leowolfert - Fotolia

Encrypted mail service Tuta says it was wrongly accused of being a front for intelligence services

German encrypted email service Tuta, formerly known as Tutanota, has denied claims by a former Canadian police intelligence officer accused of passing secrets to criminals that it was compromised by intelligence services

A German encrypted email service has denied claims by a former Canadian police intelligence officer under trial for selling sensitive secrets to criminals that it acted as a “storefront” for law enforcement and intelligence agencies.

Cameron Ortis, a former Royal Canadian Mounted Police (RCMP) intelligence officer, who is charged with allegedly passing on sensitive operational information, claimed in a court hearing that the email service, Tutanota, was lined up to collect intelligence on organised criminals.

The claims were categorically denied by the encrypted email provider, now renamed Tuta, which said the allegations were “completely false”.

“Tutanota and Tuta has never and will never operate a ‘storefront’ for any intelligence or law enforcement agency. This would completely contradict our mission as a privacy protection organisation,” the company said in a statement.

Storefront aimed to attract criminals

In court transcripts released on Friday 10 November, Ortis testified that he had been approached by a counterpart at a foreign intelligence agency with information about an encrypted messaging service that was being used as a “storefront” for intelligence agencies.

He told the court in Ottawa that a storefront was a fake business, either online or bricks and mortar, covertly set up by an intelligence or law enforcement agency.

“The common goal is to attract criminals or targets of different kinds of investigations to that storefront in order for them to engage in their services,” Ortis told the court.

Ortis, former director general of RCMP’s National Intelligence, told the court that he was approached by his counterpart at a foreign agency in autumn 2014.

He said he was briefed that a storefront was being set up to attract targets to an online encrypted email service, Tutanota, to gather intelligence.

He said the foreign agency would be able to feed the intelligence, including intercepted emails, through the Five Eyes intelligence network – a collaboration between the US, UK, Canada, Australia and New Zealand – back to the Royal Canadian Mounted Police.

The information that would be gathered was compelling and demonstrated clearly a direct and grave threat, he said.

“I could corroborate much of the information by looking at existing OR [Operation Research] files and RCMP holdings,” he said in the hearing on 3 November. “I was given a strict caveat not to share the information with anyone,” he added.

No basis for claims

Tuta, formerly known as Tutanota, said there was no basis for Ortis’s claims. The company said its entire source code is published on GitHub, and can be peer reviewed to ensure there are no hidden backdoors in Tuta’s end-to-end encryption.

According to Tuta’s transparency report, the company only responds to court orders issued by German courts.

It publishes a “warrant canary” confirming that its services have not been subjected to an order from the US National Security Agency and that its encryption has not been subject to any backdoors.

Tuta has received orders from German courts to hand over inventory data, which can include banking data, credit card data and PayPal usernames, and real-time metadata, which can include the email addresses of the sender and receiver of emails, and the time messages were sent, but not the content.

The email service has also been ordered to disclose encrypted emails, however Tuta points out that it does not have access to decryption keys and is unable to handover decrypted messages.

“The key is encrypted with the user’s password. We never know the password as only a hash of the password is transmitted to the server. Thus, we cannot know the decryption key,” said Tuta spokesperson Hanna Bozakov.

Phantom Secure

Prosecutors allege that Ortis used his position in a secret unit within the RCMP to attempt to sell intelligence gathered by Canada and the Five Eyes to people linked to organised crime.

Ortis has been accused of sharing information with Vincent Ramos, the CEO of Phantom Secure, a Canadian company that made encrypted BlackBerry phones for use by criminals.

Canadian, Australian and US law enforcement agencies took down Phantom Secure in a joint operation in March 2018. Ramos pleaded guilty to racketeering and was sentenced to nine years.

The RCMP arrested Ortis in September 2019, when he was charged with seven counts under the Security of Information Act (SOIA) and the criminal code.

The charges, which Ortis has denied, included unauthorised communication of special operational information, in breach of the SOIA, and preparatory acts, which included those for the unlawful and unauthorised communications of safeguarded information.

Ortis was also charged with breach of trust by a public officer and unauthorised use of a computer under the Canadian Criminal Code.

Read more on Privacy and data protection