In Tuta’s October 21st, 2025 blog[1] they talk about a U.S. “Government encryption backdoor”.
Snippet
Beginning of this year, this government backdoor was debated heavily and for a short while it looked like Section 702 could expire at the end of December 2024, but US officials reauthorized it for two more years. So the government backdoor to encryption in the US still exists.
What specific back door are they referencing? I’ve found no further specifics in the blog.
I missed it being an encryption backdoor somehow. I’m not sure if that’s really accurate, but my understanding is that it is a backdoor in the sense that it provides a loophole for spying on Americans “incidentally” and without warrants.
I’m not aware of any technical or explicit encryption backdoor there, but I might just be uninformed.
Though, in the case of public key cryptography, maybe you could extrapolate that a man in the middle attack could be conducted? But that feels like a stretch.
Yeah, the law in question also mainly talks about using data from existing (software company’s?) databases but I wouldn’t put it past the NSA to be intercepting HTTPS traffic armed with a Root CA’s private key but that’s a whole other discussion.
Tuta has made a mistake with this statement and should issue a correction. Given they are a German company this is likely a language issue or just a good old fashioned typo.
In any case, it is factually incorrect as written.
@Tuta_Official was “Government encryption backdoor” a mistake in your latest blog[1], or did you just mean that the U.S. government has access to a lot of data about people?
IMO, the folks here are being very generous toward Tuta. The inaccuracies and misleading text surrounding Section 702 in that blog post suggest a misunderstanding of basic concepts and lack of editorial oversight. This is very disappointing and damaging to Tuta’s reputation as a serious secure service provider. I hope they fix this soon so as to limit the damage.
I try to extend a lot of grace for a mistake, especially from folks with otherwise good reputations.
The real test is how they react once the mistake is brought to their attention. If they acknowledge it and correct it, that’s fantastic. If they double down… well, then they fail the test and lose all credibility.
I once told Tuta about a mistake they did
They acknowledged it
But they didn’t change it
Maybe they are careful now after that but
At best they just barely passed the test, at worst they would have already lost the credibility
I decided to reach out directly to get this settled as I would love to see what they really meant and I can easily envision them not visiting this forum and seeing this thread.
But they didn’t change it
I referenced this thread suggesting that they can reply publicly here if they wish.
Either this was written by AI, or it is just very rushed. Another mistake here:
At present, Chat Control has been put on hold in the EU Commission since Hungary could not get a majority due to opposition from the Netherlands.
I don’t remember if this statement was true before, but in any case Hungary presided over the council back in 2024. That’s why it seems written by AI, with outdated knowledge.
What a great discussion - and very sorry about the mistake in our blog post. We’ve now updated to this. Curious to hear your thoughts!
Government overreach
Though not a government encryption backdoor, overreach from the authorities that amounts to illegal surveillance has existed for a long time already in the USA. And it went quite unnoticed… Under FISA Section 702 the NSA can scoop up foreign communication in bulk. FBI Director Wray even admitted that the FBI uses this information to run so-called backdoor searches for investigations on US citizens - without getting a warrant for these searches. In 2024, this backdoor access for the US government institution, the FBI, was up for debate, but, unfortunately, nothing changed.
In the US, the NSA is known for its immense surveillance power. What is less known is that the FBI can easily access NSA data scoops, collected under the Foreign Intelligence Surveillance Act (FISA). The FBI can use this data to investigate US citizens. Section 702 allows the Feds to warrantlessly spy on foreigners to prevent crimes and terrorists’ attacks. However, chat messages, phone calls, texts, and emails of US citizens communicating with a foreigner are also monitored and kept in a database that the FBI, CIA and NSA can sift through without a warrant.
At the beginning of 2024, this government overreach into citizens’ data was debated heavily and for a short while it looked like Section 702 could expire at the end of December 2024, but US officials reauthorized it for two more years.
The FBI was heavily lobbying to keep unlimited access active. FBI director Christopher Wray said:
“A warrant requirement would amount to a de facto ban, because query applications either would not meet the legal standard to win court approval; or because, when the standard could be met, it would be so only after the expenditure of scarce resources, the submission and review of a lengthy legal filing, and the passage of significant time — which, in the world of rapidly evolving threats, the government often does not have.”
In other words: most FBI searches via Section 702 to investigate US citizens are not supported by probable cause. This on its own should be enough to stop the FBI from using this database of citizens’ data.
Warrantless searches of NSA collections by the FBI are another proof of how access - once it is there - will be used, and why backdoors to encryption would undermine everybody’s security and right to privacy.
Thank you for correcting the text (and restoring my faith in Tuta)! It seems to me that you have adequately addressed the factual errors in the original post.
I still think it is possible that someone who is unfamiliar with the concepts of this post could be confused by the US government’s overloading of the word “backdoor” in the term “backdoor search” (which I believe was probably the root of the problem in the original text). Maybe put “backdoor searches” in quotes to emphasize that this usage of “backdoor” is unrelated and (IMO) less-than-standard. But I am nitpicking at this point – feel free to ignore.
Suggestion:
Under FISA Section 702 the NSA can scoop up foreign communication in bulk. FBI Director Wray even admitted that the FBI uses this information to run so-called “backdoor searches” (unrelated to encryption backdoors) for investigations on US citizens - without getting a warrant for these searches. In 2024, this access for the US government institution, the FBI, was up for debate, but, unfortunately, nothing changed.
We are grateful that your team took time to implement this fix.
FISA, at least in theory, has implemented protections against incidental collection of American personal data. For example, there are so-called procedures for whoever is collecting the data in bulk to minimize incidental collection and remove it. Given what we know from the Snowden disclosures, it is very likely that some government agencies did this without properly minimizing incidental collection, which is illegal.
If there is damning evidence that an American’s data is collected under a FISA program, let’s say by the NSA, they are not allowed to use that evidence in court because of 4th Amendment violations. What can happen instead is that they can turn it over to the FBI, who will then start collecting evidence the “right way” so it can be admissible in court. We don’t know if this is the actual process because such data is not supposed to be looked at or collected in the first place.
Then again, I am also nitpicking here. We don’t really know if the American government is following their own rules or not (which makes sense given their past record).
Of course, we’ve also changed that. We’re happy that our blog post led to this discussion - it’s important to understand what the authorities can and can’t do, but also to know that there are lots of options to do things without proper judicial oversight, which is extremely dangerous. Because without it, you need to trust that ALL officials are doing things as they are supposed to do it - which unfortunately is not guaranteed…