Enough Is Enough: What Happens When Law Enforcement Bends Laws to Access Data Thumbnail
Encryption 30 March 2021

Enough Is Enough: What Happens When Law Enforcement Bends Laws to Access Data

By Matthias PfauGuest AuthorGuest Author
Tutanota co-founder Matthias Pfau explains how a recent court order is a wake-up call to end the encryption debate once and for all

In a world increasingly reliant on the Internet in our day-to-day lives, there’s no turning back on encryption.

Encryption is a critical security tool for citizens, businesses, and governments to communicate confidentially and reliably. In some professions, such as the health and legal sectors, encryption is a requirement to protect sensitive client information. Journalists also rely on encryption to securely communicate with sources, which is critical to guarantee the freedom of the press and free speech.

In fact, the right to privacy is enshrined in many democratic countries’ constitutions and is highly valued across societies. Strong encryption helps enable citizens to exercise that right.

But time and again, the user trust guaranteed by encryption finds itself under attack. My company, Tutanota, has recently found itself in the crosshairs – and our experience is a chilling lesson on why we need to stop the encryption debate once and for all.

Law enforcement agencies and governments are increasingly asking for access to data to catch criminals, they say, including when the data is encrypted. Some are even trying to force companies to create so-called backdoors to encryption so that the authorities can gain access to encrypted communications upon request. While we all want to prevent crime online, there simply isn’t a magic key that would give access to the “good guys” without also making sensitive user data available to anyone else that wants it – including criminals. Strong encryption is binary: it’s either on or off. It either works for everyone or for no one. Weakening encryption only for criminals is technically impossible.

When the Encryption Debate Hits Home

At Tutanota, an encrypted email service I co-founded based in Germany, we encrypt as much data as we can using end-to-end encryption. Contacts in the Tutanota address book, entries in the Tutanota Calendar, and emails sent from Tutanota accounts to other Tutanota accounts are all automatically end-to-end encrypted. While we encrypt all the data we handle inside of Tutanota end-to-end, the realities of email protocols mean we can encrypt emails that are sent with the standard unencrypted email protocol only after they reach our servers and then store them encrypted within the users’ mailboxes.

In Germany, law enforcement agencies have the power to require Internet Service Providers to hand out “live data” if compelled to by a judge. However, the underlying law for such an order does not apply to email services. Last year, German law enforcement officials demanded that Tutanota hand over the data from one of its users under this law. As we are not an ISP, we lodged objections against this order.

Despite precedent in the European Court of Justice and the underlying law, the Regional Cologne Court upheld the order to Tutanota based on the argument that we would be “involved in providing an Internet service.” While law experts agree that this argumentation is absurd as we provide the email service completely on our own – without having any contract with any ISP – the order was still upheld by the court. For this single account, we were ordered to copy unencrypted incoming and outgoing emails before they were encrypted.

Fortunately, the court order does not affect or undermine the security of the end-to-end encrypted emails in Tutanota. However, this approach to accessing unencrypted emails is disturbing on many levels. Two stand out in particular:

  1. Forcing a company to hand over data before it is encrypted significantly breaches the privacy and confidentiality that users expect.
  2. Granting access to data meant to be encrypted could set a dangerous precedent be used to force companies to compromise end-to-end encryption. 

That is why we are appealing against this before the German Federal Court

The Right to Privacy Includes the Right to Encryption

Tutanota was not built to protect criminals. It was founded to protect our right to privacy guaranteed in the German constitution. This means we must protect our users from any kind of snooping or requirements that would undermine their security and privacy – even if it is the government that wants to gain access to their private communication.

Preventing companies from offering the highest levels of security and privacy online puts businesses and users at incredible risk of harm. That’s why Tutanota is challenging the court’s decisions. We want to make sure that the ruling is not used as a precedent for German law enforcement agencies to force companies to undermine the security and privacy of their services.

What we need in today’s Internet is not less encryption, but more. We must remain vigilant to make sure that law enforcement agencies cannot bend the laws the way they want to get access to data. To uphold the right to privacy and security of users, granted to every citizen by the German constitution, we must all protect our rights to use strong encryption.

The European GDPR specifically mentions end-to-end encryption as the best tool to protect citizens’ data from various threats online. Germany as well as the European Union must make sure that neither service providers nor criminals can abuse citizens’ data stored online.

European citizens and businesses rely on unbreakable end-to-end encryption.

End Note: The Challenge of Interoperable End-to-End Encrypted Email

Email protocols have one unique benefit compared to encrypted messaging apps, which is also its greatest weakness: interoperability. You can send emails to everyone even when they use a completely different email service, or when they host their mail server themselves. This interoperability is the main reason why email, despite being invented in the 1970s, is still one of the most used communication tools.

Interoperability, however, also comes with its own challenges, including that it is very hard to properly secure the email protocol. Automatic end-to-end encryption of emails between different email services remains impossible to this day.

Image by Aneta Pawlik via Unsplash

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Strengthening the Internet 12 March 2024

Nevada Wants to Reduce Online Protections for Children: All Internet Users Should Benefit from Strong Encryption

Protect children online by supporting end-to-end encryption in Facebook Messenger. Join us in the fight against weakening online protection...

Strengthening the Internet 31 January 2024

Keeping Kids Safe Online: Navigating the New Parents’ Guide to Encryption

Do you know how you're keeping your kids safe online? Using encryption, there are simple changes you can make...

Encryption 21 September 2023

Techxit: The UK Declares Its Exit from the High-Tech Startup World

No one in their right mind would now want to start up a high-tech company in the UK. With...