Email encryption in your browser with Mailvelope

Created on 10. October 2014, 18:47 | Category: Blog

Dear Posteo users,

A few days ago, a new version of the encryption add-on Mailvelope (available for Firefox and Chrome) was released. The new version is preconfigured to work with Posteo.

Using the add-on, it is now possible to easily encrypt the content of emails using OpenPGP within the Posteo webmail interface. You can also sign your emails, but attachments cannot be encrypted using the add-on. Mailvelope is especially interesting for anyone who prefers to use the Posteo webmail interface and would like to secure their emails with end-to-end encryption. Mailvelope is open source: The program code for the add-on is visible and based on open standards.

In the Posteo help section “Webmail”, you can find instructions on how to install the add-on in Firefox or Chrome and how encryption using Mailvelope works. Other browsers such as Safari or Internet Explorer do not yet support Mailvelope. If you encounter problems using Mailvelope or have questions about the add-on, please contact Mailvelope support.

Best regards,

The Posteo team

New webmail interface available

Created on 23. September 2014, 18:53 | Category: Blog

Dear Posteo users,

We have some important information for you: From today, the new standard
design of our webmail interface is available.

You can now activate the new design in the settings of your account via
“Einstellungen” → “Benutzeroberfläche” → “Oberflächendesign” (or “Settings”
→ “User Interface” → “Interface Skin”, if your interface is set to English).
If you would like to use the design, simply choose “Standard” and confirm by
clicking “Save”.

During the last few months, our team has been working on the appearance of the
user interface. The webmail site is now more appealing, and easier to use. We
will continue to support the old design until early 2015. We recommend
switching to the new design now.

We will soon make additional versions of the new standard design available to
choose from. Other parts of the website – for example, the help section – will
be progressively updated to match the new design.

As part of the design update, some technological improvements have been made
in the background. These lay the foundation for various new features, such as
Posteo email account encryption, which we will be introducing this autumn.

Best regards,

The Posteo team

Posteo on the myths of the SINA box

Created on 29. January 2014, 18:00 | Category: Blog

Dear Posteo users,

This blog entry is about a topic that has made many of you anxious, and about which we are currently receiving enquiries. The question concerns when and how German email providers give out data to investigative authorities when a judicial ruling exists for the surrender or surveillance of an email account.

Computer magazine c’t states in its current edition (4/2014):

“Email providers with more than 10,000 customers must operate a so-called SINA box, which can channel the email traffic of all users without the provider or the user being aware.”

This is incorrect. It is not possible for German authorities to access users’ emails without the knowledge of the provider. In addition, a SINA box has no access to a provider’s systems.
We asked the editors to issue a correction. They then acknowledged the error and published a correction on the c’t blog. Because we cannot answer all the questions we are receiving individually, we explain here exactly what the situation is with the SINA box:

So far, there is no SINA box at Posteo.
The (German) Telecommunications Monitoring Ordinance (Telekommunikations-Überwachungsverordnung, TKÜ) requires telecommunication providers with at least 10,000 users to install a special computer (the SINA box). We cannot say exactly how many users our service has, because we don’t collect our users’ personal information. We only know the number of email accounts.

We will, at some point, have to acquire a SINA box – but we leave estimating when this might be to our experienced lawyers, who have negotiated SINA solutions for various telecommunications organisations with the Federal Network Agency. This is more of a financial nuisance. It will not impair the security of our users’ data. We have become convinced of this following an intensive debate on this topic (with lawyers and authorities, among others), and we can assure you of it.

A SINA box is a computer that establishes an encrypted connection to authorised authorities – a so-called VPN. We would have no access to the SINA box, but neither would the authorities have any access to our servers or network traffic via the SINA box. The authority would have no access to our servers whatsoever. We would, however, have the possibility to save the content of an email account on an authority’s server via the SINA box, if a judge had ordered the surrender or surveillance of the account.

We would then have no access to this data – only the authority would. The only data found on that computer would be that which we (Posteo) had deposited there, however.
————
Please note: c’t magazine writes that the email traffic of all users can be channeled over the SINA box without the provider or user noticing. This is incorrect.
————
The authority’s computer (behind the SINA box) would, like the SINA box itself, neither be connected to our servers nor allow access to them. For the authority, the point is to establish a completely isolated system, such that third parties have no way to intercept data that we are required to provide manually. If a judicial ruling exists, we need to provide copies of the data via this computer, for example by transferring them over one-way FTP access.

Even without a SINA box, we are – in the event of a judicial ruling – already required to surrender an email account’s data, which we also point out in our privacy policy. Every email provider in Germany is required to do this, no matter how small.

The legislator has set the hurdle for surrender of content very high: Your emails are governed by secrecy of telecommunications. Because we never surrender email accounts of our own free will (§ 94 Abs. 1 StPO), instead always formally objecting, the lawful seizure of a Posteo account must always be ordered by a judge (§ 94 Abs. 2 StPO, § 98 Abs. 1 S. 1 and Abs. 2 S. 1 StPO). The command to lawfully surveil an email account can only be obtained in cases of specific, severe crimes, and not for infringements, among other things. The legal ruling on this can be found, for example, here. The judicial ruling must be presented to us (the provider) and will be checked by our lawyers for scope and formal correctness before we provide any data.

After submission of a judicial ruling, the provider therefore delivers the data itself. The user must not be informed about the order for lawful interception. This is prohibited; we would make ourselves liable for prosecution.

At present, for example, we would have to send a DVD containing the email account contents to the authority – via the SINA box, the authority would obtain the data more quickly and securely. Otherwise, there is no difference to the previous procedure. In addition, there is no possibility for the authorities to access our users’ data.

We would like to release a transparency report on the number of requests from authorities as soon as possible. This would certainly counter general uncertainty. Unfortunately, it is not yet fully clear if this is permitted under German law. It is possible that we could make ourselves liable for prosecution by publishing a transparency report. We are currently obtaining a legal opinion on this. We will shortly provide a page with information about common legal questions.

We hope we have provided some clarity with this piece.

Best regards,

The Posteo team