Posteo and Mailbox.org: Many authorities do not encrypt their requests

In 2025, the email providers Mailbox.org and Posteo rejected numerous authority requests, mostly because the authority requests arrived unencrypted.

According to their transparency reports for 2025, the data protection-focused email providers Mailbox.org and Posteo rejected numerous authority requests that were not formally correct. Mailbox.org rejected almost 25 percent of the requests, mostly because they were transmitted unencrypted. “Even for information requests by authorities, we adhere to the strict guidelines of the Federal Network Agency, which state that requests must be made encrypted,” explained Balint Gyemant, Chief Product Officer of mailbox.

In total, Mailbox.org received 74 information requests in 2025, 63 of which were by email and 27 of those unencrypted. Another six were unlawful for other reasons. “It is pleasing that in 2025, for the first time, no requests reached us by fax. This was still the case until 2024, even though information requests by fax have actually been prohibited since 2021,” said Gyemant.

The majority of information requests to Mailbox.org came from German authorities; only three were from other EU states, and one request came from outside the EU. 72 requests were made in the context of criminal prosecution, two by intelligence services. Only two related to mailbox seizure; all others were subscriber data queries.

At least some authorities appear to be learning: in 15 cases, investigative authorities subsequently corrected requests that they had transmitted unencrypted, so that mailbox.org answered a total of 56 requests. However, 18 requests were not corrected and were therefore rejected. As in the previous year, the majority of requests in 2025 were received by email encrypted with PGP. In the previous year, the email provider still reported a rejection rate of 30 percent.

Posteo counts a total of 85 requests for the year 2025, of which, after review by its lawyers, 35 were classified as incorrect. This corresponds to a rate of around 41 percent. Here too, encryption of their requests seems to be a hurdle for many authorities: Posteo states that in 2025 it filed 27 complaints with state data protection officers or authorities due to unlawful, unencrypted transmission of authority requests. Complaints are also planned for unlawful requests for traffic data such as IP addresses.

As with mailbox.org, the majority of requests to Posteo, namely 72, concerned the disclosure of subscriber data. In four cases, it was about mailbox seizures, and in two cases about TKÜ (telecommunications interception), i.e., monitoring a mailbox for a specific period. In seven cases, it remained unclear what the authorities' concern was. As with Posteo, the clear majority of requests, 81, came from law enforcement agencies, and four from intelligence services. With 79 requests, the majority came from German authorities.

Unlike Mailbox.org, Posteo also provides the number of cases in which data was released: in 2025, there were only two, each being the release of content data as part of a TKÜ, which was done by court order. There was no release of subscriber and payment data, as the queried accounts were apparently set up anonymously, which is possible at Posteo with cash payment by mail.

Posteo has been publishing its transparency reports since 2014 and has also been complaining about the shortcomings in requests from authorities since then, for example, because sensitive data was transmitted unencrypted, the requests went to customer support, and similar issues. Some cases are documented on the transparency report page.

The situation is different with Tuta (formerly Tutanota), an email provider from Hanover also focused on data protection. It updates its transparency report semi-annually and, according to figures from early January, has rejected a total of 75 percent of all authority requests. Here too, most requests are for subscriber data; in the second half of 2025, there were 165 requests, of which subscriber data was released in 19 cases.

However, Tuta does not systematically record the reasons for rejection, a company spokesperson explained. Mostly, no data is delivered because the requested account does not exist or no longer exists, or because the request is faulty or unjustified. However, the problem with unencrypted requests hardly occurs at all, as the authorities create a Tuta account themselves. This allows both the request and the delivery of data to take place end-to-end encrypted via Tuta Mail.

(axk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.