“Encrypted communication is not an optional extra, but a duty”
An interview with tax lawyer Matthias Baenz about security, responsibility, and client trust.
Question: Mr. Baenz, as we have already discussed, before we introduce you and your law firm I would be very interested to know: Why is encrypted communication so important for lawyers?
Answer: Encrypted communication for lawyers is not really something that only affects lawyers - it should concern everyone. But for lawyers, there is also the professional law dimension. This ensures that lawyers operate within a special set of rules and have certain duties of consideration that do not apply in the private sphere.
This means that, as a lawyer, I simply have sets of rules that dictate certain things to me, whereas as a private user I can perhaps ask myself: Does this affect me at all? Does it interest me? Do I find it bad? As a lawyer, on the other hand, I always have to consider not only my own professional law, but above all the interests of my client.
There are clear guidelines that say: I must not harm the interests of my client. Incidentally, these rules have always existed. But in the course of the data protection issue, new risks have arisen, one being the risk of interference. And all lawyers need to take this seriously. All lawyers have a special duty to ensure that the client is not exposed to data leaks, unintentional access, or publication of data.
This can only be ensured through genuine, encrypted communication like Tuta Mail. However, many lawyers are not even aware that this is the case, and that it must be taken seriously. The normal technical precautions in email traffic, such as TLS, simply don’t achieve this.
I don’t think most lawyers even know what SSL or TLS means. Email providers usually reassure users by saying the connection is encrypted. This is often displayed as “Connection encrypted.” But many people don’t know that this only applies to the connection to their own email server. The rest of the connection is basically unencrypted.
This means that the data can be intercepted and changed. This fact is simply not known and not taken seriously enough. People often say, “Well, what’s so bad about that?” Or, “Who is supposed to care about that?” and with this attitude, the actual threat is not even noticed. In my opinion, however, encrypted communication is not an optional extra, but a duty, especially for lawyers.
Question: Yes, I think the topic of “being changed” is also very important because most people don’t have it on their radar. It was recently reported in the media in Germany that an invoice sent via email by a company was manipulated. How great is the risk here and what is the responsibility of companies when emails, especially invoices, are sent unencrypted? Should companies rely on encrypted emails?
Answer: The risk is enormous - and in this case, the customer had to learn it the hard way. But of course, it always applies in both directions. Perhaps we should first briefly explain what the problem was in this specific case.
The company’s email account had been hacked - at least that’s what the court assumed. Let’s take that as a basis. So someone had intervened - the hacker. The recipient account, i.e. the payment account, was changed for all emails relating to invoice documents. Everything else looked exactly the same. The emails looked the same, only the account number had changed. However, nobody noticed this - neither the business nor the customer.
The court then established two things. Firstly, did the customer fulfill his debt with this payment to the account specified in the invoice? No, said the court, he had not. In other words, the debt was still outstanding. That was the first big blow for the customer - that he had not fulfilled his debt despite paying 11,000 euros.
The court couldn’t really decide otherwise. If the money does not arrive where it should, then it has not been paid.
The question of whether the company should have done something to prevent the hack - e.g. with encrypted emails - was initially irrelevant in this context. It only became relevant when the question arose: Was the company liable for damages? Isn’t the damage exactly the amount that the customer transferred for nothing?
The court said: It could be, but not the full amount.
The court then said: Both contracting parties have engaged in a risky form of communication. So the principle applies: anyone who voluntarily engages in something risky must also bear the risk as a responsible citizen. In circumstances where knowledge and expertise are unequally distributed, for example a giant corporation versus a consumer, the situation may be different.
In this case, however, it was an established company on the one side and an established customer on the other. The court could therefore not find any great difference in knowledge and said: In principle, both bear the risk.
However, the company was ultimately “awarded” a little more blame, because the court said: You have breached another duty - namely a duty under the General Data Protection Regulation to secure your own IT system.
Question: That’s very interesting. Does that mean the customer should have demanded encrypted communication?
Answer: If they want to play it safe - yes, exactly. You can put it like that. The court said: You both got involved in this vulnerable communication, so you are both to blame.
