The company Tutanota is one of the few mail providers that encrypt all incoming messages by default. Now a ruling by the Regional Court of Cologne is forcing the Hanover-based company to install a "back door" that allows investigating authorities to read the mails of individual customers in plain text.
In response to the ruling, Tutanota has already announced that it will file an appeal. However, the appeal does not have a suspensive effect. A press spokeswoman therefore explained to c't that development of the monitoring function has already had to begin. If the appeal is successful, the function will be removed from Tutanota's software again.
Regional Court of Hanover decides differently
Experts are surprised by the ruling of the Regional Court of Cologne. In the summer of 2020, the Regional Court of Hanover had ruled that Tutanota does not provide or participate in "telecommunication services" in the legal sense. Therefore, according to the judges' legal understanding, the company could not be forced to perform telecommunications surveillance. The decision of the Hanover judges was based on a landmark ruling of the European Court of Justice (ECJ) of 2019, according to which e-mail services are not communication services.
Deviating from this, the Cologne court held that Tutanota participates in the provision of telecommunication services and can therefore be forced to integrate a monitoring function into its service. According to c't, however, the verdict does not mention the name or the operator of the telecommunications service in which Tutanota is supposed to participate. Tutanota therefore calls the verdict "absurd".
Blackmail mail to automotive supplier
Specifically, the case concerns an extortion e-mail sent to an automotive supplier with a Tutanota account. The State Office of Criminal Investigation of North Rhine-Westphalia therefore wants to monitor the mailbox, and Tutanota is forced to integrate a corresponding option into its service by the end of the year.
According to Tutanota, the other users are not affected. Their mailboxes are still encrypted by default. Nevertheless, from the company's point of view, the monitoring function is a security and data protection risk for all users of the service, even if it is used only once.