to comply with the order, and develop a
>surveillance function for the specific inbox, while its appeal
>continues.
>
>A spokeswoman for Tutanota confirmed it has told the court it will
>develop the function by the end of this year — whereas she suggested its
>appeals process is likely to take “months� more to run its course.
>
>“We are going to the higher court in parallel. We are already preparing
>an appeal to the Bundesgerichtshof [Germany’s Federal Court of
>Justice],� she added.
>
>The Cologne court order is for a surveillance function to be implemented
>on a single Tutanota account that had been used for an extortion
>attempt. The Tutanota spokeswoman said the monitoring function will only
>apply to future emails this account receives — it will not affect emails
>previously received.
>
>She added that the account in question appears to no longer be in use.
>
>While after-the-fact monitoring seems unlikely to make any difference to
>the specific (extortion) case, the suspicion is the court wants to
>create a precedence — raising the hackles of security watchers who are
>worried about the risk of digital service providers being compelled to
>bake backdoors into their services in the region.
>
>Last month a draft resolution of the Council of the European Union
>triggered substantial concern that EU lawmakers are considering a ban on
>e2e encryption as part of an anti-terrorism security push. However the
>draft document discussed only “lawful and targeted access� — while
>expressing support for “strong encryption�.
>
>Returning to the Tutanote surveillance order, it can only be made to
>apply to unencrypted emails linked to the specific account.
>
>This is because the email service provider applies e2e encryption to its
>own users’ content — meaning it does not hold decryption keys so is
>unable to decrypt the data — though it also allows users to receive
>emails from email services that do not apply e2e encryption (hence it
>can be compelled to provide that data in plain text).
>
>However, if the EU were to legislate to compel e2e encryption service
>providers to provide decrypted data in response to lawful intercept
>requests, it would effectively outlaw the use of e2e encryption.
>
>That’s the scenario of most concern — though no such law has yet been
>proposed by any EU institutions. (And would very likely face fierce
>opposition in the European parliament, as well as more broadly, from
>academia, civil society, consumer protection, and privacy and digital
>rights groups, among others.)
>
>“According to the ruling of the Cologne Regional Court, we were obliged
>to release unencrypted incoming and outgoing emails from one mailbox.
>Emails that are encrypted end-to-end in Tutanota cannot be decrypted by
>us, not even after the court order,� noted Pfau.
>
>“Tutanota is one of the few mail providers that encrypts the entire
>mailbox, also calendar and contacts. The encrypted data cannot be
>decrypted by us, because only the user has the key to decrypt it.�
>
>“This decision shows again why end-to-end encryption is so important,�
>he added.
>
>https://techcrunch.com/2020/12/08/german-secure-email-provider-
>tutanota-forced-to-monitor-an-account-after-regional-court-ruling/

As the Tuta guys provide the encryption software,
you never can be sure it includes no backdoors.

Use standard PGP/GnuPG software and you're safe.

On Thu 14 Mar 2024 11:48 am, Nomen Nescio wrote:
> As the Tuta guys provide the encryption software,
> you never can be sure it includes no backdoors.

As the PGP/GnuPG guys provide the encryption software,
you never can be sure it includes no backdoors.

On Thu, 14 Mar 2024, Anonymous wrote:

> On Thu 14 Mar 2024 11:48 am, Nomen Nescio wrote:
>> As the Tuta guys provide the encryption software,
>> you never can be sure it includes no backdoors.
>
> As the PGP/GnuPG guys provide the encryption software,
> you never can be sure it includes no backdoors.
>
>
If you want to be safer, encrypt on your own computer and do not trust any
service that does it for you.

If you want to be even safer than that, move to pen and paper and one time
pads. ;)

Anonymous <nobody@yamn.paranoici.org> wrote:
>On Thu 14 Mar 2024 11:48 am, Nomen Nescio wrote:
>> As the Tuta guys provide the encryption software,
>> you never can be sure it includes no backdoors.
>
>As the PGP/GnuPG guys provide the encryption software,
>you never can be sure it includes no backdoors.

Then check out the source code and compile it yourself.

GnuPG for Developers <https://wiki.gnupg.org/>
<https://github.com/Wikinaut/utils/wiki#user-content-How_to_compile_GnuPG_gpg_from_the_sources>

On 3/13/2024 6:21 PM, anonymous wrote:
> German e2e encrypted email provider Tutanota has been ordered by a
> regional court to develop a function that allows it to monitor an
> individual account.

[snipped]

Instead of an encryption service, use PGP.

--
David E. Ross
<http://www.rossde.com/>

Demonstrators worldwide are demanding that Israel stop
fighting in Gaza. Why does it seem that no one is demanding
that Hamas stop fighting? And where are the demonstrations
against Russia fighting in the Ukraine.