Transparency Report 2013

Why is Posteo publishing a transparency report?

We want you to know how many and what type of requests for information we receive from public authorities. We also want to inform you how Posteo handles such inquiries. After the NSA scandal, it is more important than ever that providers publish transparency reports. They strengthen digital civil rights, self-determination on the internet and democracy as a whole.

Why has Posteo not published a transparency report in the past?

Because the legal situation regarding this in Germany is not clear. The law imposes on the telecommunications providers (such as Posteo) the obligation to maintain secrecy regarding requests for information, in (among other laws) the Telecommunications Act (TKG) and in the German G10 Act. However, how far these secrecy obligations extend is not evident from the texts of the laws. Therefore, prior to publication, we had our attorneys prepare a comprehensive legal opinion regarding whether it is possible to publish transparency reports in Germany. It was important for us to clarify this matter, because last year (2013), we received requests for information for the first time.

Does the report cover all previous requests for information?

Yes. This report includes all requests for information that we have received to date. This report covers only 2013 because in Posteo's first four years (2009-2012), there were no inquiries from public authorities at all. Posteo was a very small provider until the spring of 2013. This may be one reason why we did not receive any inquiries before 2013. It is also possible that last year's revision of the regulations regarding the disclosure of inventory data led to an increase in inquiries.

Why should a public authority make a query regarding user data held by an email provider?

Public authorities seek user data for a great variety of reasons: for example, in the course of (criminal) investigation work, in order to solve criminal acts or to pursue suspicions of misdemeanours. In particular, law enforcement agencies are, under certain circumstances, entitled to receive emails or traffic data from providers.

What does Posteo do when there is an inquiry from a public authority? Does Posteo take legal action against unlawful requests?

We first have each inquiry from a public authority carefully reviewed by our attorneys. We take the protection of our users' data very seriously. We do not want to hinder (criminal) investigations, but we want to ensure that the investigating public authorities are actually entitled to receive the requested data. In most cases we do not have the requested data (inventory data) in our possession. We always answer these inquiries in the negative. If public authorities are actually entitled to receive data stored at Posteo (based on a court order), we must forward such data to them. However, if our attorneys conclude on the basis of their review that a request does not conform to the law or is formally incorrect, or that the court order does not cover the data sought by the public authority, we, working together with our attorneys, do what we can for the affected user. Accordingly, last year there were several cases in which our attorneys filed a complaint with the data protection officer of the relevant state. In addition, disciplinary complaints / criminal complaints were filed against the law enforcement officials involved, and against one public prosecutor and one judge. In this effort, we spare no expense and no effort – we assure you that our attorneys, who are specialised in telecommunications, will do everything to defend your right to informational self-determination vis-à-vis the various organs of the state, if the occasion arises.

How often has Posteo previously transferred data to authorised public authorities?

So far, we have had to forward data to law enforcement agencies in just one particular case. The public authorities had presented a formally correct court order for the seizure and ongoing monitoring of an email mailbox. However, in terms of content, we and our attorneys were convinced that the court order was obtained without sufficient legal basis, so we filed a disciplinary complaint against the responsible public prosecutor.

Have employees of Posteo ever been threatened, or have there ever been unlawful attempts to persuade them to release data?

Yes, in one case. In July 2013, officials of the State Protection Office carried out a search at Posteo and attempted to coerce us into engaging in unlawful cooperation and to release data. We filed a criminal complaint against the law enforcement officials involved. They used as leverage a purported court order to search and seize all of our business records and documents. In point of fact, they possessed only one court order for release of a single sheet of paper. We filed a disciplinary complaint against the judge who had signed the court order to search Posteo. The law enforcement officials wanted (among other things) us to write a script for them that would have documented the IP addresses that Posteo users access when logging in to their email addresses. With this script, they wanted to find out which email address belongs to certain IP addresses already known to them. The officials threatened that otherwise, we would be forced to cooperate through a court order. There is no legal basis whatsoever that could obligate telecommunications providers to provide such cooperation. Here, you can view our disciplinary complaint / criminal complaint.

Are the affected users informed by Posteo?

No, we are not allowed to inform affected users. That would make us liable for prosecution. Unlike the situation in other countries, German telecommunications providers are bound to secrecy regarding most requests for information from public authorities by various laws (among other laws, the Telecommunications Act (TKG) and the G10 Act. This has been regulated by statute in order to preclude ongoing investigations from being jeopardised.

Does Posteo's data-minimising approach protect me from requests for information from public authorities?

When a user registers, we do not collect any personal data. Moreover, the data we receive with payments is not linked to electronic mailboxes. Consequently, there are many kinds of requests for information from the public authorities (such as inquiries within the framework of a disclosure of inventory data) to which we are only able to respond in the negative. However, if there is a suspicion of certain serious criminal acts, we can be presented with a court order that obligates us to submit content data and certain traffic data to law enforcement agencies.

What are inventory data, and why does Posteo not collect any inventory data?

