German secure email provider Tutanota forced to monitor an account, after regional court ruling

German e2e encrypted email provider Tutanota has been ordered by a regional court to develop a function that allows it to monitor an individual account.

The encrypted email service provider has been fighting a number of such orders in its home country.

The ruling, which was reported in the German press late last month, contradicts an earlier Hanover court finding that Tutanota, a provider of web-based email, is not a telecommunications service.

The order by the Cologne court comes under a German law (known as "TKG") which requires telecommunications service providers to disclose data to law enforcement/intelligence agencies if they receive a lawful intercept request.

The Cologne court ruling also runs counter to a 2019 decision by Europe's top court, the CJEU, which found that another web-based email service, Gmail, is not an 'electronic communications service' as defined in EU law -- meaning it can't be subject to common EU rules for telcos.

Tutanota co-founder Matthias Pfau described the Cologne ruling as "absurd" -- and confirmed it's appealing.

"The argumentation is as follows: Although we are no longer a provider of telecommunications services, we would be involved in providing telecommunications services and must therefore still enable telecommunications and traffic data collection," he told TechCrunch.

"From our point of view -- and law German law experts agree with us -- this is absurd. Neither does the court state what telecommunications service we are involved in nor do they name the actual provider of the telecommunications service.

"The telecommunications service cannot be email, because we provide it completely ourselves. And if we were to participate, we would have to have a business relationship with the actual provider."

Despite the absurdity of a regional court treating an email provider as an ISP -- in apparent contradiction of earlier CJEU guidance -- Tutanota is nonetheless required to comply with the order, and develop a surveillance function for the specific inbox, while its appeal continues.

A spokeswoman for Tutanota confirmed it has told the court it will develop the function by the end of this year -- whereas she suggested its appeals process is likely to take "months" more to run its course.

"We are going to the higher court in parallel. We are already preparing an appeal to the Bundesgerichtshof [Germany's Federal Court of Justice]," she added.

The Cologne court order is for a surveillance function to be implemented on a single Tutanota account that had been used for an extortion attempt. The Tutanota spokeswoman said the monitoring function will only apply to future emails this account receives -- it will not affect emails previously received.

She added that the account in question appears to no longer be in use.

While after-the-fact monitoring seems unlikely to make any difference to the specific (extortion) case, the suspicion is the court wants to create a precedence -- raising the hackles of security watchers who are worried about the risk of digital service providers being compelled to bake backdoors into their services in the region.

Last month a draft resolution of the Council of the European Union triggered substantial concern that EU lawmakers are considering a ban on e2e encryption as part of an anti-terrorism security push. However the draft document discussed only "lawful and targeted access" -- while expressing support for "strong encryption".

Returning to the Tutanote surveillance order, it can only be made to apply to unencrypted emails linked to the specific account.

This is because the email service provider applies e2e encryption to its own users' content -- meaning it does not hold decryption keys so is unable to decrypt the data -- though it also allows users to receive emails from email services that do not apply e2e encryption (hence it can be compelled to provide that data in plain text).

However, if the EU were to legislate to compel e2e encryption service providers to provide decrypted data in response to lawful intercept requests, it would effectively outlaw the use of e2e encryption.

That's the scenario of most concern -- though no such law has yet been proposed by any EU institutions. (And would very likely face fierce opposition in the European parliament, as well as more broadly, from academia, civil society, consumer protection, and privacy and digital rights groups, among others.)

"According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox. Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us, not even after the court order," noted Pfau.

"Tutanota is one of the few mail providers that encrypts the entire mailbox, also calendar and contacts. The encrypted data cannot be decrypted by us, because only the user has the key to decrypt it."

"This decision shows again why end-to-end encryption is so important," he added.