When TLS Is Not Enough

• 2 min read
• By volker

Most people assume that if an email is encrypted in transit, it’s safe. But a recent court ruling in Germany makes it clear that’s not always true.

The Higher Regional Court of Schleswig-Holstein ruled that sending invoices via email with only TLS encryption isn’t enough. A business emailed an invoice for over €15,000 to a private customer. Somewhere along the way, the email was intercepted and altered. The customer, thinking everything was normal, sent the money straight to criminals. The court decided this was a GDPR violation and awarded the customer damages equal to the stolen amount.

This changes the game for businesses. The ruling suggests that when real money is at stake, companies can’t just rely on basic transport encryption. The court argued that end-to-end encryption (E2EE) is necessary to protect sensitive data from interception. TLS, which only secures each hop between mail servers, wasn’t enough to stop the fraud.

Does this mean every company needs to switch to end-to-end encryption for all emails? Not exactly. The ruling doesn’t demand a one-size-fits-all approach. Instead, businesses need to think harder about the risks and match their security measures to the data they’re handling.

For businesses, this means rethinking how they send important information. If an email includes financial details, trusting TLS alone might be like locking the front door while leaving the windows open. Encrypted PDFs, secure customer portals, or fully E2EE email services could be better options.

The real lesson here? This verdict isn’t necessarily final. Higher courts could overturn it, or legislators could step in to clarify encryption requirements under GDPR. But it does highlight how weak the understanding of cryptography is among courts and regulators. End-to-end encryption is not the answer here: what this case needed was integrity protection, not confidentiality. And thus, the ruling is not only wrong but also dangerous. Integrity protection comes from digital signatures, not from encryption.
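As an added example (not part of the original post), this is the integrity check the post argues for: the sender signs the payment-relevant fields of an invoice with Ed25519, and the recipient verifies them, so an invoice whose IBAN was changed in transit fails verification. It assumes the customer already holds the sender's authentic public key (key distribution is out of scope), and all invoice values are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Invoice holds the fields a payer must be able to trust. Values are
// constructed sample data, not taken from any real invoice.
type Invoice struct {
	Number string
	Amount string
	IBAN   string
}

// Canonical returns a fixed byte encoding of the invoice. Sender and
// recipient must sign and verify exactly these bytes; any change to
// number, amount or IBAN changes them.
func (inv Invoice) Canonical() []byte {
	return []byte(strings.Join([]string{inv.Number, inv.Amount, inv.IBAN}, "\n"))
}

// SignInvoice returns a detached, base64-encoded Ed25519 signature.
func SignInvoice(priv ed25519.PrivateKey, inv Invoice) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, inv.Canonical()))
}

// VerifyInvoice checks the signature against the invoice as received.
// A malformed signature or any altered field yields false.
func VerifyInvoice(pub ed25519.PublicKey, inv Invoice, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, inv.Canonical(), raw)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	original := Invoice{Number: "INV-2025-0042", Amount: "15250.00 EUR", IBAN: "DE00 0000 0000 0000 0000 00"}
	sig := SignInvoice(priv, original)
	fmt.Println("original verifies:", VerifyInvoice(pub, original, sig)) // true

	// The case in the post: same invoice, payee account swapped on the way.
	altered := original
	altered.IBAN = "DE99 9999 9999 9999 9999 99"
	fmt.Println("altered verifies:", VerifyInvoice(pub, altered, sig)) // false
}
```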

References

  1. Verdict (available at https://www.gesetze-rechtsprechung.sh.juris.de/bssh/document/NJRE001598708) [Accessed: 08.02.2025].

  2. Court Ruling on Email Encryption (available at https://www.heise.de/news/Urteil-Ende-zu-Ende-Verschluesselung-statt-TLS-bei-E-Mails-6763661.html) [Accessed: 08.02.2025].