Your personal data (such as your name, your address and your account number) are called "inventory data" in the texts of the laws. When you become a customer of a telecommunications company, the company (§ 111 TKG) must store the following personal data regarding you: your name, your date of birth, your address. When connections are made, additional data must be stored as follows: your telephone and fax numbers; the address of the respective connection; for mobile telephone contracts that include a device, the device number of the device and the date the contract took effect; for connections in general, the connection identification along with the date the contract took effect and the date it ended. For email providers, there is a special regulation – they are allowed to refrain from collecting your personal data (§ 111 TKG), and are then not required to store it. Posteo makes use of this option. We do not need your personal data – not even for billing purposes (see: Anonymous payment with Posteo). If email providers want to store your personal data, they must (§ 111 TKG) store the following data: the name of the email mailbox, the name of the holder of the email's mailbox, and this person’s address. Many email providers also collect your date of birth, although they are not legally obligated to do so. This supplementary information can sometimes be "voluntary". If the provider stores your bank data in connection with your mailbox, such data are also existent inventory data. There is a great deal of "deceptive packaging" on the market – there are now some providers that advertise with data minimisation or anonymous registration, yet they still collect your inventory data. Posteo does not collect this data, as we want to work with the highest possible degree of data minimisation. Only data that has not been collected cannot be stolen or misused. Numerous cases in which criminals have stolen customer data from companies have now become known. These thefts occur, for example, to access bank data and to commit fraud. The law even explicitly calls on operators of data processing systems (§ 3a of the German Federal Data Protection Act)to avoid storing personal data whenever possible – and calls for data minimisation:

§ 3a of the Federal Data Protection Act – Data avoidance and data minimisation: The collection, processing and use of personal data and the selection and design of data processing systems must be oriented to the goal of collecting, processing and using as little personal data as possible. In particular, personal data are to be made anonymous or pseudonymous, to the extent that this is possible according to the intended purpose and does not require disproportionate efforts in relation to the protective purpose that is sought.

Our design of Posteo has been guided by this requirement. We do not collect any personal data, and have made all payment processes anonymous.

Under which circumstances may public authorities demand inventory data from email providers? Can inventory data be queried from Posteo?

Inventory data may be queried from providers by numerous public authorities and other authorised parties even when there is just a suspicion of a misdemeanour (such as a parking violation or disturbance of the peace). There is no substantive review or requirement of a judicial decision. The law allows for the identification of Internet users for the prosecution of misdemeanours of any type.
When providers with more than 100,000 participants collect inventory data, they must make it automatically available for query. According to the German Federal Network Agency, 36 million queries were carried out in this manner in 2012. (Source: 2013 Activity Report of the Federal Network Agency, page 266)

Inventory data cannot be queried from Posteo because no such data is collected in the first place.

Do public authorities only ask for data that companies are allowed to release within the framework of a disclosure of inventory data?

Unfortunately, no. We – and other providers too – have seen that with inquiries about inventory data, public authorities often ask for data that that they are not authorised to query. The provider is under the obligation to check whether a request from a public authority is formally correct. In 2012, the German Federal Association for Information Technology, Telecommunications and New Media (BITKOM) published the following statement: "In practice, we are aware of countless requests for information based on § 113 TKG that have as their subject matter the release of data that are simply not inventory data (such as log files, IP addresses, date and time of last access to an account, email addresses the person concerned that this person is known to have with other providers, the identity of public authorities that have already asked for the same inventory data, etc.). If follows from this that even today providers have to deal with numerous inquiries that actually serve the purpose of exploration and go far beyond the regulatory content of the legal standard."

What are traffic data?

Traffic data are data that arise in telecommunications activity. Such data document, for example, the point in time at which an email was exchanged between two electronic mailboxes. Since the practice of data retention for possible future use was overturned by the Federal Constitutional Court in March 2010, email providers may store traffic data only for a period of at most 7 days. Sensitive traffic data are subject to the protection of telecommunications secrecy. This means that public authorities need a court order when they want to query this data from telecommunications providers. A court order may be issued only if there is a suspicion of certain serious criminal acts. Traffic data that accumulate at email providers include the following:

• information regarding when (point in time) an email was sent from a specific email address to another email address
• information regarding the IP address from which the email was sent

Such data are stored in the so-called "log files" of the email provider. They may use such data only for the following two purposes:

1. for detecting, isolating and eliminating technical errors (§ 100, para. 1 TKG), for example, when sending or receiving emails
2. for detecting misuse of the system (§ 100, para. 3 TKG), for example, by spammers

Posteo, like everybody else, needs to log file data for the purposes set out above. For example: A user believes that an email has been sent to them, but has not arrived. Then they contacts us. We look in the log files to see whether there was a delivery attempt and tell the user what has happened.

Traffic data and requests for information from public authorities:

Traffic data are subject to the protection of telecommunications secrecy. Releasing traffic data in response to simple inquiries from public authorities is prohibited. Law enforcement agencies need a court order to query traffic data from us. This is only granted by a judge if there is suspicion of a serious criminal act. German law also does not permit traffic data to be stored separately for the purpose of law enforcement (data retention for possible future use is particularly prohibited). Only data that is lawfully stored for operational reasons may be used to issue information. This means that public authorities are not allowed to demand that we collect additional traffic data from our users. When you visit our site and log in to your mailbox, we do not store your IP address.

