Transparency report

"We would like you to know how often authorities request user data from Posteo. For this reason we published a transparency report in May 2014, becoming the first German telecommunications provider to do so. Since then, we've regularly provided an impulse for more transparency and disclosed grievances in requests for information from authorities."

Transparency report

Welcome to the Posteo transparency report.

We would like you to know how often authorities request user data from Posteo. In this report, we show how often investigative authorities and intelligence services have requested data from Posteo – and how often we actually had to release data. In addition, you will find out how often these requests were formally correct and how many of the requests were illegal. The report covers all requests from authorities that Posteo received until the end of December 2016. Numbers for the current year, 2017, will be published in January 2018.

Posteo publishes requests

Because many requests from authorities that reach Posteo do not comply with the legal provisions, we have continually devoted emphasis to the information process in our reports since 2015. Here we direct criticism at the chaotic conditions that rule in requests for user information under § 113 TKG. We reveal that in practice, grave security problems exist, there are regular breaches of the law and that deficiencies in controls are making the situation worse.

To prove this, we draw among other things on our own case documentation and publish examples of illegal requests from authorities. In addition, we publish our written communication with all the respective German federal state privacy officers as well as the justice ministries of the federal states. Thus you obtain an insight into our privacy-oriented background work that takes place at Posteo behind the scenes all year round.

We also occupy ourselves with the control instrument of the judicial reservation, which is in a state that in our view is no longer equitable in a constitutional state. In practice, all applications for surveillance measures were clearly approved. Though no statistics are kept on the efficacy of the judicial reservation, we have found numbers that prove this.

Our goals

In May 2014, Posteo became the first German telecommunications provider to publish a transparency report. We first had the permissibility of such a report checked with a legal opinion. With our move, we induced that in the meantime, other German providers also publish transparency reports – including, among others, Deutsche Telekom. With our transparency report, we would like to contribute to making existing grievances and legal realities public and allowing them to be debated.

We want something to change: despite that the government has been informed of some of the grievances for years, the situation has clearly not improved. Democratic control of state disclosure processes and surveillance measures in Germany must therefore be strengthened. We make proposals to this end in our transparency report. We call for the control organs to be better equipped, for example.

Answers to frequently asked questions on the legal bases and processes as well as how Posteo deals with requests from authorities are found in the "Background information and FAQs" section.

Requests for information:

Preliminary note: We are a privacy-oriented provider with a strong concept of data efficiency. We therefore possess neither personal data (user data like names and addresses), nor the IP addresses of our customers. If Posteo becomes required to release user data under a judicial ruling, authorities can therefore only receive content data (e.g. emails). In response to requests for personal information or IP addresses, we reply to the authorities that we do not possess the requested data. Between December 2015 and December 2016, the number of accounts registered at Posteo increased by about 40%. At the same time, the number of requests from authorities significantly decreased.

Number of requests 2016
Total: 35
From German authorities: 35
From foreign authorities: 0
Type of authority
Law enforcement: 34
Intelligence services: 1
Type of request
Requests for user information: 28
Mailbox seizures: 2
Requests for traffic data: 2
TKÜ (surveillance of an account for a specified time period): 2
Unclear requests: 1

Correctness

Admissibility / formal correctness of the request (checked by our lawyers)
Formally correct requests for user information: 14
Formally incorrect requests for user information: 14
Formally correct seizures: 2
Formally correct TKÜ: 2
Formally correct requests for traffic data: 2
Formally incorrect, unclear requests: 1

Number of releases

Releases
Releases of user information: 0
Reason: data not available / anonymous signup
Releases of user information on bank details: 0
Reason: data not available / anonymous payment
Releases of traffic data: 0
Reason: data (IP addresses) not available / not required for operational purposes
Number of mailboxes affected by release of content data under account seizure, ongoing transfer of data under TKÜ: 3
Reason: formally correct judicial ruling

Explanation:
The difference between the number of requests for content data and their release is due to the following: a seizure can not be carried out when crypto mail storage is activated. Two accounts were each seized twice (various time periods requested).

Complaints by Posteo

Complaints to federal state privacy officers
Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data 14
Number of requests 2015
Total: 48
From German authorities: 47
From foreign authorities: 1
Type of authority
Law enforcement: 47
Intelligence services: 1
Type of request
Requests for user information: 27
Mailbox seizures: 8
Requests for traffic data: 6
TKÜ (surveillance of an account for a specified time period): 4
Unclear requests: 3

Correctness

Admissibility / formal correctness of the request (checked by our lawyers)
Formally correct requests for user information: 14
Formally incorrect requests for user information: 13
Formally correct seizures: 8
Formally correct TKÜ: 4
Formally correct requests for traffic data: 5
Formally incorrect, unclear requests: 3

Number of releases

Releases
Releases of user information: 0
Reason: data not available / anonymous signup
Releases of user information on bank details: 0
Reason: data not available / anonymous payment
Releases of traffic data: 0
Reason: data (IP addresses) not available / not required for operational purposes
Number of mailboxes affected by release of content data under account seizure, ongoing transfer of data under TKÜ: 5
Reason: formally correct judicial ruling

Explanation:
The difference between the number of requests for content data and their release is due to the following: A seizure can not be carried out when crypto mail storage is activated. Two accounts were each seized twice (various time periods requested).

Complaints by Posteo

Complaints to federal state privacy officers
Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data 13
Number of requests 2014
Total: 22
From German authorities: 22
From foreign authorities: 0
Type of authority
Law enforcement: 22
Intelligence services: 0
Type of request
Requests for user information: 17
Mailbox seizures: 1
Requests for traffic data: 2
TKÜ (surveillance of an account for a specified time period): 2

Correctness

Admissibility / formal correctness of the request (checked by our lawyers)
Formally correct requests for user information: 2
Formally incorrect requests for user information: 15
Formally correct seizures: 1
Formally correct TKÜ: 2
Formally correct requests for traffic data: 2

Number of releases

Releases
Releases of user information: 0
Reason: data not available / anonymous signup
Releases of user information on bank details: 0
Reason: data not available / anonymous payment
Releases of traffic data: 0
Reason: data (IP addresses) not available / not required for operational purposes
Number of mailboxes affected by release of content data under account seizure, ongoing transfer of data under TKÜ: 2
Reason: formally correct judicial ruling

Complaints by Posteo

Complaints to federal state privacy officers
Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data 15
TKÜ interrupted by Posteo while in progress
Reason: original decision not sent to Posteo within the required time frame 1

2013 requests for information:

Number of requests
Total: 7 *
those from German public authorities: 7
those from foreign public authorities: 0
Type of public authority
Law enforcement agencies: 7
Intelligence services: 0
Type of request
Queries regarding inventory data: 7
those of a mailbox name regarding existent bank data: 1
Mailbox seizures: 1
Queries regarding traffic data: 1
TKÜ (monitoring of a mailbox for a specific time period): 1

Correctness/arbitrariness

Permissibility / formal correctness of the request (review by our attorneys)
Formally correct queries regarding inventory data: 2
Formally incorrect queries regarding inventory data: 5
Formally correct seizures: 1
Formally correct TKÜs: 1
Formally correct queries regarding traffic data: 1
Cases of arbitrariness on the part of public authorities
Allegation: unauthorised search of Posteo, coercion, encouragement of unlawful cooperation: 1
(see: Disciplinary complaints / criminal complaints)

Number and success rate

Success rate
Total number of cases in which data were released: 1
Releases after simple queries regarding inventory data: 0
Reason: Data not available/anonymous log on
Releases after a query of a mailbox name for existent bank data: 0
Reason: Data not available/anonymous payment
Releases of data after a mailbox seizure, ongoing transfers of data according to a TKÜ: 1
Reason: formally correct court order

Appeals / complaints by Posteo

Complaints of our attorney to the data protection officers of the relevant federal states
Reason: transmission of requests from public authorities that does not conform to regulations 1
Criminal complaints/ disciplinary complaints against law enforcement officials, prosecutors and judges
Allegation: among other things, coercion, encouragement of unlawful cooperation, disregard of applicable law, ordering of a mailbox seizure, queries regarding traffic data and TKÜs without a sufficient legal basis, ordering of a search of Posteo without a sufficient legal basis 4

Explanation:
* We have received requests from public authorities in a total of 7 cases, of which 6 were solely queries regarding inventory data. In one case, various requests were made (inventory data, traffic data, mailbox contents and ongoing monitoring of telecommunications).

