Why are data protection laws important?
Tutanota encrypts your entire mailbox end-to-end so that no-one but yourself has access to your private mails. Tutanota protects your personal data to the maximum because we believe in everybody's right to privacy. As there is no law against whispering into someone's ear to hold a private conversation, in our opinion the same must be true for an online conversation. Tutanota's automatic end-to-end encryption allows you to do just that: Hold a private conversation online.
Due to the encryption in Tutanota no one can access your data, not even we can access your encrypted data. However, we do have access to metadata - sender and recipient of an email, date of emails sent. So even though we have very little data, it is important to know what German authorities can and cannot ask for and under what circumstances.
Mass surveillance vs. individual investigation
In democratic societies such as Germany, the law must allow the authorities to investigate criminals while at the same time protect citizens' right to privacy and freedom of speech. However in recent years, we regularly hear calls from politicians - also German politicians - to limit citizens' right to privacy for increased state surveillance powers to counter terrorism. Even though mass surveillance has been proven useless to fight terror, there are still politicians claiming to know better.
Fortunately there are also many institutions, particularly in Germany as we have experienced the injustice of living under all-round surveillance in East Germany, who do understand the necessity of privacy in a democratic society and its impact on freedom of speech.
German constitution guarantees right to privacy
Firstly, the right to privacy is guaranteed by the German constitution and, thus, regularly being defended by the Federal Constitutional Court in Germany. For instance, in 2008 German politicians introduced a data retention law. The Federal Constitutional Court declared this law as unconstitutional in 2010. In 2015, a new data retention law was introduced. The law explicitly states that the German data retention does not include email communication. Politicians hope that by excluding emails from the data retention law it will not be declared unconstitutional this time. The Federal Constitutional Court has yet to decide about this. However, the data retention law is not being enforced because of a court ruling that the law violates EU law.
Legal situation in Germany
In Germany there are several laws that force companies like Tutanota to protect their users' data from illegal access. Data privacy regulations in the European Union (EU) are among the strictest in the world, and among all European member states, Germany has one of the strongest policies: the Federal Data Protection Act (Bundesdatenschutzgesetz).
This law protects users of Internet services. It puts the user in charge of what should be done with their data: Companies (=we) are not allowed to collect any personal information without express permission from an individual (=you), (i.e. name, date of birth, IP address). In Germany there is no law that could force us to submit to a gag order or to implement a backdoor.
It is also noteworthy that the previous German Federal Data Protection Act already covered a lot of aspects of the new European General Data Protection Regulation (GDPR), which came into effect on May 25th 2018. This regulation requires that companies protect personal information they handle. Sending out personal information such as a private home address, bank details, or CVs of applicants could lead to fines under GDPR. It is recommended to protect mails containing personal information with proper end-to-end encryption.
Find out here how Tutanota can help you to make your company use GDPR compliant emails with built-in automatic encryption.
However, there are laws that allow authorities like the police forces to ask for data of suspects of a crime. There are three different kinds of data the authorities can ask for.
1. Inventory data
Personal data such as name, address and payment data are inventory data. In Germany, email service providers have an exceptional status when it comes to the storage of inventory data. Unlike telecommunications companies, email providers are not obliged to store inventory data (§ 111 TKG).
Thus, Tutanota can not be forced to collect and store inventory data. This is why we are able to not ask for any identifiable information upon registration so that you can use our secure mail service anonymously with a free account.
German law even explicitly calls on operators of data processing systems (§ 3a of the German Federal Data Protection Act) to avoid storing personal data whenever possible. § 3a of the Federal Data Protection Act – Data avoidance and data minimization:
"The collection, processing and use of personal data and the selection and design of data processing systems must follow the goal of collecting, processing and using as little personal data as possible. In particular, personal data are to be made anonymous or pseudonymous to the extent that this is possible according to the intended purpose."
When Can Inventory Data Be Requested?
