Court rules encrypted email provider Tutanota must monitor messages in blackmail case
The Federal Court of Justice (BGH) in Germany has ruled that encrypted email provider Tutanota must monitor for three months the messages of accounts implicated in a blackmail case.
The decision, which impacts two accounts in all, comes months after the Regional Court of Cologne ruled that Tutanota must provide said emails. Tutanota had asked BGH to re-examine that decision given that Tutanota does not consider itself a telecommunications service and therefore should not be required to monitor them under German law.
The Cologne decision also appeared to contradict an earlier ruling from the Hanover Regional Court, which affirmed Tutanota did not provide telecommunications services, according to Tutanota.
BGH ruled late last month that the Tutanota request was admissible, but unfounded. BGH found that providers like Tutanota that provide “over-the-top” services are also considered to be providing telecommunications services under the Code of Criminal Procedure. The ruling only surfaced in German press in recent days.
BGH’s dismissal of Tutanota’s appeal means Tutanota must provide unencrypted incoming and outgoing emails of the two implicated accounts. But the legal circumstances surrounding the decision could set a precedent for broader surveillance for users of Tutanota and other email providers like it, Tutanota warned.
“We consider this decision to be absurd,” Tutanota told CyberScoop in a statement Friday.
The decision will only impact unencrypted incoming and outgoing emails, as Tutanota can’t decrypt data that has already been encrypted, Tutanota added. It also said this should serve as a warning that for customers interested in maintaining their privacy, encryption is paramount.
“This ruling shows again how important end-to-end encryption is,” Tutanota said. “All data transmitted without end-to-end encryption can be accessed by third parties.”
The decision comes as nations around the world have sought to weaken encryption to benefit law enforcement investigations. Just last October the U.S., U.K., Australia, New Zealand, Canada, India and Japan issued a joint announcement advocating for increasing law enforcement access to encrypted data. Other efforts to require tech companies to provide law enforcement access to encrypted devices and services have accumulated on Capitol Hill as well.