Emphases

Constitutional state out of control: indefensible circumstances in manual requests for user information under § 113 TKG   In this section, we document since 2015 the ongoing security problems in the practice of requests for information. Many requests are transferred to us insecurely, despite containing sensitive information. For this reason, many of the requests are illegal. We prove this using our own case documentation, which we publish here, blacked out. In addition, you will also find a large amount of correspondence between Posteo and the federal state privacy officers on this topic.
Read more about illegal requests and security problems in practice here.

1. Massive security problems in the practice of requests for information under § 113 TKG

In the practice of requests for information under § 113 TKG there are serious security problems. Requests for user information under § 113 TKG contain sensitive personal information. From police authorities, we mostly receive email addresses or names that are specified in connection with a concrete criminal charge. Sometimes the requests even contain a person’s complete bank or payment details. Posteo frequently receives such requests for user information.

Investigative authorities are legally required by the BDSG (among other things) [translation] to ensure that personal data can not be read, copied, changed or deleted in an unauthorised manner under electronic transfer, during its transport or saving to a data storage medium. (BDSG, Anlage, sentence 4)

Illegal, insecure transfer of sensitive data

Many requests under § 113 TKG reach us via email and were transmitted to us insecurely or unencrypted. This procedure violates valid privacy provisions and is illegal. (See BDSG § 9, Anlage, sentences 4 and 8 as well as the respective rules on “technisch-organisatorischen Maßnahmen” of the Landesdatenschutzgesetze, among others). If requests are transferred unencrypted, they can easily end up in the hands of data thieves on their way over the internet.

Many requests under § 113 TKG exhibit additional deficiencies that also violate privacy provisions or other laws. Some examples include:

  • Sending police requests to our customer support rather than the people responsible (anti-abuse team)
  • Use of non-work email accounts to transfer requests, providing such accounts as a reply address
  • Requests for information and data, the release of which is not permitted under § 113 TKG, e.g. traffic data such as IP addresses
  • Failure to provide a secure method to reply
  • Failure to provide a legal basis for the enquiry (required by law)
Gallery 1: Examples of insecurely transferred requests from authorities
The problem is known to privacy officers

A large proportion of requests under § 113 TKG reach us in this way (by unencrypted email). Fax is seldom used by authorities (2013-2016), and only one single request has reached us so far by post. Occasionally, we also receive requests by email with an unencrypted document attached that is incorrectly marked "Telefax-Nachricht" (Telefax message). In January 2015, we first made complaints with the responsible privacy officers for the respective German federal states about the insecure transfer of sensitive data by police authorities. The responses from the privacy groups were unambiguous: the problem of insecure transfer of sensitive data by police authorities is known and remains an occasion for conversations and controls. The replies prove that insecure sending of sensitive information by police authorities is a topic requiring urgent action.
Here is what the privacy officer for North Rhine-Westphalia wrote to us:

[translation] Regarding the MIK NRW we have repeatedly advised that requests in investigative processes should in principle occur by post or in justified cases by fax. If a request by email is required in an exceptional case, either the message itself must be encrypted or as a minimum the transfer of personal information must occur in an encrypted attachment. I will treat your request as an occasion to raise this topic again with the MIK NRW to work towards a privacy-legitimate configuration of police investigations.

(Complete response in German: see gallery 2, below)

The Bavarian privacy officer informed us:

[translation] Since the transfer of personal information in unencrypted emails by the police continues to be an occasion for checks in terms of data-protection law, I have already concerned myself with this topic within my professional duties on multiple occasions. (…) I can assure you that I also regularly debate this topic independently of my concrete controls of the responsible police positions. I am currently in contact with the Bavarian State Office of Criminal Investigation to check the configuration of the retrieval process used there with telecommunications services.

(Complete response in German: see gallery 2, below)

The Mecklenburg privacy officers were also active:

[translation] I have contacted the affected service post and referred to their implementation of privacy measures, so that in future requests under § 113 TKG arrive by secure means and the rights of the party involved are not violated. I have also made the Ministry for Internal Affairs and Sport of Mecklenburg-Vorpommern aware of this grievance. The Ministry (…) assured me that it would again sensitise the officers to the correct handling of personal data and surveillance (TKÜ) requests under § 113 TKG.

(Complete response in German: see gallery 2, below)

The Saxon privacy officers even set the police president an ultimatum:

[translation] We absolutely support your concern. I therefore today sent a letter to the Saxon police president with a request to redress this, and asked him to tell us by the 15th of April 2015 which remedies he has put in place.

Complete response in German: see gallery 2, below)

The privacy officers’ responses prove that unencrypted requests are a known problem to them. If it is common practice for police authorities to send sensitive information unencrypted via the internet (for example regarding requests under § 113 TKG), then it is not only a problem in terms of privacy: it is also illegal and possibly endangers current investigations. Data thieves can thereby easily access the requests or the authorities’ communication.

In some cases, we have experienced the bureaucracy as being very cumbersome. In response to one case, the Berlin privacy officer replied to us five months later, as follows: [translation] Unfortunately, the matter can not yet be conclusively resolved.

Some months earlier, he had notified us in writing that he had asked the police for information on current guidelines for requests for information and the sending of personal information.

In conclusion: we assume that total, nationwide security problems exist in the practice of manual requests for user information (under § 113 TKG). At Posteo, in any case, not a single request was received from police authorities by email that was encrypted and thereby conformed to the legal requirements for secure transfer.

Responses from the privacy officers have confirmed to us that we are not the only ones affected.

Gallery 2: Responses from the federal state privacy officers (in German)
Complaints do not lead to remedies

Unfortunately, our complaints have not yet led to any remedies. During 2015 and 2016, all requests that arrived with us via email were transferred insecurely, including from German federal states where the federal state privacy officer appeared particularly engaged. We are therefore asking ourselves how remedies can be achieved. If officers are not sufficiently schooled in secure ways of dealing with data and IT engineering, this constitutes a fundamental security problem in the police’s work.

We will continue to give the privacy officers regular practical feedback and inform them of every unencrypted transfer of a request that reaches us.