What is telecommunications secrecy, and when can it be limited?

Telecommunications secrecy is a fundamental right and, just like mail and postal secrecy, is subject to the protection of Article 10 of the German Basic Law (Grundgesetz). It stipulates that citizens have a right vis-à-vis the state for their private communications to be shielded so that facts and thoughts can be exchanged and passed on without this being observed from the outside. Both specific content (phone calls, emails) and the traffic data of telecommunications are subject to telecommunications secrecy. However, this may also be limited – the cases in which limitations are possible are governed in the German Code of Criminal Procedure (Strafprozessordnung, "StPO") and the G10 Act. With law enforcement actions, a monitoring of telecommunications for a certain period of time may be ordered if there is a justified suspicion of a serious criminal act (§ 100a of the StPO). The monitoring must be ordered by a judge or – if there is a danger in delay – by the Public Prosecutor's Office. Moreover, under § 100g of the StPO, the communication of traffic data may be ordered in individual cases. The G10 Act stipulates when services such as the State Offices of the Protection of the Constitution and the Office for Military Counter-Intelligence Service are entitled to monitor telecommunications. If monitoring is ordered, the telecommunications provider must provide the authorised public authorities with a copy of the telecommunications activity. The person affected by such monitoring must be informed of the measure that was conducted (by the public authorities) as soon as the "purpose of the measure" permits this. The public authorities must destroy the data that they received during the access.

What are content data, and under which circumstances can they be queried from email providers?

Content data are nothing more than the "content" of your communications – your emails. German lawgivers have placed a hurdle on the release of content that is quite high: your emails are subject to telecommunications secrecy. As we never voluntarily release mailboxes (§ 94, para. 1 of the StPO), but always formally object to inquiries, a seizure under criminal law of a Posteo mailbox must be ordered by a judge (§ 94, para. 2 of the StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1 of the StPO). Moreover, a TKÜ order under criminal law for monitoring a mailbox for a certain period of time may be effected only for certain serious criminal acts. Every court order must be presented to us (the provider) by the public authorities, and is reviewed by our attorneys for scope and formal correctness before we pass on any data. The customer affected may not be informed of a TKÜ order. That would make us liable to prosecution.

However, we would like to point out that under certain circumstances, the requirement of a judicial decision as a control mechanism is not a sufficiently effective instrument. As early as 2003, the University of Bielefeld and the Max Planck Institute (MPI) identified the deficiencies of this procedure in independent studies. MPI's study showed, for example, that in only 0.4% of the cases did a judge decide not to approve a requested monitoring measure. (Source: MPI study, page 177, or page 197 of the PDF)

What is the difference between a mailbox seizure and a TKÜ?

If there is a seizure under criminal law of a Posteo mailbox (§ 94, para. 2 of the StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1 of the StPO), we are obliged to pass on all emails that were in the relevant electronic mailbox at the point in time of the seizure. If there is a TKÜ order for monitoring a mailbox, we are obliged to divert to the authorised public authorities all emails that are received in or are sent from the relevant mailbox, beginning with the time of the order. Previously stored emails are not affected by a TKÜ. However, both measures – seizure and ongoing monitoring – may be combined with each other.

I have read that email providers with more than 10,000 users must install a governmental eavesdropping interface (SINA box). Is that true and is there a SINA box at Posteo?

There is no SINA box at Posteo, at least not yet. And a SINA box is also not an "eavesdropping interface". Under the German Telecommunications Monitoring Ordinance (Telekommunikations-Überwachungsverordnung), there is an obligation for telecommunications providers to install a special computer (a SINA box) after reaching 10,000 participants. At Posteo, the number of participants in our service cannot be said with absolute certainty because we do not collect any inventory data regarding our users. We only know the number of mailboxes. We will certainly have to purchase a SINA box eventually. Determining the right point in time for this is being left to our very experienced attorneys, who frequently negotiate SINA solutions for various telecommunications companies with the Federal Network Agency. But this is mostly just a financial nuisance. It will not diminish the security of our users' data. We can assure you that an in-depth analysis of this topic (with attorneys, public authorities, and others), has convinced us that this is so. You can learn more about SINA boxes and the manner by which email providers transmit data to public authorities in our blog post on this topic.

Can Posteo be forced by public authorities to crack encryption?

No, unlike in the USA or in Great Britain (for example), this is not possible in Germany. There are no laws in Germany that could oblige us to do this. We have had this clarified through our attorneys, since Posteo offers various encryption options for its users' data, and will soon release additional encryption options.

Can public authorities force Posteo to build backdoors and the like at Posteo?

No. There is no legal basis for this in Germany.

Can Posteo release my Posteo password to public authorities?

No. We do not store your password in clear text, but only as so-called "salted hash values". Thus, we do not know your password, and cannot release it either to you or any third party. You can find more information regarding the encryption of passwords at Posteo on our encryption topic page.

I have stored a mobile phone number at Posteo. Can this number be released to public authorities?

No. Your mobile number is encrypted in our database, again, as a "salted hash". We do not know your mobile phone number, and cannot release it to any third party. You can find more information about encryption of mobile telephone numbers at Posteo on our encryption explanation page.