Encrypted mail service Tuta says it was wrongly accused of being a front for intelligence services

Storefront aimed to attract criminals

In court transcripts released on Friday 10 November, Ortis testified that he had been approached by a counterpart at a foreign intelligence agency with information about an encrypted messaging service that was being used as a “storefront” for intelligence agencies.

He told the court in Ottawa that a storefront was a fake business, either online or bricks and mortar, covertly set up by an intelligence or law enforcement agency.

“The common goal is to attract criminals or targets of different kinds of investigations to that storefront in order for them to engage in their services,” Ortis told the court.

Ortis, former director general of RCMP’s National Intelligence, told the court that he was approached by his counterpart at a foreign agency in autumn 2014.

He said he was briefed that a storefront was being set up to attract targets to an online encrypted email service, Tutanota, to gather intelligence.

He said the foreign agency would be able to feed the intelligence, including intercepted emails, through the Five Eyes intelligence network – a collaboration between the US, UK, Canada, Australia and New Zealand – back to the Royal Canadian Mounted Police.

The information that would be gathered was compelling and demonstrated clearly a direct and grave threat, he said.

“I could corroborate much of the information by looking at existing OR [Operation Research] files and RCMP holdings,” he said in the hearing on 3 November. “I was given a strict caveat not to share the information with anyone,” he added.

No basis for claims

Tuta, formerly known as Tutanota, said there was no basis for Ortis’s claims. The company said its entire source code is published on GitHub, and can be peer reviewed to ensure there are no hidden backdoors in Tuta’s end-to-end encryption.

According to Tuta’s transparency report, the company only responds to court orders issued by German courts.

It publishes a “warrant canary” confirming that its services have not been subjected to an order from the US National Security Agency and that its encryption has not been subject to any backdoors.

Tuta has received orders from German courts to hand over inventory data, which can include banking data, credit card data and PayPal usernames, and real-time metadata, which can include the email addresses of the sender and receiver of emails, and the time messages were sent, but not the content.

The email service has also been ordered to disclose encrypted emails, however Tuta points out that it does not have access to decryption keys and is unable to handover decrypted messages.

“The key is encrypted with the user’s password. We never know the password as only a hash of the password is transmitted to the server. Thus, we cannot know the decryption key,” said Tuta spokesperson Hanna Bozakov.

Phantom Secure

Prosecutors allege that Ortis used his position in a secret unit within the RCMP to attempt to sell intelligence gathered by Canada and the Five Eyes to people linked to organised crime.

Ortis has been accused of sharing information with Vincent Ramos, the CEO of Phantom Secure, a Canadian company that made encrypted BlackBerry phones for use by criminals.

Canadian, Australian and US law enforcement agencies took down Phantom Secure in a joint operation in March 2018. Ramos pleaded guilty to racketeering and was sentenced to nine years.

The RCMP arrested Ortis in September 2019, when he was charged with seven counts under the Security of Information Act (SOIA) and the criminal code.

The charges, which Ortis has denied, included unauthorised communication of special operational information, in breach of the SOIA, and preparatory acts, which included those for the unlawful and unauthorised communications of safeguarded information.

Ortis was also charged with breach of trust by a public officer and unauthorised use of a computer under the Canadian Criminal Code.