If the data is available to a German mail provider, §113 TKG rules that the provider has to make the data accessible to German authorities if they deliver a request. Several authorities are allowed to ask for inventory data. Legitimate reasons for such requests are the persecution of criminal offences or the defense of public safety or order.
2. Traffic data
Traffic data consists of
- email addresses of sender and recipient
- IP addresses of mail servers
- size of delivered data
- start and end of connection
Email providers are only allowed to store these so called log-files for seven days and only for the following two purposes:
- for detecting, isolating and eliminating technical errors (§ 100, para. 1 TKG), for example, when sending or receiving emails,
- for detecting misuse of the system (§ 100, para. 3 TKG), e.g. by spammers.
Basically, traffic data refers to all data which is generated during a telecommunication process. Just like content data, traffic data is subject to the secrecy of telecommunications: A judge has to order that traffic data of an individual account has to be released to the authorities. Such a request is only issued when there is suspicion of a serious crime.
German law also does not permit traffic data to be stored solely for the purpose of law enforcement, thus, there is no data retention law for email providers in Germany. The authorities can only request data that is being stored for operational reasons. They are not allowed to ask us to collect additional traffic data.
According to the law, at Tutanota we only store the logs of the mail servers for seven days. This means we do not store individual ip addresses of the sender and the recipient, but only the ip addresses of the sending and receiving mail servers. This enables you to use Tutanota anonymously to protect your right to privacy when communicating online.
3. Content data
This term refers to your mails: subject, body and attachments. In Tutanota all mails are end-to-end encrypted and only you hold the decryption keys. So even when presented with a German court order, we can only pass on encrypted data.
When Can Content and Traffic Data Be Requested?
Content and traffic data can only be requested by a German judge (§ 94, para. 2 of the StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1 of the StPO) if a German court finds that there is a reasonable cause to suspect that an email account user has been committing a serious crime, that is for example bribery, dissemination, purchase and possession of pornographic writings involving children and juveniles or commercial handling of stolen goods. The law specifies that in case of imminent danger, the public prosecution also has this right. Supporting forces of the public prosecution are not authorized to request content data.
Monitoring of Content and Traffic Data (TKÜ)
The German judge can either issue a seizure of a mailbox or a monitoring of the mailbox (TKÜ), or both. A seizure order under criminal law (§ 94, para. 2 of the StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1 of the StPO) refers to the encrypted mailbox content. An order for monitoring a mailbox (TKÜ) refers to all emails received and sent from the relevant mailbox starting with the time of the order.
Beyond legality: Vault7 and Germany
The vault7 leaks revealed what has long been suspected by the security community: The CIA copies and stores the entire Internet traffic to use it for surveillance and spying purposes. This form of mass surveillance has been executed from the US-consulate in Frankfurt. What the CIA did is illegal under German law.
The CIA most likely picked Frankfurt for their attacks because this is where the DE-CIX internet exchange point is located. Through here all Internet traffic for Europe and its surroundings, including non-EU states is routed. This means that all internet traffic from the European continent, the Middle East and Africa is routed through Frankfurt making it a high-profile target to the CIA.
End-to-end encryption stops mass surveillance
If anything, Vault7 has proven how important end-to-end encryption is. It is very easy for secret services - not just the CIA - and malicious attackers to get access to not-encrypted internet traffic, copy it and scan it for important information. But when the data that is routed through Frankfurt, for example, is end-to-end encrypted, they copy only gibberish - data that they can not scan, can not use and can not abuse. Vault7 once again taught us that encryption is the top-notch choice when taking measures to protect your privacy.
Privacy is a basic human right and we at Tutanota fight to protect your privacy with encryption. We successfully defend your private communication against mass surveillance and illegal access by state agencies and attackers alike.
In addition, in Germany there is no law that could force us to submit to a gag order or to implement a backdoor.
For transparency reasons we want you to know the following: The content of your emails is protected with strong end-to-end encryption and will always stay private. However, German authorities have the ability to request traffic data and (if available) inventory data of individual accounts of suspected criminals.
You can find details on this in our Transparency Report.