Question: That’s really interesting. In order to prevent the problems that you have described - i.e. what lawyers have to protect, what they are obliged to do - you and your law firm offer various options for encrypted communication, not just Tuta Mail. Why is it so important to you that the client can choose different communication channels?
Answer: There are two different aspects to this. One aspect is that I want to give the client a choice. This is not an obligation that is imposed on me, but from my point of view, it would simply not be right for me to stick to a single system and reject everything else. After all, I don’t know which variants the client may already be using. And I don’t want to create an additional barrier, I want to make it as simple as possible.
That’s why we offer different options. If you want to work with PGP, go for it. If you want to work with Tuta Mail, go for that. If you have something else, do it differently.
The second aspect is, if I place my communication in different tools, then I create fewer potential attack vectors in a single place. This is a kind of division strategy so that I’m not completely dependent on one provider and vulnerable to attack. I don’t want to handle 100 percent of my communication with a single system, because that naturally carries a risk.
Question: How do your clients react to this?
Answer: This is actually the crux of the matter. Most clients don’t even have a system for encryption in place, let alone ideas or preferences. When they come closer to the idea that it is actually important for their case, they usually take the system that I suggest. And that has been Tuta Mail for the last ten years. It’s important to clients that it just works. They don’t want to try out or compare different things. They just want it to work.
I was really happy when Tutanota came on the scene, just over ten years ago, because it was a system that was very easy to implement. Even with clients who weren’t keen on technical gimmicks, I managed to convince them to use encrypted communication on a permanent basis. Before that, it was much more difficult - especially with PGP. I had to explain, “You have to install this and that, generate a certificate…” that became too much effort for the clients.
Once the clients had crossed the barrier, it was easy for them. To get started with encrypted communication, they don’t even have to create their own account with Tuta - that was and is particularly nice. This way, they can continue to use their usual email program and still communicate with me securely via the link from Tutanota, or Tuta today. Via the shared password, they have access to all previous communication at any time via an internet browser; they don’t have to decrypt each message individually, they can view all previous communication via one link. That’s a great thing for clients.
The only difficulty was sometimes when there were longer breaks in communication, I then had to tell them their password again. To make things easier, I usually gave it to them, not by email of course, but via another secure channel. The practical thing with Tuta is that I can securely store the password for the client in Tuta Contacts and just look it up when it’s requested. This way, I can give it to the client again even after half a year or more.
Question: I’m very pleased to hear that. Tutanota was launched eleven years ago - so you are a pioneer. I’m almost surprised that you and I haven’t crossed paths before. (laughs) Do you still remember the transition back then? Were there any challenges for your law firm when introducing Tutanota?
Answer: Of course, there still are today, to be fair. Unfortunately, I haven’t managed to convert our entire office to Tutanota, now Tuta Mail. There is that famous persistence. If we had switched over completely, we would have suddenly had new email addresses - an absolute no-go for many clients. We’re not talking about one or two clients, but hundreds. That gives people the shivers.
But even when I show them that you can continue to use your own domain if you wish, that your email address remains visually the same - that’s no problem with Tuta Mail - you would still have to set that up and move everything over. This requires coordination with the provider, certain adjustments and a one-off effort. And then comes the commercial thinking: What’s in it for me? How big is the risk really? Is it worth the effort?
That’s why we are ultimately stuck with a two-system model. I have persuaded some partners to set up Tuta access or have me set it up for them, or at least to accept encrypted Tuta emails from me in their normal mailbox, to open them via a link and browser and also to reply encrypted. We use this specifically for particularly sensitive topics, for joint mandates or if we want to use the dual control principle. Most colleagues continue to use their usual system for day-to-day communication. I haven’t managed to change that yet.
Despite the known quirks, people prefer to stick with what they are used to. It’s a classic risk-benefit analysis. So I use a two-pronged approach myself, Tuta Mail for sensitive matters, i.e. practically all my communication with clients, and Outlook for the rest. Ultimately, it’s also about the secure encryption of emails on the mail server, which in my case is Tuta.
Question: That’s a smart solution. How do you assess Microsoft’s strategy of moving everything to the cloud and the associated data protection issues - also with regard to possible US access to data? That is a considerable risk for a law firm. Is the American cloud - even if the data is stored on German servers - actually a no-go for law firms?
