Transparency Report & Warrant Canary for the secure email service Tuta (formerly Tutanota)

2016-01-01 / Updated: 2024-01-01
Tuta's transparency report is updated every six months. Here you will find information on surveillance orders by German courts as well as our Warrant Canary. While in Germany a gag order like in the USA is not legally possible, we would like to give you peace of mind by publishing the Warrant Canary.
SIGN UP

The Tuta Transparency Report is updated every six months. We only release individual mailboxes if we receive a valid German court order. The encrypted data stored in Tuta mailboxes can not be decrypted by us.

Between the 1st of July 2023 and the 31st of December 2023 Tuta (formerly Tutanota) has

  • received requests for inventory data in 120 cases.
  • released inventory data in 6 case.
  • received requests for real time traffic data in 20 cases.
  • released real time traffic data because of a German court order in 12 cases.
  • received requests for stored content data in 19 cases.
  • released stored encrypted content data because of a German court order in 16 cases.
  • received requests for real time content data in 19 cases.
  • released real time content data because of a German court order in 10 cases.

Previous Transparency Reports

Between the 1st of January 2023 and 30th of June 2023 Tutanota has

  • received requests for inventory data in 116 cases.
  • released inventory data in 5 case.
  • received requests for real time traffic data in 15 cases.
  • released real time traffic data because of a German court order in 6 cases.
  • received requests for stored content data in 20 cases.
  • released stored encrypted content data because of a German court order in 16 cases.
  • received requests for real time content data in 9 cases.
  • released real time content data because of a German court order in 4 cases.

Between the 1st of July 2022 and 31st of December 2022 Tutanota has

  • received requests for inventory data in 89 cases.
  • released inventory data in 7 case.
  • received requests for real time traffic data in 33 cases.
  • released real time traffic data because of a German court order in 26 cases.
  • received requests for stored content data in 22 cases.
  • released stored encrypted content data because of a German court order in 15 cases.
  • received requests for real time content data in 16 cases.
  • released real time content data because of a German court order in 13 cases.

Between the 1st of January 2022 and 30th of June 2022 Tutanota has

  • received requests for inventory data in 98 cases.
  • released inventory data in 3 case.
  • received requests for real time traffic data in 26 cases.
  • released real time traffic data because of a German court order in 19 cases.
  • received requests for stored content data in 24 cases.
  • released stored encrypted content data because of a German court order in 11 cases.
  • received requests for real time content data in 21 cases.
  • released real time content data because of a German court order in 15 cases.

Between the 1st of July 2021 and 31th of December 2021 Tutanota has

  • received requests for inventory data in 121 cases.
  • released inventory data in 1 case.
  • received requests for real time traffic data in 27 cases.
  • released real time traffic data because of a German court order in 15 cases.
  • received requests for stored content data in 37 cases.
  • released stored encrypted content data because of a German court order in 24 cases.
  • received requests for real time content data in 30 cases.
  • released real time content data because of a German court order in 16 cases.

Between the 1st of January 2021 and 30th of June 2021 Tutanota has

  • received requests for inventory data in 109 cases.
  • released inventory data in 6 cases.
  • received requests for real time traffic data in 23 cases.
  • released real time traffic data because of a German court order in 13 cases.
  • received requests for stored content data in 32 cases.
  • released stored encrypted content data because of a German court order in 21 cases.
  • received requests for real time content data in 16 cases.
  • released real time content data because of a German court order in 12 cases.

Between the 1st of July 2020 and 31th of December 2020 Tutanota has

  • received requests for inventory data in 92 cases.
  • released inventory data in 2 cases.
  • received requests for real time traffic data in 20 cases.
  • released real time traffic data because of a German court order in 0 cases.
  • received requests for stored content data in 37 cases.
  • released stored encrypted content data because of a German court order in 34 cases.
  • received requests for real time content data in 18 cases.
  • released real time content data because of a German court order in 0 cases.

