German Bundestag: Posteo statement on privacy

Created on 13 March 2015, 16:15 | Category: Blog

Dear Posteo users,

As of today you can find a statement from Posteo on the topic of “Privacy in the digital world” at bundestag.de. Our vice president of communications, Dean Ceulic, was a guest expert at the German parliament’s committee on the digital agenda. The topic of the discussion was “Startups, small to medium-sized businesses and privacy in the digital world”. In addition, we were asked to provide written replies to a list of questions that the various parliamentary groups had prepared prior to the discussion. Our statement is now available on the Bundestag website (in German).

The discussion itself is available as a video at bundestag.de (in German).

An overview of the most important points for us

On German and European privacy standards:

We emphasised that strict German and European privacy regulations do not stand in the way of the economy. The opposite is true: European companies can turn stricter privacy regulations to their advantage, setting themselves apart (for example, from American competitors) through sophisticated privacy measures. Stricter privacy standards do not inhibit innovation; they actually constitute a competitive advantage for European companies. This view is shared by an overwhelming majority of the experts who took part in the discussion.

We criticised the German government’s current plans to weaken the high German and European privacy standards:

“Germany’s high standards for privacy have become a relevant factor for a company’s location, and should not be given up lightly. The principles of data reduction and purposeful use strengthen consumers’ trust in German companies and help strengthen citizens’ fundamental right to informational self-determination.”

We therefore demanded that the law stipulates that personal information can only be processed if allowed by law and with the affected party’s consent.

On data retention, we stated the following:

“Sensitive metadata such as IP addresses, for example, are currently under special protection in Germany. Connection and traffic data (such as IP addresses) must also be under special protection on a European level, as their evaluation enables compilation of extensive personality profiles. In particular, the retention of data should be opposed, as this severely impairs citizens’ fundamental rights according to several of the highest law courts.”

On data economy and purposeful use:

The German government will in future consider the principles of data reduction and purposeful use when handling data.

We argued for maintaining both of these fundamental privacy principles, stating:

“When handling data, the principles of data reduction and purposeful use strengthen not only the citizens’ fundamental right to informational determination. Both factors also give companies a clear course of action and minimise uncertainties as to how they collect and process data – in particular also amongst one another.”

On the relationship between fundamental rights and security interests:

We emphasised that there is no conflict of objectives between security interests and the effective protection of citizens’ privacy. In a constitutional state, both poles should be in a far more balanced relationship with each other:

“To further strengthen democracy in the digital world, it is essential to restore a more balanced relationship between both poles. International, comprehensive surveillance activities by intelligence agencies can only be countered with measures for encryption, data economy and anonymisation. This is in the interest of citizens – as well as in the interest of companies and authorities.”

Best regards,

The Posteo team

Email encryption in your browser with Mailvelope

Created on 10 October 2014, 18:47 | Category: Blog

Dear Posteo users,

A few days ago, a new version of the encryption add-on Mailvelope (available for Firefox and Chrome) was released. The new version is preconfigured to work with Posteo.

Using the add-on, it is now possible to easily encrypt the content of emails with OpenPGP within the Posteo webmail interface. You can also sign your emails, but attachments cannot be encrypted using the add-on. Mailvelope is especially interesting for everyone who prefers to use the Posteo webmail interface and would like to secure their emails with end-to-end encryption. Mailvelope is open source: the program code of the add-on is publicly visible and based on open standards.

In the Posteo help section “Webmail”, you can find instructions on how to install the add-on in Firefox or Chrome and how encryption using Mailvelope works. Other browsers such as Safari or Internet Explorer do not yet support Mailvelope. If you encounter problems using Mailvelope or have questions about the add-on, please contact Mailvelope support.

Best regards,

The Posteo team

New webmail interface available

Created on 23 September 2014, 18:53 | Category: Blog

Dear Posteo users,

We have some important information for you: from today, the new standard design of our webmail interface is available.

You can now activate the new design in the settings of your account via “Einstellungen” → “Benutzeroberfläche” → “Oberflächendesign” (or “Settings” → “User Interface” → “Interface Skin”, if your interface is set to English). If you would like to use the design, simply choose “Standard” and confirm by clicking “Save”.

During the last few months, our team has been working on the appearance of the user interface. The webmail site is now more appealing and easier to use. We will continue to support the old design until early 2015. We recommend switching to the new design now.