As we see it, the security of the process in practice is currently not guaranteed. We therefore engaged politics. Ultimately, however, it is not the provider’s task to check if the dealings of authorities are legal or to work towards this. The state itself needs to achieve and ensure that. In July 2015 at an appointment in the Posteo lab we gave Thomas Oppermann, chairman of the SPD fraction, a statement on this. Oppermann then wrote to Federal Minister of the Interior, Thomas de Maiziere. In his reply to Thomas Oppermann, the minister admitted to braches of the law in the practice. He explained, however, that the BKA would only desire user information in plain text if no encryption was possible for the email communication with a provider or if it did not support the methods used by the police authority. These statements by the minister are remarkable. He clearly considers breaches of the law to be justified in some circumstances. In addition, his statements do not apply: we provide the keys required for secure communication on our website, for example. Encrypted communication with us is unquestionably possible. Nonetheless we have received multiple requests from the BKA that were all transferred unencrypted. Every insecure transfer is a breach of the Federal Data Protection Act (BDSG). Criminal investigators must ensure that personal data can not be read, copied, changed or removed in an unauthorised manner during its electronic transfer, transport or saving to data storage. If a provider does not offer any possibility for encrypted communication, then fax or the post is to be used. The security of authorities’ communication must urgently be improved – otherwise, data thieves and hackers can easily obtain it.

2. Prohibited requests for dynamic IP addresses

In introducing the next problem area that we see in the practice of requests under § 113 TKG, we remain in political territory. In January 2013, SPD representative Burkhard Lischka directed a written enquiry to the German government. He asked whether it was known to the government,

[translation] that in practice, countless requests for the release of information under § 113 TKG have as their object the release of data that is not user information (e.g. log files, dynamic IP addresses, (…).

Questions to the government, from p7, q12, 13, 14 (in German)

He added: [translation] If so, which authorities conduct this illegal practice and what is the government doing to stop it?

The background to his question is that a few months earlier, BITKOM made the German parliament’s judiciary committee aware of grievances in requests for user information, in a statement:

[translation] In practice, countless requests for information under § 113 TKG are known that involve the release of data that does not constitute user information (e.g. log files, IP addresses, date and time of the last access to an account, addresses with other providers of the individual concerned, the identity of authorities that had already requested the same user information, etc). It therefore follows that providers already have to deal with countless requests that serve investigations and go far beyond the regularly content of the norm.

BITKOM statement from 17th October 2012 (in German)

To summarise, BITKOM objected that authorities making requests for user information (under § 113 TKG) frequently request information whose release in response to such requests is absolutely not lawful. For requests under § 113 TKG for which no judicial ruling exists, authorities can only request user information – approximately only names and addresses, and not dynamic IP addresses or log files. These highly-sensitive traffic data are governed by secrecy of telecommunications (Fernmeldegeheimnis) and can only be released at the directive of a judge.

In its reply on the 28th of January 2013, the German government dismissed BITKOM’s statements as “allegations”:

[translation] The government is – aside from the allegations quoted in the question of the BITKOM statement – not aware of any such cases.

Response from the German government (in German, from p7, q12, 13, 14)

The government nonetheless took the BITKOM accusations as an occasion to question various investigative authorities. And they stated:

[translation] The results of the interrogation did not provide any evidence of illegal requests.

Authorities illegally request dynamic IP addresses

We hereby confirm the BITKOM “allegations”: in about 30% of all requests from police authorities that reached us in the years 2014 to 2016 concerning requests for user information under § 113 TKG, police officers illegally asked for dynamic IP addresses or the IP address of the most recent login.

To prove this, we continue to publish examples of such illegal requests (blacked out): the originals are located in writing at Posteo. In these, it is also clear that officers do not only attempt the illegal release of IP addresses, but also occasionally succeed to obtain and save these for their investigations. This is also not permissible.

Gallery 3: Examples of prohibited requests for IP addresses by authorities

We find it astounding that in January 2013 the government obviously did not via BITKOM turn to the organisation where such illegal requests exist. The government would, in our view, have informed itself with the organisations and needed to reach suitable remedy measures. That it refrained from doing this, even though it was informed by a large German industry association of illegal practices by authorities, is completely incomprehensible to us. Instead, clearly only the authorities were asked and the statements from the high-tech industry association were labelled allegations. In a constitutional state, when advice of illegal practices of the executive authority exist, these should be more seriously pursued.

Government again questioned in 2015

In the summer of 2015, member of parliament Dieter Janecek (speaker on economics from the Greens fraction) again asked the government about this topic, wanting to know if they remain faithful to their assessment. In his question, the representative referred to the BITKOM statement as well as the Posteo transparency report.

The Federal Ministry of the Interior explained in its response:

[translation] The government still has no indication of any illegal requests. (…) Usually, the responsible entities for privacy controls educate senior authorities about offences against privacy regulations that have been identified. In the government’s view, proceedings beyond this are not required.

Response from the German government from 19th August 2015
Privacy officers do not respond to complaints regarding the IP address problem

Perhaps there is a communication problem between the privacy officers and the government, because in all cases in which police authorities illegally requested IP addresses, we made complaints to the respective federal state privacy officers. In their replies, none of the privacy officers responded to our complaints on this matter. Our complaints were clearly not passed on to the highest federal authorities, as is otherwise customary according to the BMI statement. Illegitimate requests for IP addresses do not constitute mere violations of privacy guidelines; requesting an IP address within a request for user information is illegal under the TKG law (Telekommunikationsgesetz). Those involved are not only federal state police authorities. We have also received such illegal requests requests from state investigative authorities.

Our conclusion: The government is clearly completely uninterested in whether illegal practices exist in requests for user information. The Federal Ministry of the Interior has remained idle for years. As such requests frequently infringe on citizens’ rights, this is irresponsible, in our view.

Contention due to the IP address problem

In cases of enquiries under § 113 TKG made to Posteo which illegally requested traffic data, situations subsequently often arose in which we were put under pressure and threatened. We always refer officials back to the valid law. We advise that we would make ourselves liable for prosecution by releasing traffic data in response to a request under § 113 TKG (see § 206 StGB) and that for the release of traffic data, a judicial ruling must exist. We explain to the officers that in a request under § 113 TKG, they can only request user information if they have an IP address on hand that is already known to them. The fact that the reverse disclosure is not allowed is often not known to officers.

Some react to this information with amazement or anger. Officers have repeatedly asserted to us that with other parties, they easily obtained IP addresses in requests under § 113 TKG. Whether this is true or was only intended to unsettle us, we don’t know. What we can prove is that police officers frequently and with great self-assurance make written requests for traffic data under § 113 TKG (see image gallery with examples). We therefore think that it is absolutely possible that the legislation on information practices is also not always observed by the obligated parties (e.g. companies).

One possible reason for this could be that the circle of parties regarding information under § 113 TKG is very large, and not restricted to telecommunications providers. Many of the obligated parties do not necessarily possess the required legal knowledge to be able to correctly identify illegal enquiries as such.

Consequence: high legal costs

Due to escalated, illegitimate demands for IP addresses, we have already incurred enormous legal costs and financial damage of a mid-range, five-figure sum, for example, to lodge protective texts with the courts, for correspondence with investigating officers, legal advice, etc. In one case, we reported investigating officers who personally sought us out in our office. The public prosecutor’s office gave our notification no weight – as our lawyers had in advance predicted would happen. The prosecution told us that our document was plainly false and ceased any proceedings against the officers without any further investigations into them. Instead, they required us to pay a fine due to “false suspicion”, which the court also approved. Posteo company director Patrik Löhr was required to pay a fine. High legal costs are accompanied by the fact that we could theoretically receive 18 EUR back from the state for the effort involved in each request for user information under § 113 TKG. We do not make use of this facility. As a privacy-oriented company we do not accept any money from authorities for requests for user information.

