> Tutanota will Beschwerde gegen den Beschluss einlegen, diese hat jedoch keine aufschiebende Wirkung
Tutanota wants to appeal in court against this, but is forced to comply (right now).
> "Tutanota sieht sich nun gezwungen, bis Jahresende eine Funktion zu programmieren...dieses Postfach zu überwachen."
Tutanota sees no other possibility than to program a function (until the end of the year) that can monitor this inbox.
and that nothing else will change for the other users
> "Für die anderen Nutzer soll sich dadurch nichts ändern, ihre Mails sollen weiter standardmäßig verschlüsselt werden"
For other users nothing changes.
> "betrifft die Überwachungsmaßnahme nur die neu eingehenden unverschlüsselten E-Mails"
Only the new mails will be stored unencrypted. Already encrypted mails can't be unencrypted and it's only for this inbox.
> Für die anderen Nutzer soll sich dadurch nichts ändern, ihre Mails sollen weiter standardmäßig verschlüsselt werden. Gleichwohl sieht Tutanota eine einmalige Umgehung der Verschlüsselung als Datenschutz- und Sicherheitsrisiko für letztlich alle Kunden an.
For other users nothing changes. Tutanota sees through this "onetime" circumvention of the encryption a big risk in data protection and security for all other users.
And I agree. I won't feel good using a secure mail provider that promises to encrypt all my mails so that nobody else can read them, knowing they once had to implement a backdoor to circumvent exactly that.
It's not decrypting mails. Right now it looks like every incoming mail is encrypted with the public key of the recipient. What they need to do is more in the line of
def encrypt_mail(email):
if email.user=="badperson":
store(email)
else:
store(encrypt(email))
Rather stupid to be honest since it's not obvious how new mails could help the car salesman (don't know what zulieferer should be in english... supplier?) in any way shape or form. Or do they want to know if the blackmailer sends more blackmails? Don't know, don't care. I'm just always shocked how such verdicts come to be.
They will do what reddit did, keep "sensitive" additions to your system closed, and if you are not distributing it, you are not required to publish it. Just watch out for AGPL.
I mean if your code is open source, and you get an order to insert a backdoor of some kind, how can you put the backdoor in the open source code without violating a nondisclosure clause in the government’s order?
Law overrides contract, so if distributing those changes is prohibited, then not distributing those changes to code is not a violation of the open source licence, the relevant clauses of the licence contract can not be legally binding.
So you'd just [be required to] keep a non-open fork of that code even if the license (e.g. AGPL) would prohibit that.
I don't think a law requiring you to not distribute the changes overrides the license clauses terminating your license for not distributing them? It's not the license givers problem that you can't comply with the license, don't use it then?
Of course, not using that license and stopping the use of that code is also a completely valid (though costly) option.
If the licence giver believes that you're violating the contract, they are free to try and enforce that contact in court. A German court would almost certainly rule that the clause is unenforceable at least as it applies to that particular order-related modification (the licence requirements would still be valid for unrelated modifications). There is a nontrivial legal question whether that would imply that the requirement voids the licence as a whole or just the specific clause. Specific terms (e.g. AGPL clause 12) may suggest that it would void the whole licence, but I wouldn't be certain on how German courts would consider it given these specific circumstances; a German lawyer might have a good idea but I do not.
But in any case, contractual obligations are not an excuse for noncompliance with other legal requirements. If it does turn out that executing the order is incompatible with a particular license, then you must execute the order anyway and decide what's the best way to handle the consequences. Breaching a contract is a legally valid option as well, and in some cases that may even be the best option, if the expected liabilities/damages are less than the consequences of complying with it.
Tutanotas business is predicated on privacy, and on relying on open source. If the government requires them to disconnect from both, they are destroying the entire business. Imagine if they lost the right to use their foss systems because of this and the cost of starting a closed source replacement. Tutsnkta will already vanish overnight from every single privacy respecting app list. They could get sued for misrepresentation also. Shouldn’t the government at least be liable for compensating them for damages?
This is sever-side code, so you handle this email address the same way you handle other secrets, like your database password: put them in configuration instead of hardcoding them.
