Posteo on the myths of the SINA box
Created on 29 January 2014, 18:00 | Category: Blog
Dear Posteo users,
This blog entry is about a topic that has made many of you anxious, and about which we are currently receiving enquiries. The question concerns when and how German email providers give out data to investigative authorities when a judicial ruling exists for the surrender or surveillance of an email account.
Computer magazine c’t states in its current edition (4/2014):
“Email providers with more than 10,000 customers must operate a so-called SINA box, which can channel the email traffic of all users without the provider or the user being aware.”
This is incorrect. It is not possible for German authorities to access users’ emails without the knowledge of the provider. In addition, a SINA box has no access to a provider’s systems.
We asked the editors to issue a correction. They then acknowledged the error and published a correction on the c’t blog. Because we cannot individually answer all the questions we are receiving, we explain here exactly what the situation is with the SINA box:
So far, there is no SINA box at Posteo.
The (German) Telecommunications Monitoring Ordinance (Telekommunikations-Überwachungsverordnung, TKÜ) requires telecommunication providers with at least 10,000 users to install a special computer (the SINA box). We cannot say exactly how many users our service has, because we don’t collect our users’ personal information. We only know the number of email accounts.
We will, at some point, have to acquire a SINA box – but we leave estimating when this might be to our experienced lawyers, who have negotiated SINA solutions for various telecommunications organisations with the Federal Network Agency. This is more of a financial nuisance. It will not impair the security of our users’ data. We have become convinced of this following an intensive debate on this topic (with lawyers and authorities, among others), and we can assure you of it.
A SINA box is a computer that establishes an encrypted connection to authorised authorities – a so-called VPN. We would have no access to the SINA box, but neither would the authorities have any access to our servers or network traffic via the SINA box. The authority would have no access to our servers whatsoever. We would, however, have the possibility to save the content of an email account on an authority’s server via the SINA box, if a judge had ordered the surrender or surveillance of the account.
We would then have no access to this data – only the authority would. However, the only data found on that computer would be what we (Posteo) had deposited there.
————
Please note: c’t magazine writes that the email traffic of all users can be channeled over the SINA box without the provider or user noticing. This is incorrect.
————
The authority’s computer (behind the SINA box) would, like the SINA box itself, neither be connected to our servers nor allow access to them. For the authority, the point is to establish a completely isolated system, such that third parties have no way to intercept data that we are required to provide manually. If a judicial ruling exists, we need to provide copies of the data via this computer, for example by one-way FTP transfer.
Even without a SINA box, we are – in the event of a judicial ruling – already required to surrender an email account’s data, which we also point out in our privacy policy. Every email provider in Germany is required to do this, no matter how small.
The legislator has set the hurdle for surrender of content very high: your emails are governed by secrecy of telecommunications. Because we never surrender email accounts of our own free will (§ 94 Abs. 1 StPO), instead always formally objecting, the lawful seizure of a Posteo account must always be ordered by a judge (§ 94 Abs. 2 StPO, § 98 Abs. 1 S. 1 and Abs. 2 S. 1 StPO). An order to lawfully surveil an email account can only be obtained in cases of specific, severe crimes, and not, among other things, for infringements. The legal ruling on this can be found, for example, here. The judicial ruling must be presented to us (the provider) and will be checked by our lawyers for scope and formal correctness before we provide any data.
After submission of a judicial ruling, the provider therefore delivers the data itself. The user must not be informed about the order for lawful interception. This is prohibited; we would make ourselves liable to prosecution.
At present, for example, we would have to send a DVD containing the email account contents to the authority – via the SINA box, the authority would obtain the data more quickly and securely. Otherwise, there is no difference from the previous procedure. In addition, there is no possibility for the authorities to access our users’ data.
We would like to release a transparency report on the number of requests from authorities as soon as possible. This would certainly counter general uncertainty. Unfortunately, it is not yet fully clear if this is permitted under German law. It is possible that we could make ourselves liable to prosecution by publishing a transparency report. We are currently obtaining a legal opinion on this. We will shortly provide a page with information about common legal questions.
We hope we have provided some clarity with this piece.
Best regards,
The Posteo team