Requests under § 113 TKG will gain meaning with the reintroduction of data retention laws

We have shown that the security of the process is currently not guaranteed and that authorities frequently make illegal requests under § 113 TKG to Posteo for traffic data such as dynamic IP addresses. In addition, we have shown that the problem of insecure transfer is known to the respective German federal state privacy officers. Further, we indicated that the industry organisation BITKOM had in 2012 already made the government aware of countless illegal requests made under § 113 TKG.

Given the lack of process we would like to advise that the process under § 113 TKG with data retention ("Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten") will gain importance. The law will effect a large increase in the amount of data available for requests for user data.

Coveted information: internet users will be identified by requests under § 113 TKG

Via the process, authorised parties will in future far more often be able to receive information about which person a dynamic IP address was assigned to at a particular point in time. An example: an officer approaches a provider with an IP address and would like to know which person is behind the address. The provider compares the IP address with the IP data that are held in their database for data retention. This is allowed for the provider without a judicial ruling. The provider must then tell the officer which person is behind the IP address (again: not the other way around). This is very coveted information for which no judicial reservation is intended and can already be used in cases of minor breaches of the law.

We therefore assume that the number of requests under § 113 TKG and thereby also the number of insecure and illegal requests will sharply increase with the introduction of the new law. There is an additional reason for this assumption: checking IP data and the resulting release of user information can only occur via the manual disclosure process under § 113 TKG. This is not possible via the automated process under § 112 TKG.

The number of illegal requests will markedly increase

It is our view that the process under § 113 TKG with its current patent flaws in practice is in no way suitable. Today a large amount of citizens’ sensitive data is already insecurely transferred due to this process and there are countless illegal enquiries from authorities.

In addition, there are insufficient controls of the process: to our knowledge, there is no requirement in existence to keep statistics for enquiries under § 113 TKG. Thus the effect of the introduction of the law on data retention – how it concretely affects the number of requests – can not be evaluated, and the number of requests by state authorities will remain unknown to the public.

The government must act: the reintroduction of data retention must be abandoned

It is in no way acceptable that citizens’ sensitive data continue to be sent or requested insecurely over the internet by authorities, or that dynamic IP addresses governed by the secrecy of telecommunications are given out in response to simple enquiries under § 113 TKG without a judicial ruling. In our view, no new laws or guidelines can therefore be introduced that would further increase the number of illegal and insecure requests made.

We therefore demand that the government introduces measures as soon as possible that are intended to ensure that the request and transfer of sensitive citizens’ information by authorities under § 113 TKG occurs fundamentally by secure means (no proprietary solutions) and also corresponding to the legal regulations – and when it occurs by email, then exclusively by encrypted email. In addition, we demand that the government introduces measures as soon as possible that ensure that for requests for user information, no more illegal requests for traffic data or any other information that goes far beyond the norm occur.

We are of the view that there is a glaring need for processes to be adjusted in an organisational respect, so that a privacy-equitable and constitutional state conforming configuration of the disclosure process can be secured in future. For this, we suggest the introduction of reporting requirements (among other things, see the section on controls of the information process).

Until this remedy is achieved, data retention (Einführung des Gesetzes zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten) is in our view unreasonable for this reason alone, as it will in practice further increase the amount of insecure and illegitimate data transfer and the legal cracks in the disclosure process under § 113 TKG.

Independent of this, we completely and with great emphasis reject the reintroduction of data retention for countless further reasons, e.g. for privacy reasons and data security as well as due to its accompanying blanket restrictions of fundamental rights, that we do not deem reasonable. On this topic, please also read our text on the control instrument of judicial reservation, which we also criticise in this report. The law will nonetheless confront providers like Posteo with even more illegal requests and accompanying bureaucracy and legal costs in connection with requests under § 113 TKG.

In addition, we demand that the Federal Office for Information Security become liberated as an independent state authority from the business branch of the Federal Ministry of the Interior so that the BSI can be an independent contact for security questions.

Inadequate public controls of the information process under § 113 TKG and § 112 TKG The fact that controls regularly occur in the practice of requests for information by security authorities is absolutely essential for the balance between security and freedom in a democracy. Through it, misuse of the process can be prevented or at least identified in retrospect. Illegal practices can be counteracted with controls. We are convinced that controls of the information process under § 113 TKG and § 112 TKG exhibits grave deficiencies – if controls can be spoken of whatsoever. Requests for user information under § 113 TKG appears to be a grey zone. There is no requirement to keep statistics. Insofar as numbers become known at all, these originate from transparency reports by German telecommunications providers that only exist since 2014, after Posteo became the first German provider to publish a transparency report on requests from authorities.
Read more about the deficient controls of the information process here.

In a democracy, it is essential for a balanced relationship between security and freedom that controls in the practice of information processes regularly take place. Through these, misuse of the process can be prevented or ascertained in hindsight. Inadmissible practices can be counteracted with controls. We are convinced that the information process under § 113 TKG and § 112 TKG exhibits grave deficiencies – if controls can be spoken of at all, that is.

The example of § 112 TKG: millions of automated requests and only a handful of controls

Not only in connection with a manual request for user information under § 113 TKG can authorities request user information. There is also the automated process under § 112 TKG, in which about 150 larger telecommunications companies take part (at Posteo, data can only be requested under § 113 TKG). In Germany, many millions of automated requests for user information under § 112 TKG are made each year. In 2014, 6.92 million requests were made to the Federal Network Agency which together led to 34.30 million requests to telecommunications providers. We asked ourselves how many controls these millions of requests made by authorities were actually subject to. We therefore wrote to the parties responsible.

From the privacy officers’ replies, it emerges that last year only a handful of requests by the Federal Network Agency and the state privacy representative (BfDi) were subject to controls, and these were mostly only checked for concrete tips on insider threats that had been reported from within the police authorities themselves.

The state privacy representative wrote to us: [translation] In recent years there were only few requests made under § 112 TKG, mostly from police authorities. These cases were checked together with the Federal Network Agency. Complete response: see gallery 4, further below

The last mention of controls in ten years of old reports of proceedings

To comment more closely on these “few cases” that were subject to controls, the state privacy representative only referred us to very old reports of proceedings from the years 2001–2004, with the addition, that [translation] “these are absolutely still current.”

In the 2003–2004 report, there is concrete talk of three cases:

[translation] During the period of the report, there were only a few requests from police authorities due to suspicion of unauthorised requests by insider threats. In three cases, data could be reported back that led to an investigation process.

See 20. Tätigkeitsbericht des BfDI 2003–2004, p144 ff.

A look at the newer reports shows that controls on requests under § 112 TKG in the procedure reports of 2005–2014 were clearly no longer mentioned. Whether controls were even undertaken at all after 2004 is therefore unclear to the public. For us, this is a very sobering result.

Before we knew of this result, we had sent written enquiries to all the federal state privacy officers, asking for the number of controls from 2013 and 2014. For requests under § 112 TKG, the federal state privacy officers also have control powers, where it concerns requests from public positions in their respective federal states. This was also sobering: all the privacy officers replied that they had not undertaken any controls of requests under § 112 TKG. Some of the privacy officers, however, want to undertake controls in future due to our enquiry.

The Hamburg privacy officer wrote to us:

[translation] Your enquiry will be taken as an occasion to undertake a privacy-legal control of the positions mentioned in § 112 Abs. 2 TKG this year.

Complete response: see gallery 4, further below

From Rhineland-Palatinate we received this commitment:

[translation] Because a competency centre for telecommunications surveillance measures is set up in [Rhineland-Palatinate], I have this area on my check plan for the current year. I will make controls of the process concerning § 112 TKG and successful retrievals made on this basis.