We will soon make additional versions of the new standard design available to choose from. Other parts of the website – for example, the help section – will be progressively updated to match the new design.

As part of the design update, some technological improvements have been made in the background. These lay the foundation for various new features, such as Posteo email account encryption, which we will be introducing this autumn.

Best regards,

The Posteo team

Posteo on the myths of the SINA box

Created on 29 January 2014, 18:00 | Category: Blog

Dear Posteo users,

This blog entry is about a topic that has made many of you anxious, and about which we are currently receiving enquiries. The question concerns when and how German email providers hand over data to investigative authorities when a judicial ruling exists for the surrender or surveillance of an email account.

Computer magazine c’t states in its current edition (4/2014):

“Email providers with more than 10,000 customers must operate a so-called SINA box, which can channel the email traffic of all users without the provider or the user being aware.”

This is incorrect. It is not possible for German authorities to access users’ emails without the knowledge of the provider. In addition, a SINA box has no access to a provider’s systems.

We asked the editors to issue a correction. They acknowledged the error and published a correction on the c’t blog. Because we cannot individually answer all the questions we are receiving, we explain here exactly what the situation is with the SINA box:

So far, there is no SINA box at Posteo.

The (German) Telecommunications Monitoring Ordinance (Telekommunikations-Überwachungsverordnung, TKÜV) requires telecommunication providers with at least 10,000 users to install a special computer (the SINA box). We cannot say exactly how many users our service has, because we don’t collect our users’ personal information. We only know the number of email accounts.

We will, at some point, have to acquire a SINA box – but we leave estimating when this might be to our experienced lawyers, who have negotiated SINA solutions with the Federal Network Agency for various telecommunications organisations. This is more of a financial nuisance. It will not impair the security of our users’ data. We have become convinced of this following an intensive debate on the topic (with lawyers and authorities, among others), and we can assure you of it.

A SINA box is a computer that establishes an encrypted connection – a so-called VPN – to authorised authorities. We would have no access to the SINA box, but neither would the authorities have any access to our servers or network traffic via the SINA box. The authority would have no access to our servers whatsoever. We would, however, have the possibility to deposit the content of an email account on an authority’s server via the SINA box, if a judge had ordered the surrender or surveillance of the account.

We would then have no access to this data – only the authority would. The only data found on that computer would be that which we (Posteo) had deposited there.

————
Please note: c’t magazine writes that the email traffic of all users can be channelled over the SINA box without the provider or user noticing. This is incorrect.
————

The authority’s computer (behind the SINA box) would, like the SINA box itself, neither be connected to our servers nor allow access to them. For the authority, the point is to establish a completely isolated system, so that third parties have no way to intercept the data that we are required to provide manually. If a judicial ruling exists, we would have to provide copies of the data via this computer, for example by one-way FTP transfer.

Even without a SINA box, we are – in the event of a judicial ruling – already required to surrender an email account’s data, which we also point out in our privacy policy. Every email provider in Germany is required to do this, no matter how small.

The legislator has set the hurdle for surrender of content very high: your emails are governed by the secrecy of telecommunications. Because we never surrender email accounts of our own free will (§ 94 Abs. 1 StPO), and instead always formally object, the lawful seizure of a Posteo account must always be ordered by a judge (§ 94 Abs. 2 StPO, § 98 Abs. 1 S. 1 and Abs. 2 S. 1 StPO). An order for the lawful surveillance of an email account can only be obtained in cases of specific, severe crimes, and not for infringements, among other things. The legal ruling on this can be found, for example, here. The judicial ruling must be presented to us (the provider) and is checked by our lawyers for scope and formal correctness before we provide any data.

After submission of a judicial ruling, the provider therefore delivers the data itself. The user must not be informed about the order for lawful interception. This is prohibited; we would make ourselves liable to prosecution.

At present, for example, we would have to send a DVD containing the email account contents to the authority – via the SINA box, the authority would obtain the data more quickly and securely. Otherwise, there is no difference from the previous procedure. In particular, there is still no possibility for the authorities to access our users’ data themselves.

We would like to release a transparency report on the number of requests from authorities as soon as possible. This would certainly counter the general uncertainty. Unfortunately, it is not yet fully clear whether this is permitted under German law. It is possible that we could make ourselves liable to prosecution by publishing a transparency report. We are currently obtaining a legal opinion on this. We will shortly provide a page with information about common legal questions.

We hope we have provided some clarity with this piece.

Best regards,

The Posteo team