Worried about your email security? In Germany, safe messaging is on the rise

Summary: There are a number of new secure options up in the country. But how private are they really?

Since last year's PRISM revelations, a growing number of people in Germany are becoming aware of how secure their email is (or isn't).

"Germans are deeply unsettled by the latest reports on the potential interception of communication data," René Obermann, CEO of Deutsche Telekom, said last year.

At the time, Obermann was announcing the launch of 'Email made in Germany', which promised to automatically encrypt emails with SSL by default where possible. Also, to make life harder for the NSA and other agencies, emails sent using the service between users in Germany would never leave the country’s borders.

As of today, several major German email providers — including Web.de and GMX — have signed up to offer the service, and according to Deutsche Telekom, some 50 million private customers are now using it.

Likewise, interest in Posteo — a German email provider that offers users full anonymity and SSL encryption — soared in the wake of the Snowden leaks. According to Bloomberg, in the six months after the leaks, the service tripled its user base.

Swelling the ranks of secure options in the country, a new privacy-focused email service called Lavaboom went into private beta last month. The service provides PGP encryption with no additional software required; users can expect PGP-encrypted communication between each other and with users of similar services such as Riseup and Hushmail.

The PGP encryption keys are hosted on client computers and are not directly accessible by Lavaboom, so that if the NSA came knocking on its server doors, Lavaboom could lawfully state that it has no ability to decrypt users' emails (a model known as 'zero-knowledge privacy').

"The original idea came to my mind pretty much the day after the Snowden revelations," said Felix Müller-Irion, Lavaboom's founder and CEO. "There was not any provider out there who actually provided for secure communications."

Of course, there was Lavabit, the secure email service which Snowden had used but was later shut down. (Despite the similarity in the names, Lavaboom isn’t connected to Lavabit; rather, it's inspired by the original service.)

Companies such as Lavaboom are finding that Germany — with a population that is increasingly tuned in to security risks, coupled with the country's strict privacy regulations — is a good place to offer a secure email service.

In fact, the country’s Independent Centre for Data Protection, a government advisory agency, explicitly advises email users to avoid American internet services. When choosing a provider, European and German companies are preferable to those "from third countries, in particular from the US, because European data protection law is applicable", the agency's website says.

An end to Safe Harbour?

In particular, Germany interprets the Safe Harbour agreement — the regulations, passed in 1998, which govern the sharing of information between the US and some countries in Europe — more narrowly than other European countries do.

In 2010, regulators in the country crafted a stricter framework for the agreement, which German companies must abide by when sharing data with organisations in other countries, in order to safeguard privacy and maintain a higher level of transparency. For instance, detailed records must be kept, and German companies must verify that the parties whose data is collected are being notified.

And in the wake of the PRISM revelations, there have been calls in the country to end the agreement altogether, some from government officials. "The Europeans should terminate the Safe Harbor agreement," Manfred Weber, a Member of the European Parliament from the Christian Social Union party, told Der Spiegel last year.

According to Bill Franklin, Lavaboom's CMO, under the current rules, it's still illegal for the NSA to request Lavaboom's SSL keys directly. "That's what Ladar is facing in the US," he said, referring to Ladar Levison, who shut down Lavabit after the US government ordered him to turn over his SSL keys.

Instead, the NSA (or another law enforcement agency from abroad) would have to appeal to the Federal Constitutional Court for the keys. "German laws are actually enabling us to do what we do," Franklin said.

Your metadata's showing

Even though using encryption protocols like PGP can make email highly secure (Lavaboom uses key sizes of 4,096 bits, which would take decades to crack today), there are still technical hurdles and other challenges that remain.

For one, users must use Lavaboom's own email client, meaning that those accustomed to easy email setups on their own client applications or mobile devices are out of luck for the time being. Supporting protocols like SMTP or IMAP, while making things easier, "would defeat the purpose", according to Müller-Irion.

"Once emails are sent unencrypted through an IMAP protocol or through an SMTP protocol, that makes them visible by the NSA, etc," he said.

And those who want to use the service but are prone to forgetfulness might want to jot down their passwords, since Lavaboom will not provide any recovery service. "This is a downside to zero-knowledge privacy, we suggest writing your password on a piece of paper at registration," the service’s website advises.

Additionally, since there is currently no way to encrypt metadata, subject lines, sender and receiver email addresses, and other information such as the time of sending will remain unencrypted, although all user IP addresses will be replaced with Lavaboom's IP addresses in Cologne.
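To make the metadata point concrete, here is an added example (not from the article, and not Lavaboom's code) that builds a constructed PGP/MIME message and reports the fields a relay on the path can still read even though the body is encrypted; the ciphertext is a placeholder, and the addresses, IP and dates are made up.

```python
from email import message_from_string
from email.message import Message

# Constructed PGP/MIME message laid out per RFC 3156. The ciphertext block is a
# placeholder, not real OpenPGP output; addresses, dates and IPs are made up.
SAMPLE = """\
Received: from mail.example.invalid (10.0.0.5) by relay.example.invalid; Sat, 24 May 2014 10:01:00 +0200
From: alice@example.invalid
To: bob@example.invalid
Subject: Quarterly numbers
Date: Sat, 24 May 2014 10:00:00 +0200
Message-ID: <1234@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----

--b1--
"""

# Header fields that every hop can read regardless of body encryption.
CLEARTEXT_FIELDS = ("From", "To", "Cc", "Subject", "Date", "Message-ID", "Received")


def is_pgp_mime(msg: Message) -> bool:
    """True if msg is a well-formed multipart/encrypted PGP/MIME container."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    return (isinstance(parts, list) and len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")


def exposed_metadata(raw: str) -> dict:
    """Return what an intermediary sees: the cleartext header fields, plus a flag
    saying whether the body is protected by PGP/MIME (the body is never returned)."""
    msg = message_from_string(raw)
    exposed = {name: msg.get_all(name) for name in CLEARTEXT_FIELDS if msg.get_all(name)}
    exposed["body_encrypted"] = is_pgp_mime(msg)
    return exposed
```

The `Received` line shows why a provider that rewrites client IPs with its own (as the article says Lavaboom does) removes one exposed field without touching the others.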

"This is an issue that we're definitely going to work out," said Müller-Irion, who said that he would be eager to adopt any protocols created by the Darkmail Technical Alliance, which is reportedly working on ways to encrypt metadata.

However: "it will be a little while still."

Michael Filtz

About Michael Filtz

From the day he brought home a modem and dialed in to a local BBS in 1991, Michael has been obsessed with technology and how it enables collaboration. He has a master's degree in journalism from UC Berkeley, and has worked in and around the technology start-up scenes in San Francisco and Berlin.

Talkback

3 comments
  • Opportunistic encryption

    SMTP mail servers can easily be set up to check for SSL capabilities in the machine to which they are trying to connect and if present set up an SMTP over SSL connection. This ensures that for that hop at least, nobody can collect your mail on the way past. If all mail servers were set up to do this, there would be far less chance of someone being able to grab your mails as they sail past.
    Andrew Meredith
  • Secure, Swiss Email!

    As increasing infringements on our email and online privacy rise, we see great demand for a solution. The threats against your personal Internet privacy are increasing every day, as "free" email providers, hackers, the NSA's PRISM program, and the amended US Patriot Act are just a few of a growing list that are compromising our freedoms. As we stand at a crossroads, it may appear hopeless to protect our God-given rights to privacy, but rest assured, there are real solutions to this serious problem!
    www.americansrighttoprivacy.com offers 100% guaranteed online privacy because our servers are located in Switzerland, a safe haven for secure digital communications. As a law-abiding citizen, you can be sure your digital data is safe from any agency, business, or anyone at all wanting to retrieve your information. Access to your online data communications by any authority requires an official warrant issued by a federal judge of Switzerland, while most countries surrender your data without consent.
    To further protect your privacy, we delete the 'Received' header that contains the customer's IP, and all incoming emails are scanned for viruses, with infected emails dropped.
    Our VPN service changes your IP address every 10 minutes, and our DigitalSafe is a "Swiss Bank" for your data!
    If governments and "free" email providers can peek through your webcam, read your emails and look inside your computer, so can the criminals.
    Solutions exist.
    There is secure email, and then there is Swiss Secure E-Mail...
    www.americansrighttoprivacy.com
    AmericansRighttoPrivacy
  • In Germany, safe messaging is on the rise

    This is why Germans are moving to BlackBerry 10. Hanover 96 is the latest migration to BES10, saying "Data security is key to business success and our mobile device strategy."

    More than 50% of DAX companies have ordered, downloaded and/or are testing BES10.

    It's the most secure, most flexible MDM solution, as well as being the one with the lowest total cost of ownership.
    bb_apptix