Complete response: see gallery 4, further below

Some privacy officers were of the view that they were not responsible. The privacy officer for Mecklenburg-Vorpommern advised us of a further problem – inadequate facilities for privacy authorities:

[translation] Due to a large number of petitions from various areas regarding privacy and freedom of information it is not possible in terms of either time or personnel for us to undertake controls on our own initiative of requests under § 112 TKG.

Complete response: see gallery 4, further below

As a matter of fact, no controls of the process under § 112 TKG occur. The only positive thing to note is that for the automated request process under § 112 TKG there are still reporting and protocol requirements, so that it can at least be seen in the Federal Network Agency yearly reports how often the process is utilised by authorised parties.

Gallery 4: responses from privacy officers on the controls of requests for information under § 112 TKG

Grey zone in § 113 TKG: no statistical data available

There are no statistical surveys by public positions of the number of requests under § 113 TKG available. Corresponding requirements for statistics are not known to our lawyers. Insofar as numbers are known at all, these originate from German telecommunications providers’ transparency reports that have existed since 2014, after Posteo became the first German provider to publish a transparency report on requests from authorities. In the Deutsche Telekom’s report for 2014, 27,957 requests were made under § 113 TKG. Complaints about security problems and illegal requests from the responsible organs of control have not yet led to a remedy in the requests that reach us, as we presented in part one.

§ 113 TKG: introducing reporting requirements to improve public controls

The process constitutes a grey zone, in a way. This is by no means acceptable, because requesting user information under § 113 TKG generally requires better controls and evaluation (see our section on chaotic circumstances for user information requests).

In our view, reporting requirements for requests under § 113 TKG should be urgently introduced. The numbers should be published yearly, as they are for other kinds of requests for information, e.g. as is common for requests under § 112 TKG (published in the Federal Network Agency's yearly report) and under § 100a StPO, (published on the Bundesamtes für Justiz website).

In addition, similarly to the automated process under § 112 TKG, protocol requirements should ensure that for each request, information should be held on which officer requested what information, to make internal and external controls (for example by privacy officers) easier in retrospect.

It is to be expected that these control possibilities would work against misuse and illegal requests. In this area, remedies are urgently required.

§ 113 TKG: broaden controls and intensify schooling of investigative officers

In our view it is urgently required that the responsible organs of control regularly and comprehensively make controls of compliance to the legal requirements for requests under § 113 TKG until the deficits in the process are eliminated nationwide. Investigative officers must, in addition, become comprehensively schooled in the secure and legally compliant handling of information technology in general and with sensitive data in particular.

Better equip privacy officers

In conclusion, on the topic of deficient controls, we would also like to advise of the current report on the duties of the representative for privacy and freedom of information.

In it is contained a warning with regard to future information processes, that:

[translation] the system of checks and balances in the area of intelligence services is in massive imbalance. Especially since 2001, the tasks and powers of security authorities as well as their personnel and equipment are considerably enlarged. The wide-scope cooperation between police and intelligence agencies has intensified nationally and internationally. Large central databases have been set up and a new security structure established. (...) On the control organs’ side, no corresponding development has occurred, i.e. also insofar as existing, grave lawmaking deficits that must be eliminated as quickly as possible in the interest of the citizens. As a result of this development it is no longer possible, given the negligible personnel and equipment available to me, for me to adequately fulfil my legally-assigned duties to advise and undertake controls. It is also no longer possible for me appropriately ensure the compensation function of my controls of the citizens concerned that the Federal Constitutional Court stressed in its verdict on anti-terror file law, i.e. to check for the party concerned whether their rights under secret interventions by the security authorities are protected."

Source: Tätigkeitsbericht der Bundesdatenschutzbeauftragten 2013 & 2014, p36

This statement is a warning from the federal state privacy officer. We see an urgent need to conform to the demands of the BfDI, such that more personnel and equipment is made available to them, also so that they can urge a secure and legally-conforming practice for information processes, for example, requests under § 113 TKG, and to comprehensively effect this with increased controls. The same applies for the federal state privacy officers’ equipment. The control organs must become altogether better equipped such that existing grievances can be effectively confronted.

Judicial reservation: in practice, clearly all applications for surveillance measures were granted In this section we occupy ourselves with the control instrument of the judicial reservation, which in our view no longer fairly performs its intended function. In practice, clearly all applications for surveillance measures are approved. Although no statistics are kept as to the effectiveness of the judicial reservation, we found numbers to demonstrate this. We also explain why the deficiencies that we present demonstrate that data retention should definitely not be reintroduced. Incidentally, if you think that a surveillance measure (TKÜ) couldn’t affect you because you haven’t committed any crimes, you are incorrect. In practice, people within the sphere of a suspect also have their communication surveilled or seized, even if there is absolutely no suspicion of a crime committed by that person.
Read more about the judicial reservation here.

When discussions about interventions into the fundamental rights of citizens occur, critics are often calmed by the argument that these can only occur under strict requirements and only with a “judicial reservation”. Referring to the judicial reservation is a common argument: the citizens’ trust in the judiciary is much greater than their trust in the government, according to surveys. At the moment, arguments are again being made using the judicial reservation; this time it’s about the planned reintroduction of data retention.

The control instrument of the judicial reservation has been accused for many years of being less effective in practice. For example, two well-invested studies published by Bielefeld University and the Max Planck Institute for Foreign and International Criminal Law came to this conclusion in 2003. Both studies documented multiple deficiencies in the process at the time. The Max Planck Institute, for example, came to the conclusion that a surveillance measure would fail to be granted only in absolutely exceptional cases.

The Bielefeld University study stated at the time that only a quarter of surveillance measures were arranged according to the process regulations. Moreover, the surveillance measures would mostly consist of orders, which allows the assumption that judges do not reach their decision independently.

A public prosecutor who was surveyed by Max Planck Institut researchers at the time stated the following on the topic of email surveillance, for the record:

[translation] In the area of email surveillance, an update and clarification is required. Chaos rules. There are the most crazy legal concepts and regardless of which application I submit, the judge allows it in these cases.

Source: Studie des Max-Planck-Institutes für ausländisches und internationales Strafrecht, p226

We have also grappled for some time with the question of how the control instrument of the judicial reservation intended by the legislator for surveillance measures has developed in Germany – and how its effectiveness is controlled or evaluated. The occasion for this question was (among other things) telecommunication surveillance (TKÜ) that was ordered for which both we and our lawyers found the offence stated to be insufficient. Incidentally, if you think that a surveillance measure (TKÜ) couldn’t affect you because you haven’t committed any crimes, you are incorrect. In practice, people within the sphere of a suspect also have their communication surveilled or seized, even if there is absolutely no suspicion of a crime committed by that person.

1. Legislators don’t sufficiently evaluate the effectiveness of the control instrument of the judicial reservation

If a suspect is ascertained and police officers with the public prosecutor instigate the seizing or surveillance of an email account, legal protection for the affected party is severely restricted by the secrecy of the measure. It can not be heard before the decision of the determining judge responsible. The judge should compensate for this deficit: the judge checks the case and if convinced that the telecommunication of the suspect should indeed be surveilled or seized, allows the public prosecutor’s application. Information as to how often a judge rejects an application for a surveillance measure is therefore an important indicator of how effective the control instrument of the judicial reservation really is. If, for example, all applications for surveillance were to be approved in a particular state, this would be a strong indication that the state is on the way to becoming a surveillance state.

