Since last year's PRISM revelations, a growing number of people in Germany are becoming aware of how secure their email is (or isn't).
"Germans are deeply unsettled by the latest reports on the potential interception of communication data," René Obermann, CEO of Deutsche Telekom, said last year.
At the time, Obermann was announcing the launch of 'Email made in Germany', which promised to automatically encrypt emails with SSL by default where possible. Also, to make life harder for the NSA and other agencies, emails sent using the service between users in Germany would never leave the country’s borders.
As of today, several major German email providers — including Web.de and GMX — have signed up to offer the service, and according to Deutsche Telekom, some 50 million private customers are now using it.
Likewise, interest in Posteo — a German email provider that offers users full anonymity and SSL encryption — soared in the wake of the Snowden leaks. According to Bloomberg, in the six months after the leaks, the service tripled its user base.
Swelling the ranks of secure options in the country, a new privacy-focused email service called Lavaboom went into private beta last month. The service provides PGP encryption with no additional software required; users can expect PGP-encrypted communication between each other and with users of similar services such as Riseup and Hushmail.
The PGP encryption keys are hosted on client computers and are not directly accessible by Lavaboom (so that if the NSA came knocking on their server doors, Lavaboom could lawfully claim that they don't have the ability to decrypt users' emails, otherwise known as 'zero-knowledge privacy').
"The original idea came to my mind pretty much the day after the Snowden revelations," said Felix Müller-Irion, Lavaboom's founder and CEO. "There was not any provider out there who actually provided for secure communications."
Of course, there was Lavabit, the secure email service which Snowden had used but was later shut down. (Despite the similarity in the names, Lavaboom isn’t connected to Lavabit; rather, it's inspired by the original service.)
Companies such as Lavaboom are finding that Germany — with a population that is increasingly tuned-in to security risks, coupled with the country's strict privacy regulations — is a good place to offer secure email service.
In fact, the country’s Independent Centre for Data Protection, a government advisory agency, explicitly advises email users to avoid American internet services. When choosing a provider, European and German companies are preferable to those "from third countries, in particular from the US, because European data protection law is applicable", the agency's website says.
An end to Safe Harbour?
In particular, Germany has a narrower interpretation of the Safe Harbour agreement — the regulations, passed in 1998, which govern the sharing of information between the US and some countries in Europe — than other European countries.
In 2010, regulators in the country crafted a stricter framework for the agreement, which German companies have to abide by to share data with organisations in other countries to safeguard privacy and maintain an increased level of transparency. For instance, detailed records must be kept, and German companies must verify that the parties whose data is collected are being notified.
And in the wake of the PRISM revelations, there have been calls in the country to end the agreement altogether, some from government officials. "The Europeans should terminate the Safe Harbor agreement," Manfred Weber, a European Parliament Member from political party the Christian Social Union, told Der Spiegel last year.
According to Bill Franklin, Lavaboom's CMO, under the current rules, it's still illegal for the NSA to request Lavaboom's SSL keys directly. "That's what Ladar is facing in the US," he said, referring to Ladar Levison, who shut down Lavabit after the US government ordered him to turn over his SSL keys.
Instead, the NSA (or other law enforcement agency from abroad) would have to appeal to Federal Constitutional Court for the keys. "German laws are actually enabling us to do what we do," Franklin said.
Your metadata's showing
Even though using encryption protocols like PGP can make email highly secure (Lavaboom uses key sizes of 4,096 bits, which would take decades to crack today) there are still technical thresholds and other challenges that remain.
For one, users must use Lavaboom's email client, meaning that those who are accustomed to easy email setups on their own client applications or mobile devices are out of luck for the time being. Using protocols like SMTP or IMAP, while making things easier "would defeat the purpose", according to Müller-Irion.
"Once emails are sent unencrypted through an IMAP protocol or through an SMTP protocol, that makes them visible by the NSA, etc," he said.
And those who want to use the service but are prone to forgetfulness might want to jot down their passwords, since Lavaboom will not provide any recovery service. "This is a downside to zero-knowledge privacy, we suggest writing your password on a piece of paper at registration," the service’s website advises.
Additionally, since there currently exists no way to encrypt metadata, subject lines, sender and receiver email addresses, and other information like the time of sending, will still be unencrypted; although all user IP addresses will be replaced with Lavaboom’s IP addresses in Cologne.
"This is an issue that we're definitely going to work out," said Müller-Irion, who said that he would be eager to adopt any protocols created by the Darkmail Technical Alliance, which is reportedly working on ways to encrypt metadata.
However: "it will be a little while still."