Between the 1st of January 2020 and 30th of June 2020 Tutanota has

  • received requests for inventory data in 93 cases.
  • released inventory data in 2 cases.
  • received requests for real time traffic data in 5 cases.
  • released real time traffic data because of a German court order in 0 cases.
  • received requests for stored content data in 24 cases.
  • released stored encrypted content data because of a German court order in 22 cases.
  • received requests for real time content data in 5 cases.
  • released real time content data because of a German court order in 0 cases.

Between the 1st of July 2019 and 31th of December 2019 Tutanota has

  • received requests for inventory data in 74 cases.
  • released inventory data in 5 cases.
  • received requests for real time traffic data in 27 cases.
  • released real time traffic data because of a German court order in 12 cases.
  • lodged objections against requests for real time traffic data in 12 cases*
  • received requests for stored content data in 35 cases.
  • released stored encrypted content data because of a German court order in 33 cases.
  • lodged objections against requests for stored encrypted content data in 33 cases*
  • received requests for real time content data in 12 cases.
  • released real time content data because of a German court order in 9 cases.
  • lodged objections against requests for real time content data in 9 cases*

* The Court of Justice of the European Union (CJEU) had decided on 13.06.2019 that internet based email services are not to be regarded as telecommunication services. Therefore we lodged objections against all requests that are based on the assumption that we are a telecommunication service.

Between the 1st of January 2019 and 30th of June 2019 Tutanota has

  • received requests for inventory data in 59 cases.
  • released inventory data in 3 cases.
  • received requests for traffic data in 15 cases.
  • released traffic data because of a valid German court order in 9 cases.
  • received requests for stored content data in 20 cases.
  • released stored encrypted content data because of a valid German court order in 18 cases.
  • received requests for real time content data in 4 cases.
  • released real time content data because of a valid German court order in 4 cases.

Between the 1st of July 2018 and 31th of December 2018 Tutanota has

  • received requests for inventory data in 93 cases.
  • released inventory data in 2 cases.
  • received requests for traffic data in 15 cases.
  • released traffic data because of a valid German court order in 6 cases.
  • received requests for content data in 19 cases.
  • released encrypted content data because of a valid German court order in 16 cases.

Between the 1st of January 2018 and 30th of June 2018 Tutanota has

  • received requests for inventory data in 64 cases.
  • released inventory data in 2 cases.
  • received requests for traffic data in 21 cases.
  • released traffic data because of a valid German court order in 15 cases.
  • received requests for content data in 15 cases.
  • released encrypted content data because of a valid German court order in 12 cases.

Between the 1st of July 2017 and 31th of December 2017 Tutanota has

  • received requests for inventory data in 44 cases.
  • released inventory data in 7 cases.
  • received requests for traffic data in 15 cases.
  • released traffic data because of a valid German court order in 8 cases.
  • received requests for content data in 5 cases.
  • released encrypted content data because of a valid German court order in 5 cases.

Between the 1st of January 2017 and 30th of June 2017 Tutanota has

  • received requests for inventory data in 23 cases.
  • released inventory data in 2 cases.
  • received requests for traffic data in 5 cases.
  • released traffic data because of a valid German court order in 2 cases.
  • received requests for content data in 4 cases.
  • released encrypted content data because of a valid German court order in 4 cases.

Between the 1st of July 2016 and 31st of December 2016 Tutanota has

  • received requests for user data in 25 cases.
  • released encrypted user data because of a valid German court order in 2 cases.

Between the 1st of January 2016 and 30th of June 2016 Tutanota has

  • received requests for user data in 30 cases.
  • released encrypted user data because of a valid German court order in 1 case.

Since Tutanota's launch in March 2014 until the 1st of January 2016 Tutanota has

  • received requests for user data in 15 cases.
  • released encrypted user data because of a valid German court order in 3 cases.

Warrant Canary

Tuta (formerly Tutanota) has never received any National Security Letters or FISA court orders, and we have not been subject to any gag order by a FISA court. We have never placed any backdoors in our hardware or software and have not received any requests to do so.

We publish our web client, desktop clients and iOS & Android apps as open source so that everyone can verify that Tuta (formerly Tutanota) does what we promise: Protect your encrypted emails to the maximum.