How often a judge declines an application for surveillance can not be statistically ascertained

How often a judge declines a surveillance measure mostly can not, however, be ascertained in Germany. In the Federal Office of Justice’s yearly report, only the number of rulings passed is specified, in which measures under § 100a Abs. 1 StPO were arranged, as well as the number of surveillance measures undertaken (cf. § 100b Abs. 5, 6 StPO). The German federal states have to supply these numbers to the Federal Office of Justice. Numbers such as how often an application for a surveillance measure is not satisfying to a judge are not included in the statistics, however. The judicial reservation is therefore a control instrument whose efficacy it is actually largely unknown.

Posteo surveyed justice ministries in all German federal states

We wanted to know if the corresponding numbers were perhaps available in the German federal states. At the start of the year, we therefore asked the justice ministries for information in writing.

Initially, the responses were disappointing. We received the same responses time and again in which we were told that no statistics were kept as to how often applications for a surveillance measure were denied. The number of cases in which applications for surveillance (TKÜ) were denied was supposedly unknown. The fact that the number of refused applications for surveillance was not collected was supposedly because there was no necessity for reporting in the law.

The Bavarian state justice ministry (among others) explained to us:

[translation] The necessity to report under § 100b Abs. 5, Abs. 6 StPo does not stipulate any requirement to compile denied applications, which is why no statistics on this exist.

The state justice ministry of Hesse told us that this would require an effort of manual analysis [translation] that seems disproportionate to me and criminal investigative authorities can not be overburdened.

We then received the information that we sought: from Berlin, we received a reply that the senate in Berlin had collected the number of denied surveillance measures since 2006.

Gallery 5: some responses from the Ministries of Justice

And we were shocked.

Since 2007, not a single application for surveillance was denied

Since 2007, not a single application for telecommunication surveillance has been denied in Berlin. (See the respective yearly reports from the senate on the practice of telephone surveillance under §§ 100 a, 100 b StPO)

In total, between 2008 and 2014 in Berlin, 14,621 applications for surveillance were made – and approved. The number of surveillance measures arranged increased markedly over these years.

The fact that between 2008 and 2014, not a single one of the 14,621 applications for surveillance in Berlin was denied, certainly clarifies in our perception that doubts regarding the effectiveness of the control instruments of the judicial reservation are not only justified, but also that there is a need for clarification. How can it be possible that judges grant every single application for surveillance of a citizen over many years? What do these numbers say about the state of our constitutional state? The numbers from Berlin provide a wide overview of a large time period. In our view, they clearly prove that the instrument of the intended controls has actually not been of sufficient quality for a long time and a debate is necessary.

Over the years, the situation has got worse: the Max Planck Institute study of 2003 came to the conclusion that only 0.4% of applications for surveillance measures were not approved, and the rate in Berlin over the last seven years in a row is 0.00%. (Source: Max Planck Institute study, p177, PDF p197 and yearly reports from Berlin.) That all orders occurred conforming to the process regulations is doubtful: in any case, the Bielefeld University study of 2003 came to the conclusion that 75% of all surveillance reviewed was not ordered in accordance with the process requirements.

Reporting requirements under § 100b Abs. 5, Abs. 6 StPo must be extended

Without the yearly reports from Berlin, which the federal state of Berlin has voluntarily given out since 2006, there would be absolutely no numbers available on the effectiveness of the judicial reservation in Germany. For us, this is incomprehensible for reasons of democratic controls alone. The fact that every request for surveillance is approved according to the numbers available to us is, due to the lack of reporting requirements, not only unknown to the wider public, but the legislator can not evaluate the effect of its own control instrument. In our view, the legislator absolutely must compile nationwide statistics for the purposes of evaluation and control on how often applications for surveillance measures are actually granted, and how often judges decline surveillance (TKÜ). Only when appropriate statistics are available is control possible. Alarming developments can then be recognised early and debated.

We therefore recommend that adapting the reporting requirements for control and evaluation purposes under § 100b Abs. 5, Abs. 6 StPO to that effect, so that not only the number of surveillance (TKÜ) measures arranged can be statistically recorded, but also the number of denied requests for surveillance (TKÜ) in order to check the effectiveness of the judicial reservation.

Lack of time and personnel in the courts

According to studies, a lack of time and personnel in the courts has for years also contributed to the situation. We can see an important starting point to strengthen the control of surveillance processes here. The Max Planck Institute study from 2003 already explains, for example, that the judge for an investigation, with evidence of a heavy workload, only has ten to a maximum of 30 minutes to check a decision for surveillance (TKÜ). Another judge stated then that he was forced to put his “checking priorities” into more serious cases, like bodily attacks or arrest warrants. The study determined, moreover, that police initiation of surveillance (TKÜ) was regularly taken over by federal prosecution and the judge in the investigation. The reasons for the order for surveillance (TKÜ) were, [translation] “according to the records and after self-assessment of criminal investigators surveyed, almost exclusively written by the police”, not by the judges themselves.

With regard to the judges’ workloads there appears to have been no improvement in the last few years:

From a current study, the Roland Rechtsreport 2014, it emerges that nine out of ten judges and federal prosecutors surveyed think it is necessary for additional judges and federal prosecutors to be employed. 85% of those surveyed said they have too little time for their legal cases. A vast majority (72%) of judges and federal prosecutors were of the view that the framework of conditions for jurisdiction in Germany are currently deteriorating. The main reason for this was that there are too few personnel.

We think it is alarming that such conditions have clearly existed for many years, and that there have clearly been no efforts made since the study from 2003 that would have led to an actual improvement in the controls of surveillance processes. This clearly leads in practice to statistics like those from Berlin, which in our judgement are no longer fair in a constitutional state. If the possibilities for surveillance in Germany continue to develop while these deficiencies linger, this is a development that can not be beneficial to democracy.

As the government is currently planning to reintroduce data retention and will authorise these public positions to make attacks on fundamental rights that should be subject to controls by the instrument of the judicial reservation, we summon the German Minister for Justice, Heiko Maas, to stop the draft legislation. If the possibilities for surveillance in Germany continue to be expanded while the deficiencies outlined in our transparency report still exist and clearly every application for surveillance is approved, this is a development that can not be beneficial to democracy. Data retention would allow public positions to make attacks on fundamental rights that are supposed to be subject to control by the instrument of the judicial reservation. According to the numbers we have documented, the instrument has not fairly performed its intended control tasks for many years. Controls of the information process are also deficient. Often there is no requirement to keep statistics or reports. In the practice of requests for user information under § 113 TKG, chaotic circumstances rule: almost all requests that reach us are illegal. We fear that the introduction of the law would lead to a further increase in illegal requests.

Background information and frequently asked questions

General:

Why does Posteo publish a transparency report once per year? 

We want our customers to know how many and what type of requests for information we receive from authorities. We also want to make transparent how Posteo handles such inquiries. After the large-scale surveillance of citizens by intelligence agencies became known, it is more important than ever that providers publish transparency reports. They strengthen fundamental rights, informational self-determination and democracy as a whole.

Why did Posteo first publish a transparency report in 2014, and why had no other telecommunications provider done so until then? 

In 2013, we received our first requests whatsoever from police authorities. For us it was clear that we wanted in future to publish a transparency report on requests from authorities following the model of American telecommunications companies.
Our lawyers pointed out, however, that the legal situation regarding this in Germany was not clear and for this reason, no German provider had published a transparency report until then. The legislator obligates German telecommunications providers with secrecy regarding requests for information in the Telecommunications Act (TKG) and the German G10 Act, among others. Therefore, prior to publication in May 2014, we had our attorneys prepare a comprehensive legal opinion. We needed to clarify the situation in advance, as violating the obligation of secrecy is punishable with up to five years’ imprisonment. The expert assessment that we commissioned determined that publishing purely statistical information that does not allow any inferences regarding individual cases is permitted. The Federal Ministry of Justice (Bundesministerium der Justiz) then also confirmed this in response to an enquiry from Christian Ströbele, MdB. Posteo then ultimately published the first transparency report by a German telecommunication provider on the 14th of May, 2014.

