Of German Email Encryption Tool Tutanota and Other PETs

I’ve written updates before on encryption for communications and why the legal profession should be interested in tools and trends like encrypted ephemeral messaging, Edward Snowden’s warnings for legal professionals, and the upcoming Chrome extension for end-to-end email encryption.

Much of the whys and wherefores around encryption and Privacy Enhancing Technologies (“PETs”) and their place in legal practice are part of a broader conversation around lawyers’ digital competency — such as what Amy Salyzyn often writes about here on Slaw. This in turn engages the larger topic of internet security (and for a general background see this recent article written by folks at NYU Law which covers key moments of modern internet security history, from the so-called “crypto wars” to the post-Snowden era).

For lawyers, it is settled that using technology requires you to either have a reasonable understanding of the technology used in the lawyer’s practice or access to someone who has such an understanding. I say it’s settled because that is pretty much a direct quote from a Federation of Law Societies of Canada guideline issued thirteen years ago. But it sounds sort of, well, like a gigantic platitude.

What do we exercise when it comes to technological choice really? Can I exclude being an email user? Can I choose to run a practice without a computer? And what constitutes a reasonable understanding of these systems? 

Many (most?) of the communications technologies we use are mysteries to us non-expert users. We didn’t invite advances in technology, but they turned up and updated our devices with the newest firmware anyway. They brought electronic banking, e-discovery and electronic filing to us whether we asked for it or not. And who is choosing to be part of this “Internet of Things”? Or is that car you just bought and that new internet router, or that tablet you just downloaded apps on smuggling inter-connectivity into your life in ways you’re not really sure about? Did you choose to rely on a global cell phone system that uses SIM card technology that the NSA and GCHQ hacked? Or did that just happen to you, as it did for the other people who use AT&T, T-Mobile, Verizon, Sprint and 450 other wireless network providers around the world who got one of the 2 billion SIM cards produced by Gemalto last year?

Increasingly, and alarmingly, it seems a reasonable understanding (at least with respect to data privacy and security) is most fundamentally a recognition that we are vulnerable — probably in more ways than we appreciate, and probably in some way that your retainer should broadly disclaim if we use anything more advanced than a stapler in your office. But how is that protection? How is that anything but a pact of abnegation of risk?

Since there is only so much profit in preaching fear, I’ll focus on some tools and a couple of updates in the realm of Privacy Enhancing Technology that might materially contribute to client confidentiality.

Tutanota recently announced that it is leaving Beta as of March 24, 2015, claiming the company is “confident that no security issues remain in the code”. The encrypted email service lets you quickly engage in encrypted email correspondence. Tutanota (Latin for “secure note”) has iOS and Android apps, and uses a key that you arrange with your correspondents. It’s hosted on German data centers, was released as open source in September 2014, and while you are currently limited to an email on a Tutanota domain, you will soon be able use their encrypted webmail service using your own domain name — and according to their forums it may be as early as April or May this year.

Tutanota is one of a few encryption email services sprinting to the finish line. Last year I wrote about the Google “End-To-End” extension, but there is also the swiss-based Protonmail — which is still in Beta — as well as Lavaboom, which I have been trying to get beta access to for some time, but is also still under wraps.

As with all “zero knowledge” tools, these services don’t store your password/key on their servers, so the encrypted data is more secure from coerced access.

I’m also going to share a link to this list of major security software programs and operating systems. Perhaps a bit overkill, but depending on your clients, perhaps not. The list includes:

1. Tor, for browser security.
2. Tails operating system that runs from a USB stick or SD card on a host OS and avoids storing data locally.
3. SecureDrop, which is used by the Globe and Mail and is designed to allow journalistic sources to share documents without compromising themselves (SecureDrop just today announced a new release as 0.3).
4. VeraCrypt is a popular emerging variant of TrueCrypt which ceased enigmatically last year. These let you encrypt your hard disk if you’re using a conventional disk to store information.