The e-mail provider Tutanota can be forced by court order to publish messages from its customers unencrypted to investigators. This became known through research by "Süddeutsche Zeitung", NDR and WDR. The start-up from Hannover presents itself as "the world's most secure e-mail service." As a German-based company, however, it faces a legal situation that makes it even difficult for providers who deliberately collect little data about their customers makes to withdraw inquiries from investigators.
The district court of Itzehoe had reported to Tutanota at the beginning of October 2018: Managing Director Matthias Pfau had been asked by a letter to enable investigators to read certain e-mails from a customer in real time, according to the reports. The request involved inbound and outbound email that is not end-to-end encrypted, but which is protected from outside access by Tutanota servers using corporate-grade encryption. On the other hand, Tutanota can not decrypt the contents of messages that use end-to-end encryption because both parties are using the service.
Background of the court claim were according to the WDR ransomware attacks on companies from Schleswig-Holstein, where a mail address of Tutanota was used. This address wanted to monitor investigators. Reference was made in the context of the request to § 100a of the Code of Criminal Procedure and § 110 of the Telecommunications Act (TKG), it is said. The TKG regulates which data providers must pass on, but it is in many respects outdated or vague.
Matthias Pfau initially refused to comply with the demand of the district court. Then, however, the court ruled that Tutanota had to hand over the data and imposed a 1,000 euro fine - and the Federal Constitutional Court ruled that Peacock moved not to fight back.
A problematic verdict for privacy-oriented services
In a legal dispute over the Berlin-based provider Posteo, the Federal Constitutional Court ruled in January that mail providers must be able to issue IP addresses of their customers to prosecutors - even if they do not want to levy them, as in the case of Posteo. Similar to Tutanota, Posteo also promotes customers for its mailboxes with a focus on data economy and IT security. Posteo announced after the judgment from Karlsruhe an "architectural solution" that "does not affect the safety and the rights of our customers".
Tutanota reacted to the conflict with the district court Itzehoe with a new function, it is said in the media reports: If an account for a valid order of a German court is present, the enterprise could in addition a copy of not end-to-end encrypted emails that investigators can read. Retroactively, however, such copies could not be created - and the contents of end-to-end encrypted mail remained unreadable for Tutanota and investigators.
The Spiegel said Matthias Pfau, the described function exist at Tutanota since June. It is selectively and only for individual accounts turned on, if there is a corresponding valid court order. "We try to protect privacy as much as possible and are therefore not happy to have to install such a feature," says Pfau.
Practically, the feature was already used. This can be seen in Tutanota's latest Transparency Report, which informs customers about regulatory inquiries from the first half of 2019. There are four requests for "real-time content data" the speech. And it also means that in four cases "real-time content data" was issued due to a valid court order. Once it should have gone to the mailbox, which was associated with the ransomware attacks in Schleswig-Holstein, told the SPIEGEL.