Answer: Absolutely. That’s why I hope that we will still manage to migrate completely in the next few years. Once you’ve made the switch to Tuta, everything works as before. Thanks to the app and desktop client, you can use Tuta Mail anywhere. In contrast to Outlook, where you have to work via IMAP depending on the client, everything is much simpler.
Question: Now to you: Could you briefly introduce yourself and your law firm? What do you specialize in?
Answer: With pleasure. We are a medium-sized law firm with offices in Hamburg, Berlin, Potsdam, Schwerin, Rostock and also abroad. Our focus is on advising medium-sized companies, but also individual clients - mainly in commercial and tax law. We are lawyers, tax consultants, and auditors.
Here in Schwerin, we have a tax department that takes care of all our clients’ tax matters, from bookkeeping to tax returns and annual financial statements. I myself am a lawyer specializing in tax law and have been dealing intensively with tax law issues for many years - especially in critical cases: difficult tax audits, voluntary disclosures, criminal proceedings for alleged tax evasion. This is where I come in.
I also provide support in drafting contracts, especially when the focus is on tax optimization. This is not something a traditional tax consultant can do alone; it requires a specialized lawyer for implementation. I am therefore often the link between tax issues and their legal implementation - for example in the case of corporate law structures, wills, marriage contracts or similar sensitive issues.
Question: This involves highly sensitive data. I can understand why you were pleased when Tutanota came onto the market.
Answer: Yes, absolutely. For me, it was an inner justification to deal intensively with the technology. It takes time - in addition to the professional work, the clients, the case law, the legislation. But as a tax lawyer in particular, where we often deal with very sensitive data, some of which is relevant under criminal law, it was important to me. I want my communication to be as secure as a confidential conversation in a secure room.
Question: That’s a great attitude, and one that we would like to see more often. Amazingly, the trend is currently moving in the right direction. When we look at scandals such as the manipulated invoices through hacked emails that we mentioned, what role do you think secure communication will play in the future?
Answer: It will become increasingly important. I am concerned about two developments: firstly, the trend in the USA of the President claiming an area for himself that is not subject to judicial review. This is hardly comprehensible to our understanding of the law in Germany, but it is taken seriously there. Legal protection then practically no longer exists in these areas.
Of course, this also affects companies that are subject to US law - keyword: Patriot Act and digital sovereignty. Even if the servers are located in Europe: If a US company is requested to hand over data to US authorities, it has to do so. Promises such as “We won’t do it” are worth nothing in an emergency. This also applies to Microsoft.
On the other hand, there are political efforts in Europe to weaken encryption through backdoors. The so-called chat control, for example: They want to allow good encryption, but create access for the investigating authorities. A no-go for me as a lawyer. There is no backdoor just for the good guys. Once you have access, you ultimately open the door to others.
Question: Let’s come back to digital sovereignty in Europe. Where will we be in five years’ time? Will the authorities still be using Microsoft then?
Answer: I hope not, or at least not in its current form. There are approaches, for example in Schleswig-Holstein, but I’m afraid we won’t be there in five years’ time. Maybe in ten. One major problem is the IT consulting provided by the authorities. They often stick to their standards because it works. Problems or concerns are then often suppressed.
We see this with the electronic patient file. It’s basically good, but poorly implemented. Instead of always doing everything from scratch, the authorities could use open source approaches and build on them, like Nextcloud or Tuta Mail; Germany has many good companies. Instead, the wheel is constantly being reinvented and everyone is cooking their own soup. That costs time and money and doesn’t achieve anything.
Question: Finally: What advice do you have for law firms that are still unsure whether they should switch to encrypted communication?
Answer: Just do it. Start small, like me. Set up a Tuta account and use it for sensitive communication. Offer it to your clients. Let it grow slowly without changing everything right away. Don’t be afraid of technology - that would be my advice.
Question: So just go for it. That’s always my advice, too. Take small steps towards better data protection and better security, because unfortunately there is no magic switch that you only have to flip once. But small steps can go a long way. Mr. Baenz, thank you very much for the interview; I would like to chat again soon!
Answer: Thank you very much, it was a pleasure.