PS: The Transparency Report is updated every six months. The warrant canary is always up to date. If there was any request stated above, we would immediately take down the canary. However, such a request is not possible according to German law.

Guide to Types of Requested Data:

1. Inventory Data

Personal data such as name, address and payment data are inventory data. However, Tuta can not be forced to collect inventory data. This is why we are able to not ask for any identifiable information upon registration so that you can use our secure mail service anonymously with a free account. German law even explicitly calls on operators of data processing systems (§ 3a of the German Federal Data Protection Act) to avoid storing personal data whenever possible. § 3a of the Federal Data Protection Act – Data avoidance and data minimization: "The collection, processing and use of personal data and the selection and design of data processing systems must follow the goal of collecting, processing and using as little personal data as possible. In particular, personal data are to be made anonymous or pseudonymous to the extent that this is possible according to the intended purpose."

When Can Inventory Data Be Requested?

If the data is available to a German mail provider, the provider has to make the data accessible to German authorities if they deliver a request. Several authorities are allowed to ask for inventory data. Legitimate reasons for such requests are the persecution of criminal offences or the defense of public safety or order.

2. Traffic Data

Traffic data consists of:

• email addresses of sender and recipient

• IP address of the Tutanota client

• delivery time

Just like content data, traffic data is subject to the secrecy of telecommunications. Only German judges are allowed to request traffic data. This is only possible in case of serious criminal acts like murder, child pornography, robbery, bomb threats and blackmail (see § 100a StPO). By default, we don't record IP addresses of our users. Therefore, IP addresses can only be recorded for a single user account after we received a valid German court order for a real time monitoring (TKÜ), but not for the past. There is no data retention law for email providers in Germany.

3. Content data

This term refers to your emails: subject, body and attachments. All emails in Tuta are stored end-to-end encrypted and only you hold the decryption keys. Just like traffic data, content data can only be requested by a German judge (§ 94, para. 2 of the StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1 of the StPO) in case of serious criminal acts (see above for examples). A German judge can either issue a seizure of a mailbox or a real time monitoring of the mailbox (TKÜ), or both. A seizure order under criminal law (§ 94, para. 2 of the StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1 of the StPO) refers to the encrypted mailbox content. An order for real time monitoring of a mailbox refers to all emails received and sent from the relevant mailbox starting with the time of the order until a specified date (usually three months). In case of real time monitoring (TKÜ), we have to provide contents of emails. Emails that are sent end-to-end encrypted with Tuta can only be delivered in encrypted form. Emails that are sent unencrypted are delivered in plain text if they arrive after we have received a valid German court order for a real time monitoring (TKÜ). Plain text emails that have arrived before that have already been encrypted on the server and cannot be decrypted by us.

SIGN UP
Author
Black and white picture of Matthias thinking and looking to the right side.
Matthias is co-founder and developer of Tuta, focusing on backend development, architecture and email processing. He writes code and political comments to fight for our human right to privacy. He wants to create an encrypted cloud collaboration platform which is so easy to use and so secure that it locks out all the spies. We all deserve a better internet - one where privacy is the default.
Top posts
Threat Modeling In 2024: Your Guide For Better Security
10 Best Private Email Services in 2024
Google Pays 1150 Times More for Its Search Monopoly Than for Lobbying in the EU & US
Why Use A Password Manager - And Our Top 3!
Anonymous email: Create an email address without a phone number.
The Illusion Of "Swiss Privacy" Being The Best
10 best free email accounts in 2024
Latest posts
The Russian Hacker Group Sandworm is Back: New Kapeka Malware Secretly Infecting Systems Since 2022
Google Search Is A Problem: How Google Is Crushing Tuta.
20 years ago Gmail revolutionized email. It’s time for a new revolution!
If You Want Privacy, the US Congress Is Saying You Are A Criminal
Terminate subscription
Company
Community
Team
Jobs
Terms
Privacy
Legal notice
Development
Changelog
Roadmap
Security
Encryption
Open Source
GitHub
Features
Secure Email
Encrypted Calendar
Business
Support
Forum
Press
Support
Language
English
Translate