What would Posteo like to achieve by publishing transparency reports? 

We would like it to be become standard in Germany that telecommunications providers publish transparency reports. This form of transparency strengthens the possibility of democratic controls and the evaluation of surveillance measures. When we published the first report by a German telecommunications provider in 2014, the Deutsche Telekom followed a few hours later. In the mean time, a few other German providers have also published appropriate reports. We offer an exchange of experiences with other providers for which this comes into consideration.
Furthermore, we would like to instigate the provision of transparency reports by German providers in open data format, so that a transparent overall picture of requests for information can emerge. We publish our transparency report in an open, standardised exchange format (XML and JSON) so that any interested party has the ability to process and work statistically with the data we provide. An additional goal of our transparency reports is to reveal grievances in the information process and work towards improvement.

Why does Posteo publish the transparency report as open data? 

For our transparency reports, we make the numbers available in a machine-readable format from now on. The data can then be read licence-free (CC0) and continue to be processed. In this way, individuals or companies that are interested can assess the data in a completely different form to us, for example, undertaking analysis and comparisons, if other providers also use this format to make the data in their transparency reports available. The key term here is “open data”. A civil society can debate better with such transparently available data at hand. In contrast with personal data, that has a high requirement for protection, such statistical data does not require protection, but rather should be available to all interested parties.
For the machine-readable form, we use a so-called plist/XML scheme that can also be used by other providers without issue and can be extended if required. The data for 2014 can be accessed as JSON or PLIST.

Do the Posteo transparency reports cover all requests that Posteo has received to date? Is there such a thing as “secret requests”, which can not be included in the statistics? 

In Germany, there are no such secret requests for which we can not provide statistical information. The Posteo transparency reports therefore cover all requests that we have received. In Posteo’s first four years of business (2009–2012) we did not receive any requests from authorities; until spring of 2013, Posteo was a very small provider. Reports exist for the years 2013 and 2014. Our reports encompass all requests from investigative authorities as well as all requests from intelligence services that have reached us.

Why do authorities request user information from an email provider? 

Authorities request user information for various reasons: for example, to solve a crime or to pursue a suspicion of a minor breach of the law. Where there is a suspicion of serious crimes, investigative authorities are under certain circumstances entitled to receive emails or traffic data from providers. For this, however, they require a judicial ruling. For the release of personal information (for example, name and address) on the other hand, neither a judicial ruling nor the suspicion of a serious crime is necessary. With Posteo, no personal information can be requested as we do not collect our customers’ user information.

What does Posteo do when there is an inquiry from an authority? Does Posteo take legal action against unlawful requests? 

We first have each inquiry from a public authority carefully reviewed by our lawyers. We take the protection of our users' data very seriously. If our lawyers’ check determines that a request is not legally conforming, formally incorrect or the reach of a decision does not extend to the data requested by the authority, we lodge complaints. Posteo will never release data if there is doubt as to the correctness or legality of a ruling. We do not spare any expense or effort: we assure you that our lawyers, who are specialised in telecommunications, will do everything to defend your right to informational self-determination in the worst case scenario. We do not want to hinder (criminal) investigations, but we do want to ensure that the investigating authorities are actually entitled to receive the requested data. If the authorities are actually entitled to receive a Posteo user’s content data (for example, emails) due to a judicial ruling, then we must transfer such data to them. We are required to do this by law. Such requests are, however, very rare.
In most cases, authorities only request user information such as names and addresses, and as we do not save such data, we can not release it.

How often has Posteo had to transfer data to eligible authorities? 

In 2013 and 2014, we were only required to release data to investigative authorities in individual cases after a judicial ruling (see the transparency reports for the years 2013 and 2014). Altogether, three email accounts were affected, for which there were sometimes multiple requests (e.g. account seizure as well as TKÜ). In each case, the authorities had presented a formally correct ruling for the ongoing surveillance of an email account or an email account’s seizure. Release of the data occurred only after a thorough check by our lawyers. In the years prior to 2013 we did not receive any requests from authorities.

Have Posteo employees Posteo ever been threatened, or have there ever been attempts to persuade them to unlawfully release data? 

Yes. We go into this in the transparency report under "Authorities illegally request dynamic IP addresses".

Are affected users informed by Posteo? 

No, we are not allowed to inform affected users. That would make us liable for prosecution. German telecommunications providers are bound to secrecy regarding most requests for information from authorities by various laws (among others, the Telecommunications Act (TKG) and the G10 Act). This has been regulated by statute in order to preclude ongoing investigations from being jeopardised.

Types of data, requests and legal bases:

What are inventory data? 

Your personal data (such as your name and address or bank account number) are called "inventory data" in the texts of the laws. When you become the customer of a telecommunications company, the company (TKG § 111) must store the following personal data for you: your name, your date of birth, and your address. When connections are made, your telephone and fax numbers, as well as (depending on the kind of connection) further data such as device numbers, connection numbers or data about the contract’s beginning and end must also be saved. For email providers, there is a special regulation – they are allowed to refrain from collecting your personal data (§ 111 TKG), and are then not required to save it. Posteo makes use of this regulation. We do not need your personal data – not even for billing purposes (see: Anonymous payment with Posteo). If email providers want to save your personal data, they must (§ 111 TKG) save the following data: the name of the email mailbox, the name of the holder of the email's mailbox, and this person’s address. If the provider stores your bank data in connection with your mailbox, such data are also existent inventory data.

Why does Posteo not collect any inventory data? 

The legislator even explicitly calls on companies (§ 3a of the German Federal Data Protection Act) to avoid saving personal data whenever possible:

Data avoidance and data minimisation: The collection, processing and use of personal data and the selection and design of data processing systems must be oriented to the goal of collecting, processing and using as little personal data as possible. In particular, personal data are to be made anonymous or pseudonymous, to the extent that this is possible according to the intended purpose and does not require disproportionate efforts in relation to the protective purpose that is sought.

Bundesdatenschutzgesetz § 3a

Our design of Posteo has been guided by this requirement.
We work as economically with data as possible, to protect our users as best as possible: only data that is not collected, can with 100% certainty not be stolen or misused. Meanwhile, countless cases have become known in which criminals have stolen customers’ data from companies. For example, to access bank data and to commit fraud. Our concept employs maximal privacy: we therefore do not collect any personal data, and have made all payment processes anonymous.

Under which circumstances may public authorities demand inventory data from email providers? Can inventory data be queried from Posteo? 

Authorities can receive no inventory data from Posteo, because we don’t collect it.
In general, inventory data may be queried from providers by numerous authorities and other authorised parties upon suspicion of a minor misdemeanour (such as a parking violation or a noise complaint). There is no substantive review or requirement of a judicial decision. The law allows for the identification of internet users for the prosecution of misdemeanours of any type. When providers with more than 100,000 participants collect inventory data, they must make it automatically available for query. According to the German Federal Network Agency (Bundesnetzagentur), about 6.92 million requests producing 34.3 million results were carried out in this manner in 2014.(Source: 2014 Activity Report of the Federal Network Agency)

Do authorities only ask for data that companies are allowed to release within the framework of a disclosure of inventory data? 

