There are only a handful of trusted end-to-end encrypted email providers. Of those, Tuta (which has long been known as “Tutanota” but recently rebranded ) is one of the more well-known. This week, the company found itself on the defensive after being labeled a “front” for law enforcement and intelligence services. In attempt to clear its name, the company released an official statement denying that it was a honeypot operation, after a former, highly placed Canadian intelligence official alleged in court that was the case.
The cop in question, Cameron Ortis, formerly ran a “highly secret unit” within the Royal Canadian Mountain Police, but is now on trial for allegedly having attempted to sell government intelligence to criminals, CBC reports.
Ortis has denied that he was actually attempting to sell state secrets. In his testimony, which was made public this week, Ortis instead said that he was involved in a special operation. As part of that operation, agents used Tuta, which he described as a “storefront”—or a kind of honeypot—to lure in prospective criminals for surveillance, he said. CBC describes the former government official’s allegations like this:
…according to Ortis, [another agent] briefed him about a “storefront” that was being created to attract criminal targets to an online encryption service. A storefront, said Ortis, is a fake business or entity, either online or bricks-and-mortar, set up by police or intelligence agencies. The plan, he said, was to have criminals use the storefront — an online end-to-end encryption service called Tutanota — to allow authorities to collect intelligence about them.
“So if targets begin to use that service, the agency that’s collecting that information would be able to feed it back, that information, into the Five Eyes system, and then back into the RCMP,” Ortis claimed during his testimony. Ortis was referencing the Five Eyes intelligence-sharing alliance, of which Canada is a prominent member.
Tuta has vehemently denied the allegations against it. In a blog post published Monday, the company stressed that there was no “backdoor” in its service and said that Ortis’ allegations were a “complete and utter lie”:
This weekend Tutanota was called a “storefront” and a “honeypot” – without any evidence. Tutanota – or now Tuta – is the encrypted email service with a focus on privacy, open source and transparency. It is not linked to any secret service and there is no backdoor included. It is not even necessary to trust our words, as our entire client code is published so that anyone can verify that there is no backdoor.
It’s true that Tuta hosts its client-side code on Github, though the company has never fully open-sourced its server-side code. The company has stated that this shouldn’t matter since all of its encryption occurs on the client side, and that’s what counts when it comes to user privacy. In its statement, Tuta added that it would be watching Ortis’ “case with great interest” and that it was “actively working with…[its] legal team to fight” the “slanderous claims” that had been made against it.
It’s not clear what evidence (if any) Ortis has that Tutanota is a “storefront,” as he’s claimed.
That said, the story is interesting for its connection to another episode involving law enforcement’s attempts to backdoor a well-known privacy service. One of the people that Ortis is accused of spilling government secrets to is Vincent Ramos, the former CEO of Phantom Secure—an encrypted phone company that police say frequently sold its devices to drug cartels and other crime syndicates. It was previously reported that the FBI once tried to force Ramos to install a backdoor into his software so that the agency could spy on Sinaloa Cartel members. Canadian law enforcement was notably involved in the investigation into Phantom Secure and Ramos and assisted with his arrest. In 2019, Ramos was sentenced to nine years in prison.