With end-to-end encryption, where encryption happens in an open source client, this conflict would be more interesting.
Unless you can prove your running copy is the same as the provided code (which is pretty hard for server software), you can always keep a private forked copy with the backdoor and run that
Not a lawyer and I am just speculating but in the US I believe it would likely result in the court compelling the maintainer of the libraries in question to comply with the original order, or issue new orders to compel the parties in question given the new information.
Forks are generally required to maintain the original licensing of the originating source. That would be like taking part of the Windows source code and "forking" it with the only change being the licensing. Just because you forked it and changed the license doesn't make it true.
Also: what would forking have to do with anything? If youre compelled to put a backdoor in code to be able to intercept messages from a particular person, a better argument would be to just say "lol idk how 2 do codez" as opposed to "lol im gonna fork, fuck off"
German native here. Your translation is mostly correct.
The court seems to have forced Tutanota to store new incoming non-encrypted emails in plaintext for a specific mailbox that was used to blackmail an automotive supplier.
But the article is not entirely clear on whether that is for that specific mailbox only. At one point, the article mentions that storing emails in plain text could be used on "specific mailboxes" (plural).
> Ein Urteil des Landgerichts Köln zwingt das hannoversche Unternehmen nun jedoch zum Einbau einer Funktion, mit der Ermittler einzelne Postfächer überwachen und Mails im Klartext lesen können.
IANAL, but if I am not mistaken, German law requires telecommunication providers (above a certain threshold) to provide law enforcement with a way to look into customer communication via the provider. Meaning here, they need to implement a way for law enforcement to look into any mailbox they can come up with a warrant for.
> So hatte im Sommer das Landgericht Hannover entschieden, dass Tutanota im rechtlichen Sinn keine „Telekommunikationsdienste“ erbringt oder daran mitwirkt – und deshalb auch nicht zur Telekommunikationsüberwachung verpflichtet werden kann
In the summer the Landgericht Hannover judged that Tutanota isn't a "Telekommunikationsdienste" (telecommunication providers) and they also don't take part in one. That is why Tutanota calls bullshit.
> Das Kölner Gericht sieht Tutanota dennoch als „Mitwirkenden“ bei der Erbringung von Telekommunikationsdiensten. Folglich müsse das Unternehmen die Überwachung ermöglichen.
Cologne now says the opposite and says they "take part" in providing telecommunication without clarification.
>The court seems to have forced Tutanota to store new incoming non-encrypted emails in plaintext
This makes sense as AFAIK Tutanota messages between users are encrypted on the client side, not the server side. I guess they could try to backdoor that too but I'd think someone would be able to sniff that in the network traffic?
You are missing the entire point of why this is a horrible thing to begin with! They have to develop new encryption circumvention technology for this one surveillance which weakens encryption for everyone using the encryption technology.
Its exactly like if you were to force the creator of PGP to build a backdoored version of PGP with the right windows signatures or something. You could just say, "it will only be for new emails for the specific mailbox, as the rest are already encrypted", but then you are missing the point entirely.
BTW germany is currently in the process of shoving a new law though the EU which will effectively destroy all encrypted services in europe (by means of forcing backdoors/secondary keys). Just for context.
My German is extremely rusty, but the whole dispute here seems to stem from the discussion wether or not the company has to comply with what we normally call 'lawfull-intercept' as part of telecom regulations. They contest the notion that they are a telecom provider.
It’s not so late here in Europe yet. At least not for hackers :) And there ought to be some German-speaking persons over the pond as well. We’ll see :)
> "Tutanota sieht sich nun gezwungen, bis Jahresende eine Funktion zu programmieren...dieses Postfach zu überwachen."
and that nothing else will change for the other users
> "Für die anderen Nutzer soll sich dadurch nichts ändern, ihre Mails sollen weiter standardmäßig verschlüsselt werden"
As other users have pointed out, it will only be for new emails for the specific mailbox, as the rest are already encrypted
> "betrifft die Überwachungsmaßnahme nur die neu eingehenden unverschlüsselten E-Mails"
We may have to wait until tomorrow for some more native speakers to wake up and translate.