No. In the practice of inventory data requests under § 113 TKG there exist grave security problems and deficiencies. Please read our transparency report from this year which concerns itself with this subject.

What are traffic data? 

Traffic data are data that arise in telecommunications activity. Such data document, for example, the point in time at which an email was exchanged between two electronic mailboxes. Traffic data that accumulate at email providers are, for example:

  • information regarding when (point in time) an email was sent from a specific email address to another email address
  • information regarding the IP address from which the email was sent

Such data are stored in the email provider’s so-called "log files". They may use such data only for the following two purposes:

  1. for detecting, isolating and eliminating technical errors (§ 100, para. 1 TKG), for example, when sending or receiving emails
  2. for detecting misuse of the system (§ 100, para. 3 TKG), for example, by spammers.

When can traffic data be released to authorities? Can authorities demand that Posteo collects traffic data for the prosecution of crimes? 

Traffic data are subject to the protection of telecommunications secrecy. It is therefore prohibited to release traffic data in response to simple inquiries from authorities. Law enforcement agencies need a court order to query traffic data with us. This is only granted by a judge if there is suspicion of a serious criminal act. German law also does not permit traffic data to be stored separately for the purpose of law enforcement (in particular, data retention). Only data that is lawfully stored for operational reasons may be used to issue information. This means that public authorities are not allowed to demand that we collect additional traffic data of our users. When you visit our site and log in to your mailbox, we do not store your IP address, for example.

Can Posteo release IP addresses of its users? 

No. We can not collect and save these because we do not require them for operational purposes. We therefore do not possess IP addresses in connection to any accounts and can not release them as a result.

What is telecommunications secrecy, and when can it be limited? 

Telecommunications secrecy is a fundamental right and, just like mail and postal secrecy, is subject to the protection of Article 10 of the German Basic Law (Grundgesetz). It stipulates that citizens have a right vis-à-vis the state for their private communications to be shielded so that facts and thoughts can be exchanged and passed on without this being observed from the outside. Both specific content (phone calls, emails) and the traffic data of telecommunications are subject to telecommunications secrecy. However, this may also be limited – the cases in which limitations are possible are governed in the German Code of Criminal Procedure (Strafprozessordnung or StPO) and the G10 Act. With law enforcement actions, a monitoring of telecommunications for a certain period of time may be ordered if there is a justified suspicion of a serious criminal act (§ 100a, StPO). The monitoring must be ordered by a judge or – if there is a danger in delay – by the Public Prosecutor's Office. Moreover, under § 100g of the StPO, the communication of traffic data may be ordered in individual cases. The G10 Act stipulates when services such as the State Offices of the Protection of the Constitution and the Office for Military Counter-Intelligence Service are entitled to monitor telecommunications. If monitoring is ordered, the telecommunications provider must provide the authorised public authorities with a copy of the telecommunications activity. The person affected by such monitoring must be informed of the measure that was conducted (by the authorities) as soon as the "purpose of the measure" permits this. The authorities must destroy the data that they received during the access.

What are content data, and under which circumstances can they be queried from email providers? 

Content data are nothing more than the "content" of your communications – your emails. The German legislator has placed a hurdle on the release of content that is quite high: your emails are subject to telecommunications secrecy. As we never voluntarily release mailboxes (§ 94, para. 1, StPO) but always formally object to inquiries, a seizure under criminal law of a Posteo mailbox must be ordered by a judge (§ 94, para. 2, StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1, StPO). Moreover, a TKÜ order under criminal law for monitoring a mailbox for a certain period of time may be effected only for certain serious criminal acts. Every court order must be presented to us (the provider) by the public authorities, and is reviewed by our attorneys for scope and formal correctness before we pass on any data. The customer affected may not be informed of a TKÜ order. That would make us liable to prosecution.
Please read our transparency report of this year, which occupies itself with this topic.

What is the difference between a mailbox seizure and a TKÜ? 

If there is a seizure under criminal law of a Posteo mailbox (§ 94, para. 2, StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1, StPO), we are obliged to pass on all emails that were in the relevant electronic mailbox at the point in time of the seizure. If there is a TKÜ order for monitoring a mailbox, we are obliged to divert to the authorised public authorities all emails that are received in or are sent from the relevant mailbox, beginning with the time of the order. Previously stored emails are not affected by a TKÜ. However, both measures – seizure and ongoing monitoring – may be combined with each other.

Common questions on the release of data: encryption, passwords and “eavesdropping interfaces”

I read that email providers with more than 10,000 users must install a governmental eavesdropping interface. Is that true and is that the so-called SINA box? 

There is no SINA box at Posteo yet. A SINA box is not an eavesdropping interface that allows authorities access to data at a provider. More information on the SINA box and the way German email providers transmit data to authorities can be found in our blog post on this topic. In the telecommunication surveillance act, there is a requirement for telecommunications providers with at least 10,000 members to install a special computer (SINA box). For us, it is not possible to determine without doubt how many members our service has, as we do not collect any user information from our users. We only know the number of email accounts. The Bundesnetzagentur assumes that we have meanwhile crossed the threshold. We have therefore intensively occupied ourselves with this topic during the last year. This resulted in various questions that we are now pursuing. As soon as there is any news on this, we will report it in our blog.

Can Posteo be forced by investigative authorities or intelligence services to crack encryption? 

No, unlike in the United States or the UK (for example), this is not possible in Germany. There are no laws in Germany that could oblige us to break encryption. We had this clarified through our lawyers before developing encryption features such as Posteo crypto mail storage. This, for example, is technically designed such that Posteo can not remove the encryption applied by the user – only the user can do this themselves. If a user furnishes data with end-to-end encryption, this can not be removed by the respective provider.

Can authorities force Posteo to build backdoors and the like at Posteo? 

No. There is no legal basis for this in Germany.

Can Posteo release my Posteo password to authorities? 

No. We do not store your password in plain text, but only as so-called "salted hash values". Thus, we do not know your password, and cannot release it either to you or to any third party. You can find more information on the encryption of passwords at Posteo on our encryption topic page.

I have stored a mobile phone number at Posteo. Can this number be released to authorities? 

No. Your mobile number is encrypted in our database, again, as a "salted hash". We do not know your mobile phone number, and cannot release it to any third party. You can find more information about encryption of mobile telephone numbers at Posteo on our encryption explanation page.

Can Posteo release my IP address? 

No. Since data retention was thrown out by the Federal Constitutional Court (Bundesverfassungsgericht) in March 2010, German email providers can only save IP addresses for a maximum of seven days if required for operational purposes.
As we do not require our users’ IP addresses for operational purposes, it is therefore not allowed for us to save them. We therefore do not save our users’ IP addresses and can not give them out as a result.

Is Posteo affected by the planned reintroduction of data retention? 

The government’s draft law for the planned reintroduction of data retention ("Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten") stipulates that the entire area of email should be exempt from being saved. This means that if it remains like this, Posteo is not counted among the obligated parties.
Independent of this, we reject data retention in principle. We are currently following the situation very closely.

Can investigative authorities access my data at all if I furnish my emails with end-to-end encryption or my Posteo email account is encrypted (with crypto mail storage)? 

If we are required by a judicial ruling to release an email account, we need to release content data, as it exists. Email data saved with us that has been encrypted by the customer, e.g. using our crypto mail storage or with the help of end-to-end encryption, can not be decrypted by Posteo in retrospect.
If emails are encrypted, they will therefore be released encrypted.