
German secure email provider Tutanota forced to monitor an account, after regional court ruling

Natasha Lomas
Senior Reporter, TechCrunch
December 8, 2020

A German court has mandated that Tutanota, a provider of end-to-end encrypted email services, create a feature enabling the monitoring of a specific user account.

The email service has been actively contesting similar directives within Germany.

This recent decision, publicized in German news outlets last month, contrasts with a previous ruling from a Hanover court which determined that Tutanota does not qualify as a telecommunications service.

The order originates from a Cologne court and is based on German law (“TKG”) that requires telecommunications providers to share data with law enforcement and intelligence agencies when presented with a valid legal request.

The Cologne court’s decision also diverges from a 2019 ruling by the Court of Justice of the European Union (CJEU), which established that Gmail, another web-based email service, does not fall under the definition of an ‘electronic communications service’ as outlined in EU law—and therefore isn’t subject to standard EU regulations for telecommunications companies.

Matthias Pfau, a co-founder of Tutanota, characterized the Cologne ruling as “absurd” and confirmed that the company is filing an appeal.

“The reasoning presented is this: Despite no longer being classified as a telecommunications service provider, we are purportedly involved in the provision of such services and must therefore facilitate the collection of telecommunications and traffic data,” he explained to TechCrunch.

“From our perspective—and legal experts specializing in German law concur—this is illogical. The court fails to specify which telecommunications service we are involved in, nor does it identify the actual provider of that service.

“Email itself cannot be the telecommunications service in question, as we provide it entirely independently. Furthermore, any participation on our part would necessitate a business relationship with the true provider.”

Despite the perceived inconsistency of a regional court classifying an email provider as an Internet Service Provider—seemingly in opposition to prior CJEU guidance—Tutanota is obligated to adhere to the order and develop a surveillance capability for the designated inbox, pending the outcome of its appeal.

A Tutanota spokesperson stated that the company has informed the court it will implement the function by the end of the current year, while noting that the appeals process is anticipated to extend for “several months.”

“We are simultaneously pursuing a case in a higher court and are already preparing an appeal to the Bundesgerichtshof [Germany’s Federal Court of Justice],” she added.

The Cologne court’s order pertains to the implementation of a surveillance function on a single Tutanota account that was reportedly used in an extortion attempt. The spokesperson clarified that the monitoring function will only apply to incoming emails to this account going forward—previously received emails will remain unaffected.

She also indicated that the account in question does not appear to be currently in use.

Although monitoring past communications is unlikely to impact the specific extortion case, concerns are rising that the court intends to establish a precedent, prompting worry among security experts about the potential for digital service providers being compelled to incorporate backdoors into their services within the region.

Recently, a draft resolution from the Council of the European Union sparked significant concern that EU legislators are considering a prohibition on end-to-end encryption as part of a broader security initiative aimed at combating terrorism. However, the draft document focused on “lawful and targeted access” while still affirming support for “strong encryption.”

Regarding the Tutanota surveillance order, it can only be applied to unencrypted emails associated with the specified account.

This is due to the fact that the email service employs end-to-end encryption for its users’ content, meaning it does not possess the decryption keys and is therefore unable to decrypt the data—although it does allow users to receive emails from services that do not utilize end-to-end encryption (and can thus be compelled to provide that data in a readable format).

However, if the EU were to enact legislation requiring end-to-end encryption providers to supply decrypted data in response to lawful intercept requests, it would effectively render the use of end-to-end encryption illegal.

This potential scenario is the primary source of concern, although no such law has yet been proposed by any EU institution. (Such a law would likely encounter substantial opposition within the European parliament, as well as from academic, civil society, consumer protection, and digital rights organizations, among others.)

“Based on the Cologne Regional Court’s ruling, we are required to release unencrypted incoming and outgoing emails from a single mailbox. Emails that are end-to-end encrypted within Tutanota cannot be decrypted by us, even with a court order,” Pfau explained.

“Tutanota is among the few email providers that encrypts the entire mailbox, including calendar and contacts. This encrypted data remains inaccessible to us, as only the user holds the decryption key.”

“This decision underscores the critical importance of end-to-end encryption,” he concluded. 
