Tutanota releases iOS encrypted email app after notifying NSA

The German encrypted email service Tutanota has released its iOS app, weeks after its Android app came out. The delay was apparently down to a rule that publishers of open-source apps of this kind must first notify the NSA and the U.S. Commerce Department of their existence; Apple, it seems, is stricter than Google about checking that this has been done.

Tutanota, already available as a free webmail service and a paid-for Outlook plugin, uses open-source implementations of 128-bit AES and 2048-bit RSA; PGP compatibility is promised for somewhere down the line.

It automatically encrypts and decrypts email exchanged between Tutanota users. A Tutanota user can also send encrypted mail to someone outside the system: the message is encrypted in the sender's client under a password only the sender holds, and that password then has to reach the recipient out of band, by phone, in person or by some other channel. Unencrypted mail sent to a Tutanota user is encrypted with the recipient's public key once it reaches the company's German servers, which protects it at rest but not in transit: by then the server has already handled the plaintext.
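The three paths described above, as an added example that is not Tutanota's code and not from the original article. It sketches the hybrid scheme in Go's standard library; the page only names the key sizes (128-bit AES, 2048-bit RSA), so the modes and the key-derivation function are assumed: AES-128-GCM for the body, RSA-2048 OAEP to wrap the per-message key, and PBKDF2-HMAC-SHA256 (written out, since it is not in the standard library) for the shared-password path. All function and field names, and the iteration count, are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// Envelope: WrappedKey is set on the Tutanota-to-Tutanota path, Salt on the shared-password path.
type Envelope struct {
	WrappedKey []byte // RSA-2048 OAEP wrapping of the per-message AES-128 key
	Salt       []byte // PBKDF2 salt for the password-derived AES-128 key
	Nonce      []byte // 96-bit AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-128-GCM ciphertext with its authentication tag
}

const pbkdf2Iterations = 100000 // assumed work factor; the page names no KDF or parameters

// NewUserKey makes the RSA-2048 pair; the private half stays on the user's client.
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: never fall back to something weaker
	}
	return b
}

// aesGCM only fails on a wrong key length, which would be a bug in this file, hence the panic.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out to stay standard-library only.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for i := uint32(1); len(dk) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, i)) // big-endian block index
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// EncryptForUser: a fresh AES-128 key encrypts the mail; the recipient's RSA-2048 public key wraps it.
func EncryptForUser(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	key, nonce := randomBytes(16), randomBytes(12)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aesGCM(key).Seal(nil, nonce, msg, nil)}, nil
}

// DecryptAsUser runs on the recipient's client, the only holder of the RSA private key.
func DecryptAsUser(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCM(key).Open(nil, env.Nonce, env.Ciphertext, nil) // GCM rejects any tampering
}

// EncryptForExternal: the AES-128 key comes from a password the sender must pass on out of band.
func EncryptForExternal(password string, msg []byte) *Envelope {
	salt, nonce := randomBytes(16), randomBytes(12)
	key := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, 16)
	return &Envelope{Salt: salt, Nonce: nonce, Ciphertext: aesGCM(key).Seal(nil, nonce, msg, nil)}
}

// DecryptAsExternal: a wrong password derives a wrong key and the GCM tag check fails closed.
func DecryptAsExternal(password string, env *Envelope) ([]byte, error) {
	key := pbkdf2SHA256([]byte(password), env.Salt, pbkdf2Iterations, 16)
	return aesGCM(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// ServerEncryptInbound: same envelope as EncryptForUser, but the caller is the server, after SMTP delivery.
func ServerEncryptInbound(recipientPub *rsa.PublicKey, plaintextFromSMTP []byte) (*Envelope, error) {
	return EncryptForUser(recipientPub, plaintextFromSMTP)
}
```

Note what ServerEncryptInbound makes explicit: on the inbound path the key wrapping happens on the server after it has received the plaintext, so that mail is protected at rest but was readable in transit and at ingest. Only the first two paths are end to end, and the second is only as strong as the channel the password travelled over.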

Currently, the downside is that users have to use a “tutanota.de” email address, which isn’t necessarily an attractive option for everyone, but company founder Matthias Pfau told me the firm will soon add other domain options. Those wanting to use their own domains will also get to do so at some point, but that will be a paid-for premium feature.

Pfau said the iOS and Android apps had been submitted to their respective app stores at the same time, but Apple requires suppliers of open-source security software that uses asymmetric cryptographic algorithms to do what U.S. export regulations dictate: notify the Commerce Department's Bureau of Industry and Security (BIS) and the NSA's ENC Encryption Request Coordinator of what they are publishing. This appears to be a notification requirement only, not a request for approval from either agency.

I wasn’t previously aware of this requirement, but here’s what the rules say (PDF) about “publicly available encryption source code”:

You must notify BIS and the ENC Encryption Request Coordinator via e-mail of the Internet location (e.g., URL or Internet address) of the publicly available encryption source code or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the Internet, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location.

Anyhow, should you use Tutanota? Well, the fact that you need a special email address is in itself a limiting factor: chances are people know your existing email address and will default to using that. There are several encryption systems out there that rely on pre-shared passwords (such as OX Guard) and, while they do avoid the difficulties of dealing with the PGP key system, unless you can exchange passwords in person you’re arguably less secure than if you were using PGP – it really depends on whether you’re under heavy targeted surveillance.

In theory you don't need to trust Tutanota to use its system, since you hold your own key (and the company cannot recover it for you if you lose it), though the client code that does the encrypting still comes from Tutanota, which is where open source matters. The company has had a security scare in the past, when a researcher found a cross-site scripting vulnerability, but that flaw was patched and Tutanota subsequently went open-source and published its code. That means it can be freely audited, though it doesn't necessarily mean it has been thoroughly audited. Pfau told me a couple of bugs had been flagged this way, but they had nothing to do with the service's security.
