For different reasons calendar and address book are not encrypted.
In a web-based application, there will always be gaps in encryption, simply because the data needs to be presented at the client side in human-readable form, which requires these data to be unencrypted at some point beforehand.
For this reason, users should always consider that – in theory – their service provider has the capability to read any data that are usually delivered to their web interface. Note that many of our competitors don’t make much of an effort to mention this limitation, which has sole technical reasons, to their customers.
Further, there are many mailbox.org accounts which have been set up as family accounts or linked business accounts. It would not be possible to easily share calendars and contact lists between these accounts if the corresponding data were encrypted in such a way that only the original owner could access them. We also have a number of software extensions for calendar and contact list planned (for instance, reminder services) that would not work if these areas were encrypted.
Providing more comprehensive encryption is possible in principle, yet would also bring about disadvantages, apart from being difficult to implement. For example, many special features currently in place would be unavailable for those users that want extended encryption. At this time, we do not have the resources to do any of this and would like to concentrate realizing the many, many other ideas and projects that are also waiting in the pipeline. We believe these will be more effective to increase and sustain security, and benefit the majority of our customers.