A relevant machine-translated paragraph appears to indicate that they are only required to implement monitoring of a single mailbox:
> This is about a blackmail that had been sent to an automotive supplier from a Tutanota mailbox. Tutanota is now forced to program a function by the end of the year that allows the State Criminal Police Office of North Rhine-Westphalia to monitor this mailbox.
Lacking the ability to read this without translation, I cannot determine conclusively whether or not they're also required to preemptively retain plaintext emails for other mailboxes in order to support any future wiretapping requests.
There's a clear distinction between "We are mandated by the court to maintain plaintext for all accounts for all time" and "We are mandated by the court to have the capability to maintain plaintext for one account when ordered so by subpoena-or-equivalent". This is the latter.
Arguments can be had about the relevance of that distinction, but relevant or not, the distinction does exist. Thanks for clarifying!
(I'm not participating in the "Is this distinction relevant?" discussion today, sorry, just trying to understand what was passed. See other threads for pro/con arguments.)
It only affects new incoming mails as they cannot decrypt the old ones.
My understanding of the German wiretapping law is also that they can only record messages from the point of the wiretapping court order so no older messages can be accessed by it.
My understanding is that they are only required to monitor a single specific mailbox (for which a court order has been issued) - so no preemptive collection.
The following (machine-translated) paragraph clears that up:
> This should not change anything for the other users, their mails should continue to be encrypted by default. Nevertheless, Tutanota considers a one-time circumvention of the encryption to be a data protection and security risk for all customers.
> [Update, 30.11., 12 o'clock] As Tutanota emphasized, the monitoring measure only affects newly incoming unencrypted e-mails. Already encrypted data as well as end-to-end encrypted e-mails in Tutanota cannot be decrypted by the company. [Update]