Posteo Transparency report

"We would like you to know how often authorities request user data from Posteo. For this reason we published a transparency report in May 2014, becoming the first German telecommunications provider to do so. Since then, we've regularly provided an impulse for more transparency and disclosed grievances in requests for information from authorities."

Transparency report

Important update

As a result of a ruling by the European Court of Justice (ECJ) on June 13, 2019, email services such as Posteo were no longer subject to the obligations of the German Telecommunications Act (TKG) between June 2019 and November 2021. Thus, the legal basis for any telecommunications monitoring (TKÜ) had ceased to exist. Posteo did not conduct any TKÜ during this period. The Federal Network Agency had removed Posteo from its list of telecommunications providers as a result of the ECJ ruling.

On 1 December 2021, a new TKG came into effect, which now also applies to email services. Our German FAQ section has already been updated accordingly and our English FAQ section is in the process of being adapted to the new TKG. There are still many references to the old TKG in the key topics, which we are gradually updating.

Welcome to the Posteo transparency report.

We would like you to know how often authorities request user data from Posteo. In this report, we show how often investigative authorities and intelligence services have requested data from Posteo – and how often we actually had to release data. You will also find out how often these requests were formally correct and how many of them were illegal. The report covers all requests from authorities that Posteo received until the end of December 2022. We split the figures for 2019 and 2021 into two parts each because, following a decision of the European Court of Justice, email providers were not subject to German telecommunications law (TKG) from June 2019 until November 2021.

Posteo publishes requests

Because many of the requests from authorities that reach Posteo do not comply with the legal provisions, we have placed continual emphasis on the information-request process in our reports since 2015. Here we criticise the chaotic conditions that prevail in requests for user information under § 113 TKG. We show that in practice, grave security problems exist, the law is regularly breached, and deficiencies in oversight make the situation worse.

To prove this, we draw among other things on our own case documentation and publish examples of illegal requests from authorities. In addition, we publish our written correspondence with all the respective German federal state privacy officers as well as with the justice ministries of the federal states. This gives you an insight into the privacy-oriented work that takes place at Posteo behind the scenes all year round.

We also examine the judicial reservation (the requirement that surveillance measures be approved by a judge) as an instrument of control, which in our view is in a state that is no longer acceptable in a constitutional state. In practice, all applications for surveillance measures were clearly approved. Although no statistics are kept on the efficacy of the judicial reservation, we have found numbers that prove this.

Our goals

In May 2014, Posteo became the first German telecommunications provider to publish a transparency report. We first had the permissibility of such a report confirmed by a legal opinion. Our move prompted other German providers, including Deutsche Telekom, to publish transparency reports as well. With our transparency report, we would like to help make existing grievances and legal realities public so that they can be debated.

We want something to change: although the government has been informed of some of these grievances for years, the situation has clearly not improved. Democratic control of state disclosure processes and surveillance measures in Germany must therefore be strengthened. We make proposals to this end in our transparency report, for example calling for the control organs to be better equipped.

Answers to frequently asked questions on the legal bases and processes as well as how Posteo deals with requests from authorities are found in the "Background information and FAQs" section.

Requests for information:

Preliminary note: We are a privacy-oriented provider with a strong commitment to data minimisation. We therefore hold neither personal data (user data such as names and addresses) nor the IP addresses of our customers. If Posteo is required to release user data under a judicial ruling, authorities can therefore only receive content data (e.g. emails). In response to requests for personal information or IP addresses, we reply to the authorities that we do not possess the requested data.

    Number of requests 2023
    Total: 74
    From German authorities: 73
    From foreign authorities: 1
    Type of authority
    Law enforcement: 67
    Intelligence services: 7
    Type of request
    Requests for user information: 55
    Mailbox seizures: 11
    Requests for traffic data: 0
    TKÜ (surveillance of an account for a specified time period): 8
    Unclear requests: 0
    During the reported time frame in 2023, Posteo operated more than half a million accounts.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 21
    Formally incorrect requests for user information: 34
    Formally correct seizures: 11
    Formally correct TKÜ: 8
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 0
    Formally incorrect, unclear requests: 0
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 0

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 5
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 4
    Of which were affected by TKÜ: 5
    Of which were released to intelligence services: 1
    Of which were released to foreign authorities or intelligence services: 0

    Explanation:
    For two mailboxes, there were several consecutive judicial orders for TKÜ (surveillance of an account for a specified time period) and mailbox seizures.

    Complaints by Posteo

    Complaints to federal state privacy officers: 34
    Reason: illegal, insecure transmission of authority requests; illegal request for traffic data (planned)

    Number of requests 2022
    Total: 57
    From German authorities: 51
    From foreign authorities: 6
    Type of authority
    Law enforcement: 51
    Intelligence services: 6
    Type of request
    Requests for user information: 50
    Mailbox seizures: 2
    Requests for traffic data: 0
    TKÜ (surveillance of an account for a specified time period): 1
    Unclear requests: 4
    During the reported time frame in 2022, Posteo operated more than half a million accounts.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 15
    Formally incorrect requests for user information: 35
    Formally correct seizures: 1
    Formally correct TKÜ: 1
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 0
    Formally incorrect, unclear requests: 0
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 6

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 4
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 2
    Of which were affected by TKÜ: 2
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Explanation:
    There was a TKÜ order for two accounts. The TKÜ was cancelled before it was completed.

    Complaints by Posteo

    Complaints to federal state privacy officers: 35
    Reason: illegal, insecure transmission of authority requests; illegal request for traffic data

    Number of requests 2021/2
    Total: 1
    From German authorities: 1
    From foreign authorities: 0
    Type of authority
    Law enforcement: 1
    Intelligence services: 0
    Type of request
    Requests for user information: 1
    Mailbox seizures: 0
    Requests for traffic data: 0
    TKÜ (surveillance of an account for a specified time period): 0
    Unclear requests: 0
    During the reported time frame in 2021, approximately 490,000 accounts were operated by Posteo.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 0
    Formally incorrect requests for user information: 1
    Formally correct seizures: 0
    Formally correct TKÜ: 0
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 0
    Formally incorrect, unclear requests: 0
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 0

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 0
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 0
    Of which were affected by TKÜ: 0
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Complaints by Posteo

    Complaints to federal state privacy officers: 1
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2021/1
    Total: 43
    From German authorities: 40
    From foreign authorities: 3
    Type of authority
    Law enforcement: 42
    Intelligence services: 0
    Type of request
    Requests for user information: 32
    Mailbox seizures: 3
    Requests for traffic data: 0
    TKÜ (surveillance of an account for a specified time period): 0
    Unclear requests: 6
    During the reported time frame in 2021, approximately 490,000 accounts were operated by Posteo.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 3
    Formally incorrect requests for user information: 29
    Formally correct seizures: 3
    Formally correct TKÜ: 0
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 0
    Formally incorrect, unclear requests: 5
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 3

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 3
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 3
    Of which were affected by TKÜ: 0
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Complaints by Posteo

    Complaints to federal state privacy officers: 32
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2020
    Total: 60
    From German authorities: 54
    From foreign authorities: 6
    Type of authority
    Law enforcement: 60
    Intelligence services: 0
    Type of request
    Requests for user information: 52
    Mailbox seizures: 1
    Requests for traffic data: 3
    TKÜ (surveillance of an account for a specified time period): 0
    Unclear requests: 4
    During the reported time frame in 2020, approximately 425,000 accounts were operated by Posteo.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 0
    Formally incorrect requests for user information: 52
    Formally correct seizures: 1
    Formally correct TKÜ: 0
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 0
    Formally incorrect, unclear requests: 3
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 6

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 1
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 1
    Of which were affected by TKÜ: 0
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Complaints by Posteo

    Complaints to federal state privacy officers: 52
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2019/2
    Total: 23
    From German authorities: 22
    From foreign authorities: 1
    Type of authority
    Law enforcement: 20
    Intelligence services: 3
    Type of request
    Requests for user information: 20
    Mailbox seizures: 1
    Requests for traffic data: 2
    TKÜ (surveillance of an account for a specified time period): 0
    Unclear requests: 0
    During the reported time frame in 2019, approximately 350,000 accounts were operated by Posteo.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 0
    Formally incorrect requests for user information: 20
    Formally correct seizures: 1
    Formally correct TKÜ: 0
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 0
    Formally incorrect, unclear requests: 0
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 1

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 1
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 1
    Of which were affected by TKÜ: 0
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Complaints by Posteo

    Complaints to federal state privacy officers: 20
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2019/1
    Total: 20
    From German authorities: 19
    From foreign authorities: 1
    Type of authority
    Law enforcement: 20
    Intelligence services: 0
    Type of request
    Requests for user information: 16
    Mailbox seizures: 1
    Requests for traffic data: 2
    TKÜ (surveillance of an account for a specified time period): 0
    Unclear requests: 1
    During the reported time frame in 2019, approximately 350,000 accounts were operated by Posteo.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 7
    Formally incorrect requests for user information: 9
    Formally correct seizures: 1
    Formally correct TKÜ: 0
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 2
    Formally incorrect, unclear requests: 1
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 1

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 1
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 1
    Of which were affected by TKÜ: 0
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Complaints by Posteo

    Complaints to federal state privacy officers: 9
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2018
    Total: 32
    From German authorities: 31
    From foreign authorities: 1
    Type of authority
    Law enforcement: 26
    Intelligence services: 6
    Type of request
    Requests for user information: 28
    Mailbox seizures: 1
    Requests for traffic data: 2
    TKÜ (surveillance of an account for a specified time period): 1
    Unclear requests: 0
    During the reported time frame in 2018, approximately 285,000 accounts were operated by Posteo.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 12
    Formally incorrect requests for user information: 16
    Formally correct seizures: 1
    Formally correct TKÜ: 1
    Formally incorrect TKÜ: 0
    Formally correct requests for traffic data: 2
    Formally incorrect, unclear requests: 0
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 1

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 2
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 1
    Of which were affected by TKÜ: 1
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Complaints by Posteo

    Complaints to federal state privacy officers: 15
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2017
    Total: 48
    From German authorities: 43
    From foreign authorities: 5
    Type of authority
    Law enforcement: 44
    Intelligence services: 4
    Type of request
    Requests for user information: 41
    Mailbox seizures: 3
    Requests for traffic data: 1
    TKÜ (surveillance of an account for a specified time period): 2
    Unclear requests: 1
    During the reported time frame in 2017, approximately 230,000 accounts were operated by Posteo.

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 23
    Formally incorrect requests for user information: 18
    Formally correct seizures: 3
    Formally correct TKÜ: 1
    Formally incorrect TKÜ: 1
    Formally correct requests for traffic data: 1
    Formally incorrect, unclear requests: 1
    Formally incorrect requests from abroad not made through official mutual legal assistance channels: 4

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Releases of content data (number of affected mailboxes): 3
    Reason: formally correct judicial ruling
    Of which were affected by mailbox seizures: 3
    Of which were affected by TKÜ: 1
    Of which were released to intelligence services: 0
    Of which were released to foreign authorities or intelligence services: 0

    Explanation:
    One account was affected by a combination of a mailbox seizure and surveillance (TKÜ). One TKÜ was formally incorrect and was corrected by the court before being conducted.

    Complaints by Posteo

    Complaints to federal state privacy officers: 14
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2016
    Total: 35
    From German authorities: 35
    From foreign authorities: 0
    Type of authority
    Law enforcement: 34
    Intelligence services: 1
    Type of request
    Requests for user information: 28
    Mailbox seizures: 2
    Requests for traffic data: 2
    TKÜ (surveillance of an account for a specified time period): 2
    Unclear requests: 1

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 14
    Formally incorrect requests for user information: 14
    Formally correct seizures: 2
    Formally correct TKÜ: 2
    Formally correct requests for traffic data: 2
    Formally incorrect, unclear requests: 1

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Number of mailboxes affected by release of content data under account seizure, ongoing transfer of data under TKÜ: 3
    Reason: formally correct judicial ruling

    Explanation:
    The difference between the number of requests for content data and their release is due to the following: several requests were combined for one mailbox.

    Complaints by Posteo

    Complaints to federal state privacy officers: 14
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2015
    Total: 48
    From German authorities: 47
    From foreign authorities: 1
    Type of authority
    Law enforcement: 47
    Intelligence services: 1
    Type of request
    Requests for user information: 27
    Mailbox seizures: 8
    Requests for traffic data: 6
    TKÜ (surveillance of an account for a specified time period): 4
    Unclear requests: 3

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 14
    Formally incorrect requests for user information: 13
    Formally correct seizures: 8
    Formally correct TKÜ: 4
    Formally correct requests for traffic data: 5
    Formally incorrect, unclear requests: 3

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Number of mailboxes affected by release of content data under account seizure, ongoing transfer of data under TKÜ: 5
    Reason: formally correct judicial ruling

    Explanation:
    The difference between the number of requests for content data and their release is due to the following: a seizure cannot be carried out when crypto mail storage is activated. Two accounts were each seized twice (different time periods requested).

    Complaints by Posteo

    Complaints to federal state privacy officers: 13
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data

    Number of requests 2014
    Total: 22
    From German authorities: 22
    From foreign authorities: 0
    Type of authority
    Law enforcement: 22
    Intelligence services: 0
    Type of request
    Requests for user information: 17
    Mailbox seizures: 1
    Requests for traffic data: 2
    TKÜ (surveillance of an account for a specified time period): 2

    Correctness

    Admissibility / formal correctness of the request (checked by our lawyers)
    Formally correct requests for user information: 2
    Formally incorrect requests for user information: 15
    Formally correct seizures: 1
    Formally correct TKÜ: 2
    Formally correct requests for traffic data: 2

    Number of releases

    Releases
    Releases of user information: 0
    Reason: data not available / anonymous signup
    Releases of user information on bank details: 0
    Reason: data not available / anonymous payment
    Releases of traffic data: 0
    Reason: data (IP addresses) not available / not required for operational purposes
    Number of mailboxes affected by release of content data under account seizure, ongoing transfer of data under TKÜ: 2
    Reason: formally correct judicial ruling

    Complaints by Posteo

    Complaints to federal state privacy officers: 15
    Reason: illegal, insecure transfer of an authority's request; illegal request for traffic data
    TKÜ interrupted by Posteo while in progress: 1
    Reason: original decision not sent to Posteo within the required time frame

    2013 requests for information:

    Number of requests
    Total: 7 *
    those from German public authorities: 7
    those from foreign public authorities: 0
    Type of public authority
    Law enforcement agencies: 7
    Intelligence services: 0
    Type of request
    Queries regarding inventory data: 7
    those of a mailbox name regarding existent bank data: 1
    Mailbox seizures: 1
    Queries regarding traffic data: 1
    TKÜ (monitoring of a mailbox for a specific time period): 1

    Correctness/arbitrariness

    Permissibility / formal correctness of the request (review by our attorneys)
    Formally correct queries regarding inventory data: 2
    Formally incorrect queries regarding inventory data: 5
    Formally correct seizures: 1
    Formally correct TKÜs: 1
    Formally correct queries regarding traffic data: 1
    Cases of arbitrariness on the part of public authorities
    Allegation: unauthorised search of Posteo, coercion, encouragement of unlawful cooperation: 1
    (see: Disciplinary complaints / criminal complaints)

    Number and success rate

    Success rate
    Total number of cases in which data were released: 1
    Releases after simple queries regarding inventory data: 0
    Reason: data not available / anonymous signup
    Releases after a query of a mailbox name for existent bank data: 0
    Reason: data not available / anonymous payment
    Releases of data after a mailbox seizure, ongoing transfers of data according to a TKÜ: 1
    Reason: formally correct court order

    Appeals / complaints by Posteo

    Complaints by our attorney to the data protection officers of the relevant federal states: 1
    Reason: transmission of requests from public authorities that does not conform to regulations
    Criminal complaints / disciplinary complaints against law enforcement officials, prosecutors and judges: 4
    Allegation: among other things, coercion, encouragement of unlawful cooperation, disregard of applicable law, ordering of a mailbox seizure, queries regarding traffic data and TKÜs without a sufficient legal basis, ordering of a search of Posteo without a sufficient legal basis

    Explanation:
    * We have received requests from public authorities in a total of 7 cases, of which 6 were solely queries regarding inventory data. In one case, various requests were made (inventory data, traffic data, mailbox contents and ongoing monitoring of telecommunications).

    Key topics

    Topic: Transparency reports should become obligatory for telecommunications providers

    In 2014, Posteo was the first German telecommunications provider to publish a transparency report about requests made by law enforcement agencies. Back then, we had first obtained a legal opinion to clarify whether reports of that kind are legally possible in Germany. Hans-Christian Ströbele, member of the German Parliament, additionally submitted a parliamentary question to the federal government about this topic.
    Read more about our proposal here.

    Our goal: To establish transparency reports in Germany.
    Almost four years later, we are now taking stock: since then, some providers have started to publish their own reports. Many German companies, however, still do not publish the number of requests they receive from authorities. Several telecommunication services stopped publishing their numbers after 2015. Furthermore, the information provided in the available reports often does not create transparency. Transparency is achieved when providers state the number of requests for each type of data, and how often data was subsequently released to authorities. Unfortunately, most reports mention only one of these numbers: either the number of requests or the number of releases. This is not transparent. Users do not learn how a company handles these requests, nor how many requests were illegal. If the number of releases is missing, users cannot tell which information about them actually exists at the provider.

    We therefore think that transparency needs an obligatory agreement: We wish for transparency reports and their specific form to become mandatory by law for German telecommunications providers. Transparency is only achieved if the reports supply informative statements.

    Support by former Minister for Consumer Protection Renate Künast

    Renate Künast (MdB), former Minister for Consumer Protection and until recently chairwoman of the Parliamentary Committee on Legal Affairs and Consumer Protection, also regards informative transparency reports as an undeniable right of every consumer: "Transparency reports are a manifestation of the consumers' informational self-determination. We are entitled to meaningful transparency reports!" (transl.)

    Based on our experience, our demands for such a regulation are:

For each type of data (e.g. traffic data, user information, content data), at least two values should be mandatory:

    • How often and in which context (for example requests for traffic data, manual and automatic requests for user data, seizures or TKÜ) authorities have requested data.
    • How often the respective data types have actually been released subsequently. (e.g. traffic data, user information, content data in the context of seizures or TKÜ)

    Further proposals by Posteo for obligatory transparency regulations:
    • Telecommunications providers should also be obliged to transparently document all requests from intelligence services in their reports.
    • The proportion of requests that were formally incorrect should be listed as well. This statistical feedback would be valuable for legislators, privacy officers and other actors in society. At Posteo, the rate of illegal requests is around 50 per cent, which is why we see an urgent need for action in this matter.
    • To ensure ideal comparability, the companies' reports should also be published in an open data format so that they can be statistically processed.

In recent years, surveillance laws in Germany have been gradually extended. In our view, instruments that would in turn strengthen the democratic control of these laws are missing. Mandatory transparency reports can contribute to that. After having observed the development for four years, we now put forward this proposal.

Topic: Constitutional state out of control: indefensible circumstances in manual requests for user information under § 113 TKG

In this section, we document the ongoing security problems in the practice of requests for information since 2015. Many requests are transferred to us insecurely, despite containing sensitive information. For this reason, many of the requests are illegal. We prove this using our own case documentation, which we publish here with personal data blacked out. In addition, you will find a large amount of correspondence between Posteo and the federal state privacy officers on this topic.
    Read more about illegal requests and security problems in practice here.

    1. Massive security problems in the practice of requests for information under § 113 TKG

    In the practice of requests for information under § 113 TKG there are serious security problems. Requests for user information under § 113 TKG contain sensitive personal information. From police authorities, we mostly receive email addresses or names that are specified in connection with a concrete criminal charge. Sometimes the requests even contain a person’s complete bank or payment details. Posteo frequently receives such requests for user information.

Investigative authorities are legally required by the BDSG (among other laws) [translation] to ensure that personal data cannot be read, copied, changed or removed without authorisation during electronic transfer, during transport or during storage on data media. (BDSG, Annex to § 9, sentence 4)

    Illegal, insecure transfer of sensitive data

Many requests under § 113 TKG reach us by email and were transmitted to us insecurely, that is, unencrypted. This procedure violates applicable data protection provisions and is illegal (see, among others, BDSG § 9, Annex, sentences 4 and 8, as well as the respective rules on technical and organisational measures ("technisch-organisatorische Maßnahmen") in the data protection acts of the federal states). If requests are transferred unencrypted, they can easily end up in the hands of data thieves on their way over the internet. What the law requires is encryption of the content itself (for example with OpenPGP or S/MIME): transport encryption between mail servers, where it is negotiated at all, protects only the individual hop and leaves the request readable at every relay and in every mailbox it passes through.

    Many requests under § 113 TKG exhibit additional deficiencies that also violate privacy provisions or other laws. Some examples include:

    • Sending police requests to our customer support rather than the people responsible (anti-abuse team)
    • Use of non-work email accounts to transfer requests, providing such accounts as a reply address
    • Requests for information and data, the release of which is not permitted under § 113 TKG, e.g. traffic data such as IP addresses
    • Failure to provide a secure method to reply
    • Failure to provide a legal basis for the enquiry (required by law)
    Gallery 1: Examples of insecurely transferred requests from authorities
    The problem is known to privacy officers

A large proportion of requests under § 113 TKG reach us in this way (by unencrypted email). Fax was seldom used by authorities (2013-2016), and only one single request has reached us so far by post. Occasionally, we also receive requests by email with an unencrypted document attached that is incorrectly marked "Telefax-Nachricht" (fax message). In January 2015, we first complained to the responsible privacy officers of the respective German federal states about the insecure transfer of sensitive data by police authorities. The responses from the privacy officers were unambiguous: the problem of insecure transfer of sensitive data by police authorities is known to them and remains an occasion for discussions and controls. The replies prove that the insecure sending of sensitive information by police authorities is a topic requiring urgent action.
    Here is what the privacy officer for North Rhine-Westphalia wrote to us:

    [translation] Regarding the MIK NRW we have repeatedly advised that requests in investigative processes should in principle occur by post or in justified cases by fax. If a request by email is required in an exceptional case, either the message itself must be encrypted or as a minimum the transfer of personal information must occur in an encrypted attachment. I will treat your request as an occasion to raise this topic again with the MIK NRW to work towards a privacy-legitimate configuration of police investigations.

    (Complete response in German: see gallery 2, below)

    The Bavarian privacy officer informed us:

    [translation] Since the transfer of personal information in unencrypted emails by the police continues to be an occasion for checks in terms of data-protection law, I have already concerned myself with this topic within my professional duties on multiple occasions. (…) I can assure you that I also regularly debate this topic independently of my concrete controls of the responsible police positions. I am currently in contact with the Bavarian State Office of Criminal Investigation to check the configuration of the retrieval process used there with telecommunications services.

    (Complete response in German: see gallery 2, below)

    The Mecklenburg privacy officers were also active:

    [translation] I have contacted the affected service post and referred to their implementation of privacy measures, so that in future requests under § 113 TKG arrive by secure means and the rights of the party involved are not violated. I have also made the Ministry for Internal Affairs and Sport of Mecklenburg-Vorpommern aware of this grievance. The Ministry (…) assured me that it would again sensitise the officers to the correct handling of personal data and surveillance (TKÜ) requests under § 113 TKG.

    (Complete response in German: see gallery 2, below)

    The Saxon privacy officers even set the police president an ultimatum:

    [translation] We absolutely support your concern. I therefore today sent a letter to the Saxon police president with a request to redress this, and asked him to tell us by the 15th of April 2015 which remedies he has put in place.

(Complete response in German: see gallery 2, below)

    The privacy officers’ responses prove that unencrypted requests are a known problem to them. If it is common practice for police authorities to send sensitive information unencrypted via the internet (for example regarding requests under § 113 TKG), then it is not only a problem in terms of privacy: it is also illegal and possibly endangers current investigations. Data thieves can thereby easily access the requests or the authorities’ communication.

    In some cases, we have experienced the bureaucracy as being very cumbersome. In response to one case, the Berlin privacy officer replied to us five months later, as follows: [translation] Unfortunately, the matter can not yet be conclusively resolved.

    Some months earlier, he had notified us in writing that he had asked the police for information on current guidelines for requests for information and the sending of personal information.

In conclusion: we assume that nationwide security problems exist in the practice of manual requests for user information (under § 113 TKG). At Posteo, in any case, not a single request received from police authorities by email was encrypted and thereby conformed to the legal requirements for secure transfer.

    Responses from the privacy officers have confirmed to us that we are not the only ones affected.

    Gallery 2: Responses from the federal state privacy officers (in German)
    Complaints do not lead to remedies

Unfortunately, our complaints have not yet led to any remedies. During 2015 and 2016, all requests that arrived with us by email were transferred insecurely, including those from German federal states where the privacy officer appeared particularly engaged. We are therefore asking ourselves how remedies can be achieved. If officers are not sufficiently trained in the secure handling of data and in IT engineering, this constitutes a fundamental security problem in police work.

    We will continue to give the privacy officers regular practical feedback and inform them of every unencrypted transfer of a request that reaches us.

As we see it, the security of the procedure is currently not guaranteed in practice. We therefore turned to politics. Ultimately, however, it is not the provider's task to check whether the authorities act lawfully or to work towards that; the state itself must achieve and ensure this.

In July 2015, at a meeting in the Posteo lab, we handed Thomas Oppermann, chairman of the SPD parliamentary group, a statement on this. Oppermann then wrote to the Federal Minister of the Interior, Thomas de Maizière. In his reply to Oppermann, the minister admitted that the law is breached in practice. He explained, however, that the BKA would only request user information in plain text if no encryption was possible for the email communication with a provider, or if the provider did not support the methods used by the police authority.

These statements by the minister are remarkable. He evidently considers breaches of the law to be justified in some circumstances. Moreover, his statements do not hold: we publish the keys required for secure communication on our website, for example, so encrypted communication with us is unquestionably possible. Nonetheless we have received multiple requests from the BKA, all of which were transferred unencrypted. Every insecure transfer is a breach of the Federal Data Protection Act (BDSG). Criminal investigators must ensure that personal data cannot be read, copied, changed or removed without authorisation during its electronic transfer, transport or storage on data media. If a provider does not offer any possibility for encrypted communication, then fax or post is to be used. The security of the authorities' communication must urgently be improved; otherwise data thieves and hackers can easily obtain it.

    2. Prohibited requests for dynamic IP addresses

    In introducing the next problem area that we see in the practice of requests under § 113 TKG, we remain in political territory. In January 2013, SPD representative Burkhard Lischka directed a written enquiry to the German government. He asked whether it was known to the government,

    [translation] that in practice, countless requests for the release of information under § 113 TKG have as their object the release of data that is not user information (e.g. log files, dynamic IP addresses, (…).

    Questions to the government, from p7, q12, 13, 14 (in German)

    He added: [translation] If so, which authorities conduct this illegal practice and what is the government doing to stop it?

    The background to his question is that a few months earlier, BITKOM made the German parliament’s judiciary committee aware of grievances in requests for user information, in a statement:

[translation] In practice, countless requests for information under § 113 TKG are known that involve the release of data that does not constitute user information (e.g. log files, IP addresses, date and time of the last access to an account, addresses with other providers of the individual concerned, the identity of authorities that had already requested the same user information, etc). It therefore follows that providers already have to deal with countless requests that serve investigations and go far beyond the regular content of the norm.

    BITKOM statement from 17th October 2012 (in German)

To summarise, BITKOM objected that authorities making requests for user information (under § 113 TKG) frequently request information whose release in response to such requests is not lawful at all. In requests under § 113 TKG, for which no judicial ruling exists, authorities may only request user information, essentially names and addresses, and not dynamic IP addresses or log files. These highly sensitive traffic data are protected by the secrecy of telecommunications (Fernmeldegeheimnis) and may only be released on the order of a judge.

    In its reply on the 28th of January 2013, the German government dismissed BITKOM’s statements as “allegations”:

    [translation] The government is – aside from the allegations quoted in the question of the BITKOM statement – not aware of any such cases.

    Response from the German government (in German, from p7, q12, 13, 14)

    The government nonetheless took the BITKOM accusations as an occasion to question various investigative authorities. And they stated:

    [translation] The results of the interrogation did not provide any evidence of illegal requests.

    Authorities illegally request dynamic IP addresses

    We hereby confirm the BITKOM “allegations”: in about 30% of all requests from police authorities that reached us in the years 2014 to 2016 concerning requests for user information under § 113 TKG, police officers illegally asked for dynamic IP addresses or the IP address of the most recent login.

To prove this, we continue to publish examples of such illegal requests (blacked out); the originals are held on file at Posteo. They also show that officers do not only attempt to obtain IP addresses illegally, but occasionally succeed in obtaining them and storing them for their investigations. This is not permissible either.

    Gallery 3: Examples of prohibited requests for IP addresses by authorities

We find it astounding that in January 2013 the government evidently did not, via BITKOM, turn to the companies at which such illegal requests arrive. In our view, the government should have informed itself with those companies and taken suitable remedial measures. That it refrained from doing so, even though a large German industry association had informed it of illegal practices by authorities, is completely incomprehensible to us. Instead, clearly only the authorities were asked, and the statements of the high-tech industry association were labelled allegations. In a constitutional state, indications of illegal practices by the executive should be pursued more seriously.

    Government again questioned in 2015

In the summer of 2015, member of parliament Dieter Janecek (economic policy spokesman of the Greens parliamentary group) again asked the government about this topic, wanting to know whether it stood by its assessment. In his question, the representative referred to the BITKOM statement as well as to the Posteo transparency report.

    The Federal Ministry of the Interior explained in its response:

    [translation] The government still has no indication of any illegal requests. (…) Usually, the responsible entities for privacy controls educate senior authorities about offences against privacy regulations that have been identified. In the government’s view, proceedings beyond this are not required.

    Response from the German government from 19th August 2015
    Privacy officers do not respond to complaints regarding the IP address problem

Perhaps there is a communication problem between the privacy officers and the government, because in all cases in which police authorities illegally requested IP addresses, we complained to the respective federal state privacy officers. In their replies, none of the privacy officers responded to our complaints on this matter. Our complaints were clearly not passed on to the highest federal authorities, as is otherwise customary according to the BMI statement. Illegitimate requests for IP addresses are not mere violations of privacy guidelines: requesting an IP address within a request for user information is illegal under the Telecommunications Act (TKG). Those involved are not only the police authorities of the federal states; we have also received such illegal requests from federal investigative authorities.

    Our conclusion: The government is clearly completely uninterested in whether illegal practices exist in requests for user information. The Federal Ministry of the Interior has remained idle for years. As such requests frequently infringe on citizens’ rights, this is irresponsible, in our view.

    Contention due to the IP address problem

In cases of enquiries under § 113 TKG to Posteo which illegally requested traffic data, situations often subsequently arose in which we were put under pressure and threatened. We always refer officials back to the applicable law. We point out that we would make ourselves liable to prosecution by releasing traffic data in response to a request under § 113 TKG (see § 206 StGB), and that a judicial ruling must exist for the release of traffic data. We explain to the officers that in a request under § 113 TKG they can only request user information for an IP address that is already known to them. The fact that the reverse disclosure is not allowed is often not known to officers.

    Some react to this information with amazement or anger. Officers have repeatedly asserted to us that with other parties, they easily obtained IP addresses in requests under § 113 TKG. Whether this is true or was only intended to unsettle us, we don’t know. What we can prove is that police officers frequently and with great self-assurance make written requests for traffic data under § 113 TKG (see image gallery with examples). We therefore think that it is absolutely possible that the legislation on information practices is also not always observed by the obligated parties (e.g. companies).

    One possible reason for this could be that the circle of parties regarding information under § 113 TKG is very large, and not restricted to telecommunications providers. Many of the obligated parties do not necessarily possess the required legal knowledge to be able to correctly identify illegal enquiries as such.

    Consequence: high legal costs

Due to escalated, illegitimate demands for IP addresses, we have already incurred enormous legal costs and financial damage in the mid five-figure range, for example for lodging protective briefs (Schutzschriften) with the courts, for correspondence with investigating officers, for legal advice, and so on. In one case, we filed a criminal complaint against investigating officers who had personally sought us out in our office. The public prosecutor's office gave our complaint no weight, as our lawyers had predicted in advance. The prosecution told us that our complaint was plainly false and dropped the proceedings against the officers without any further investigation. Instead, it demanded that we pay a fine for "false suspicion", which the court also approved. Posteo company director Patrik Löhr was required to pay the fine. Set against these high legal costs is the fact that we could theoretically claim 18 EUR from the state for the effort involved in each request for user information under § 113 TKG. We do not make use of this. As a privacy-oriented company we do not accept any money from authorities for requests for user information.

Requests under § 113 TKG will gain importance with the reintroduction of data retention

    We have shown that the security of the process is currently not guaranteed and that authorities frequently make illegal requests under § 113 TKG to Posteo for traffic data such as dynamic IP addresses. In addition, we have shown that the problem of insecure transfer is known to the respective German federal state privacy officers. Further, we indicated that the industry organisation BITKOM had in 2012 already made the government aware of countless illegal requests made under § 113 TKG.

Given these deficiencies in the procedure, we point out that the procedure under § 113 TKG will gain importance with data retention (the "Act on the Introduction of a Storage Obligation and a Maximum Retention Period for Traffic Data", Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten). The law will greatly increase the amount of data available for requests for user information.

    Coveted information: internet users will be identified by requests under § 113 TKG

Via this procedure, authorised parties will in future far more often be able to learn which person a dynamic IP address was assigned to at a particular point in time. An example: an officer approaches a provider with an IP address and would like to know which person is behind the address. The provider compares the IP address with the IP data held in its data-retention database. The provider is allowed to do this without a judicial ruling. The provider must then tell the officer which person is behind the IP address (again: not the other way around). This is highly coveted information for which no judicial reservation is provided, and it can already be used in cases of minor offences.
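The two lookup directions described here and in the section on the IP address problem above can be made explicit in a provider's disclosure interface. The following Python model is an added illustration for this page, not Posteo's code and not a statement of law: it keeps the § 113 TKG path as a one-way lookup from an address the authority already holds, together with the time of use, to a subscriber; refuses the lookup when no single lease matches that address and time; and answers the reverse question (which addresses a named user held) only against a judicial order. The retention store, its leases, the subscriber names and the order reference are constructed sample data.

```python
"""Illustrative model of which lookups a provider may answer under § 113 TKG.

Added example for this page, not Posteo's code. Leases and names below are
constructed sample data; 203.0.113.0/24 is a documentation address range.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional


@dataclass(frozen=True)
class Assignment:
    """One dynamic-IP lease held in the (hypothetical) retention store."""
    ip: str
    start: datetime   # lease start, inclusive
    end: datetime     # lease end, exclusive
    subscriber: str


class DisclosureError(PermissionError):
    """A lookup would disclose traffic data without a judicial order."""


class RetentionStore:
    """Hypothetical store of dynamic-IP leases kept under data retention."""

    def __init__(self, assignments: List[Assignment]):
        self._leases = list(assignments)

    def identify_subscriber(self, ip: str, used_at: str) -> str:
        """§ 113 TKG direction: known IP address + time of use -> subscriber.

        The time of use (ISO 8601 text, as it arrives in the request) is
        mandatory: a dynamic address is reassigned, so without it the store
        would name every customer who ever held the address. Exactly one
        lease must match, otherwise the lookup is refused.
        """
        wanted = ip_address(ip)                   # rejects malformed input
        at = datetime.fromisoformat(used_at)      # real requests must carry a time zone
        hits = [a for a in self._leases
                if ip_address(a.ip) == wanted and a.start <= at < a.end]
        if len(hits) != 1:
            raise LookupError(f"no unique lease for {ip} at {used_at}")
        return hits[0].subscriber

    def traffic_data_for(self, subscriber: str,
                         judicial_order: Optional[str] = None) -> List[Assignment]:
        """Reverse direction: which addresses a named user held.

        These are traffic data protected by the secrecy of telecommunications;
        a § 113 TKG request does not suffice, a judicial order is required.
        """
        if not judicial_order:
            raise DisclosureError(
                "traffic data requested without a judicial order (§ 113 TKG does not suffice)")
        return [a for a in self._leases if a.subscriber == subscriber]


# Constructed sample: the same address held by two customers on one day.
SAMPLE_STORE = RetentionStore([
    Assignment("203.0.113.7", datetime(2016, 3, 1, 8), datetime(2016, 3, 1, 20), "subscriber-A"),
    Assignment("203.0.113.7", datetime(2016, 3, 1, 20), datetime(2016, 3, 2, 8), "subscriber-B"),
])


if __name__ == "__main__":
    print(SAMPLE_STORE.identify_subscriber("203.0.113.7", "2016-03-01T12:00"))  # subscriber-A
    try:
        SAMPLE_STORE.traffic_data_for("subscriber-A")
    except DisclosureError as err:
        print("refused:", err)
```

The point of the model is that the permitted direction is the only one the § 113 path can express; the reverse question is a different method with a different precondition, so an officer asking "which IP addresses did this user use" cannot be served by accident.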

    We therefore assume that the number of requests under § 113 TKG and thereby also the number of insecure and illegal requests will sharply increase with the introduction of the new law. There is an additional reason for this assumption: checking IP data and the resulting release of user information can only occur via the manual disclosure process under § 113 TKG. This is not possible via the automated process under § 112 TKG.

    The number of illegal requests will markedly increase

    It is our view that the process under § 113 TKG with its current patent flaws in practice is in no way suitable. Today a large amount of citizens’ sensitive data is already insecurely transferred due to this process and there are countless illegal enquiries from authorities.

    In addition, there are insufficient controls of the process: to our knowledge, there is no requirement in existence to keep statistics for enquiries under § 113 TKG. Thus the effect of the introduction of the law on data retention – how it concretely affects the number of requests – can not be evaluated, and the number of requests by state authorities will remain unknown to the public.

    The government must act: the reintroduction of data retention must be abandoned

    It is in no way acceptable that citizens’ sensitive data continue to be sent or requested insecurely over the internet by authorities, or that dynamic IP addresses governed by the secrecy of telecommunications are given out in response to simple enquiries under § 113 TKG without a judicial ruling. In our view, no new laws or guidelines can therefore be introduced that would further increase the number of illegal and insecure requests made.

    We therefore demand that the government introduces measures as soon as possible that are intended to ensure that the request and transfer of sensitive citizens’ information by authorities under § 113 TKG occurs fundamentally by secure means (no proprietary solutions) and also corresponding to the legal regulations – and when it occurs by email, then exclusively by encrypted email. In addition, we demand that the government introduces measures as soon as possible that ensure that for requests for user information, no more illegal requests for traffic data or any other information that goes far beyond the norm occur.

    We are of the view that there is a glaring need for processes to be adjusted in an organisational respect, so that a privacy-equitable and constitutional state conforming configuration of the disclosure process can be secured in future. For this, we suggest the introduction of reporting requirements (among other things, see the section on controls of the information process).

Until this remedy is achieved, data retention (introduction of the Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten, the act on a storage obligation and a maximum retention period for traffic data) is in our view unreasonable for this reason alone, as in practice it will further increase the amount of insecure and illegitimate data transfers and widen the legal cracks in the disclosure procedure under § 113 TKG.

    Independent of this, we completely and with great emphasis reject the reintroduction of data retention for countless further reasons, e.g. for privacy reasons and data security as well as due to its accompanying blanket restrictions of fundamental rights, that we do not deem reasonable. On this topic, please also read our text on the control instrument of judicial reservation, which we also criticise in this report. The law will nonetheless confront providers like Posteo with even more illegal requests and accompanying bureaucracy and legal costs in connection with requests under § 113 TKG.

In addition, we demand that the Federal Office for Information Security (BSI) be removed from the remit of the Federal Ministry of the Interior and made an independent state authority, so that it can be an independent point of contact for security questions.

Update: Percentage of illegal requests for user information remains high in 2017

Posted on 17 January 2018, 11:00

Also in 2017 we again received many requests with formal shortcomings. In total, their rate was 42 per cent. For requests for user information, the rate of illegal requests was 44 per cent.

Rate of unlawful requests for user information in the years 2013-2017

From the police authorities of Saxony, Hesse, North Rhine-Westphalia, Rhineland-Palatinate, Lower Saxony, Thuringia, Berlin and Brandenburg we invariably received requests with formal deficiencies in 2017.

Read more about the development of unlawful requests and security problems in practice in 2017 here.

    Positive development in Bavaria

    One state stood out positively in 2017: In previous years, many illegal requests reached us from Bavaria. In 2017, 7 out of 8 requests were formally correct.
    This might be due to the commitment of the Bavarian privacy officer who repeatedly responded to our complaints that a solution was under way.
    Also from Baden-Württemberg we received more correct requests.

    Unencrypted police requests keep parliament and authorities busy in Rhineland-Palatinate

Following our last transparency report for the year 2016, the SWR ("Southwest Broadcasting", a public broadcasting corporation) took up the topic in February 2017 and reported on infringements by the police authority in Rhineland-Palatinate (in German). The editors had first requested evidence of infringements of the data protection act from us, and received it. Subsequently, the matter was dealt with by the parliament of the federal state and by the responsible ministry of the interior in Mainz. The opposition demanded the use of encryption technology by the police. The ministry of the interior claimed that the problems originated from the use of different encryption techniques by the police and from the multitude of email providers, and that these were problems that police authorities all over Germany were confronted with. At that time, a spokesman of the ministry of the interior declared that new technical standards for a unified procedure for encrypted data requests were being developed in cooperation with the Federal Network Agency.

There are, in fact, already two standardised email encryption methods, OpenPGP and S/MIME, that have been available for decades. Police stations can use these standard methods nationwide without further ado and irrespective of the provider, thereby immediately complying with the requirements of data protection law. Three months after the debate in Rhineland-Palatinate, we again received a request for information from the local police authorities, again by unencrypted email containing sensitive data.

Investigative authorities are legally obliged by the BDSG (German Federal Data Protection Act), among others, to "ensure that personal data cannot be copied, altered or removed without authorisation during electronic transmission or during transportation or storage on storage media." (transl., BDSG, Annex to § 9, sentence 4)

    Illegal insecure transmission of sensitive data

Many requests pursuant to § 113 TKG reach us by email, transmitted insecurely, that is, unencrypted. This practice does not comply with the data protection provisions cited above and is therefore illegal (see, among others, BDSG § 9, Annex, sentences 4 and 8, as well as the respective regulations on technical and organisational measures in the data protection acts of the federal states). If requests are transmitted unencrypted, they can easily fall into the hands of data thieves on their way through the internet.

Many requests pursuant to § 113 TKG show further defects in addition to that. These also constitute infringements of data protection regulations or of other laws. Among them are:

    • sending police requests to customer support, and not to the responsible persons (anti-abuse team)
    • using non-official email accounts to transmit requests, and giving accounts of this kind as the reply address
    • requesting information and data whose release in response to requests pursuant to § 113 TKG is not permissible, e.g. traffic data such as IP addresses
    • no indication of a secure way to reply
    • no indication of the legal basis of the request (which is required by law)
    Gallery: Examples of illegal requests in the year 2017

More information on this topic can be found in our main article published in 2015. There, unlawful requests from previous years are documented and we disclose the responses of privacy officers to the data protection violations.
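The list of formal deficiencies above (and the same list in the 2015 main text) can be checked mechanically for every incoming message. The following Python script is an added illustration written for this page, not Posteo's own tooling. It parses a raw email, decides whether its content is encrypted with one of the two standard methods (PGP/MIME as in RFC 3156, inline PGP armour, or S/MIME enveloped data as in RFC 8551; transport encryption between mail servers is not visible in the message and does not count), and for unencrypted requests flags the remaining points from the list. The official domain list, the abuse address, the phrase patterns and the three sample messages are constructed assumptions for the demonstration.

```python
"""Intake triage for requests that arrive by email (added illustration).

Not Posteo's tooling. The addresses, domains, patterns and sample messages
below are constructed for the demonstration.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumptions for the demo: where requests belong, which sender domains count
# as official, what a request for traffic data or a legal basis looks like.
ABUSE_ADDRESS = "abuse@posteo.example"
OFFICIAL_DOMAINS = {"polizei.example", "staatsanwaltschaft.example"}
TRAFFIC_DATA_RE = re.compile(r"IP-?Adresse|IP address|Log-?files?|Verkehrsdaten", re.IGNORECASE)
LEGAL_BASIS_RE = re.compile(r"§\s*113\s*TKG")


def is_content_encrypted(msg: EmailMessage) -> bool:
    """True if the message body itself is protected by OpenPGP or S/MIME."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return True                                   # PGP/MIME, RFC 3156
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") \
            and msg.get_param("smime-type", "enveloped-data") != "signed-data":
        return True                                   # S/MIME enveloped data, RFC 8551
    for part in msg.walk():                           # inline PGP armour in a text body
        if part.get_content_type() == "text/plain" and \
                "-----BEGIN PGP MESSAGE-----" in part.get_content():
            return True
    return False


def _plain_text(msg: EmailMessage) -> str:
    return "\n".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")


def _domain(addr: str) -> str:
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def triage(raw: str) -> dict:
    """Return the formal deficiencies found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    encrypted = is_content_encrypted(msg)
    findings = []
    if not encrypted:
        findings.append("unencrypted transmission")
    if ABUSE_ADDRESS not in str(msg.get("To", "")).lower():
        findings.append("sent to customer support instead of the anti-abuse address")
    reply = str(msg.get("Reply-To") or msg.get("From") or "")
    if _domain(reply) not in OFFICIAL_DOMAINS:
        findings.append("non-official reply address")
    if not encrypted:   # body checks only possible on readable content
        text = _plain_text(msg)
        if TRAFFIC_DATA_RE.search(text):
            findings.append("traffic data requested (not permitted under § 113 TKG)")
        if not LEGAL_BASIS_RE.search(text):
            findings.append("no legal basis stated")
    return {"encrypted": encrypted, "findings": findings}


# Constructed sample messages (not real requests; ciphertexts are placeholders).
UNENCRYPTED_REQUEST = """\
From: Kommissar Muster <k.muster@freemail.example>
To: support@posteo.example
Subject: Auskunftsersuchen
Content-Type: text/plain; charset="utf-8"

Bitte teilen Sie uns Name, Anschrift und die IP-Adresse des letzten Logins mit.
"""

PGP_MIME_REQUEST = """\
From: LKA <auskunft@polizei.example>
To: abuse@posteo.example
Subject: Auskunftsersuchen
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--b1--
"""

SMIME_REQUEST = """\
From: Staatsanwaltschaft <ersuchen@staatsanwaltschaft.example>
To: abuse@posteo.example
Subject: Auskunftsersuchen
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxgDCCAQ==
"""

if __name__ == "__main__":
    for name, raw in (("unencrypted", UNENCRYPTED_REQUEST),
                      ("pgp/mime", PGP_MIME_REQUEST), ("s/mime", SMIME_REQUEST)):
        print(name, triage(raw))
```

An encrypted request is only checked for the remaining points after decryption, which is outside this example, so the two encrypted samples report no findings; the unencrypted sample trips every check on the list.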


Topic: Inadequate public controls of the information procedure under § 113 TKG and § 112 TKG

It is absolutely essential for the balance between security and freedom in a democracy that the practice of requests for information by security authorities is regularly subject to controls. Through them, misuse of the procedure can be prevented or at least identified in retrospect, and illegal practices can be counteracted. We are convinced that the controls of the information procedure under § 113 TKG and § 112 TKG exhibit grave deficiencies, if controls can be spoken of at all. Requests for user information under § 113 TKG appear to be a grey zone: there is no requirement to keep statistics. Insofar as numbers become known at all, they originate from the transparency reports of German telecommunications providers, which have only existed since 2014, when Posteo became the first German provider to publish a transparency report on requests from authorities.
    Read more about the deficient controls of the information process here.

    In a democracy, it is essential for a balanced relationship between security and freedom that controls in the practice of information processes regularly take place. Through these, misuse of the process can be prevented or ascertained in hindsight. Inadmissible practices can be counteracted with controls. We are convinced that the information process under § 113 TKG and § 112 TKG exhibits grave deficiencies – if controls can be spoken of at all, that is.

    The example of § 112 TKG: millions of automated requests and only a handful of controls

    Not only in connection with a manual request for user information under § 113 TKG can authorities request user information. There is also the automated process under § 112 TKG, in which about 150 larger telecommunications companies take part (at Posteo, data can only be requested under § 113 TKG). In Germany, many millions of automated requests for user information under § 112 TKG are made each year. In 2014, 6.92 million requests were made to the Federal Network Agency which together led to 34.30 million requests to telecommunications providers. We asked ourselves how many controls these millions of requests made by authorities were actually subject to. We therefore wrote to the parties responsible.

    From the privacy officers’ replies, it emerges that last year only a handful of requests were subjected to controls by the Federal Network Agency and the state privacy representative (BfDI), and these were mostly only checked following concrete tips on insider threats that had been reported from within the police authorities themselves.

    The state privacy representative wrote to us: [translation] In recent years there were only a few requests made under § 112 TKG, mostly from police authorities. These cases were checked together with the Federal Network Agency. Complete response: see gallery 4, further below

    The last mention of controls in ten years of old reports of proceedings

    To comment more closely on these “few cases” that were subject to controls, the state privacy representative only referred us to very old reports of proceedings from the years 2001–2004, with the addition that [translation] “these are absolutely still current.”

    In the 2003–2004 report, there is concrete talk of three cases:

    [translation] During the period of the report, there were only a few requests from police authorities due to suspicion of unauthorised requests by insider threats. In three cases, data could be reported back that led to an investigation process.

    See 20. Tätigkeitsbericht des BfDI 2003–2004, p144 ff.

    A look at the newer reports shows that controls on requests under § 112 TKG in the procedure reports of 2005–2014 were clearly no longer mentioned. Whether controls were even undertaken at all after 2004 is therefore unclear to the public. For us, this is a very sobering result.

    Before we knew of this result, we had sent written enquiries to all the federal state privacy officers, asking for the number of controls from 2013 and 2014. For requests under § 112 TKG, the federal state privacy officers also have control powers, where it concerns requests from public positions in their respective federal states. This was also sobering: all the privacy officers replied that they had not undertaken any controls of requests under § 112 TKG. Some of the privacy officers, however, want to undertake controls in future due to our enquiry.

    The Hamburg privacy officer wrote to us:

    [translation] Your enquiry will be taken as an occasion to undertake a privacy-legal control of the positions mentioned in § 112 Abs. 2 TKG this year.

    Complete response: see gallery 4, further below

    From Rhineland-Palatinate we received this commitment:

    [translation] Because a competency centre for telecommunications surveillance measures is set up in [Rhineland-Palatinate], I have this area on my check plan for the current year. I will make controls of the process concerning § 112 TKG and successful retrievals made on this basis.

    Complete response: see gallery 4, further below

    Some privacy officers were of the view that they were not responsible. The privacy officer for Mecklenburg-Vorpommern advised us of a further problem – inadequate facilities for privacy authorities:

    [translation] Due to a large number of petitions from various areas regarding privacy and freedom of information it is not possible in terms of either time or personnel for us to undertake controls on our own initiative of requests under § 112 TKG.

    Complete response: see gallery 4, further below

    As a matter of fact, no controls of the process under § 112 TKG occur. The only positive thing to note is that for the automated request process under § 112 TKG there are still reporting and protocol requirements, so that it can at least be seen in the Federal Network Agency yearly reports how often the process is utilised by authorised parties.

    Gallery 4: responses from privacy officers on the controls of requests for information under § 112 TKG

    Grey zone in § 113 TKG: no statistical data available

    There are no statistical surveys by public bodies of the number of requests under § 113 TKG available. Corresponding requirements for statistics are not known to our lawyers. Insofar as numbers are known at all, these originate from German telecommunications providers’ transparency reports, which have existed since 2014, after Posteo became the first German provider to publish a transparency report on requests from authorities. According to Deutsche Telekom’s report for 2014, 27,957 requests were made to it under § 113 TKG. Complaints about security problems and illegal requests to the responsible organs of control have not yet led to a remedy in the requests that reach us, as we presented in part one.

    § 113 TKG: introducing reporting requirements to improve public controls

    The process constitutes a grey zone, in a way. This is by no means acceptable, because requesting user information under § 113 TKG generally requires better controls and evaluation (see our section on chaotic circumstances for user information requests).

    In our view, reporting requirements for requests under § 113 TKG should be urgently introduced. The numbers should be published yearly, as they are for other kinds of requests for information, e.g. as is common for requests under § 112 TKG (published in the Federal Network Agency's yearly report) and under § 100a StPO (published on the Bundesamt für Justiz website).

    In addition, similarly to the automated process under § 112 TKG, protocol requirements should ensure that for each request, information should be held on which officer requested what information, to make internal and external controls (for example by privacy officers) easier in retrospect.

    It is to be expected that these control possibilities would work against misuse and illegal requests. In this area, remedies are urgently required.

    § 113 TKG: broaden controls and intensify schooling of investigative officers

    In our view it is urgently required that the responsible control authorities regularly and comprehensively check compliance with the legal requirements for requests under § 113 TKG until the deficits in the process are eliminated nationwide. Investigative officers must, in addition, be comprehensively trained in the secure and legally compliant handling of information technology in general and of sensitive data in particular.

    Better equip privacy officers

    In conclusion, on the topic of deficient controls, we would also like to advise of the current report on the duties of the representative for privacy and freedom of information.

    It contains the following warning with regard to future information processes:

    [translation] the system of checks and balances in the area of intelligence services is in massive imbalance. Especially since 2001, the tasks and powers of security authorities as well as their personnel and equipment have been considerably enlarged. The wide-scope cooperation between police and intelligence agencies has intensified nationally and internationally. Large central databases have been set up and a new security structure established. (...) On the control organs’ side, no corresponding development has occurred, i.e. also insofar as existing, grave lawmaking deficits that must be eliminated as quickly as possible in the interest of the citizens. As a result of this development it is no longer possible, given the negligible personnel and equipment available to me, for me to adequately fulfil my legally-assigned duties to advise and undertake controls. It is also no longer possible for me to appropriately ensure the compensation function of my controls for the citizens concerned that the Federal Constitutional Court stressed in its verdict on the anti-terror file law, i.e. to check for the party concerned whether their rights under secret interventions by the security authorities are protected.

    Source: Tätigkeitsbericht der Bundesdatenschutzbeauftragten 2013 & 2014, p36

    This statement is a warning from the federal state privacy officer. We see an urgent need to conform to the demands of the BfDI, such that more personnel and equipment are made available to them, also so that they can urge a secure and legally-conforming practice for information processes, for example requests under § 113 TKG, and comprehensively enforce this with increased controls. The same applies to the federal state privacy officers’ equipment. The control organs must become altogether better equipped such that existing grievances can be effectively confronted.


    Topic: Judicial reservation: in practice, clearly all applications for surveillance measures were granted

    In this section we occupy ourselves with the control instrument of the judicial reservation, which in our view no longer fairly performs its intended function. In practice, clearly all applications for surveillance measures are approved. Although no statistics are kept as to the effectiveness of the judicial reservation, we found numbers to demonstrate this. We also explain why the deficiencies that we present demonstrate that data retention should definitely not be reintroduced. Incidentally, if you think that a surveillance measure (TKÜ) couldn’t affect you because you haven’t committed any crimes, you are incorrect. In practice, people within the sphere of a suspect also have their communication surveilled or seized, even if there is absolutely no suspicion of a crime committed by that person.
    Read more about the judicial reservation here.

    When discussions about interventions into the fundamental rights of citizens occur, critics are often calmed by the argument that these can only occur under strict requirements and only with a “judicial reservation”. Referring to the judicial reservation is a common argument: the citizens’ trust in the judiciary is much greater than their trust in the government, according to surveys. At the moment, arguments are again being made using the judicial reservation; this time it’s about the planned reintroduction of data retention.

    The control instrument of the judicial reservation has for many years been accused of being less effective in practice than intended. For example, two thorough studies published by Bielefeld University and the Max Planck Institute for Foreign and International Criminal Law came to this conclusion in 2003. Both studies documented multiple deficiencies in the process at the time. The Max Planck Institute, for example, came to the conclusion that a surveillance measure would fail to be granted only in absolutely exceptional cases.

    The Bielefeld University study stated at the time that only a quarter of surveillance measures were arranged according to the process regulations. Moreover, the surveillance measures would mostly consist of orders, which allows the assumption that judges do not reach their decision independently.

    A public prosecutor who was surveyed by Max Planck Institute researchers at the time stated the following on the topic of email surveillance, for the record:

    [translation] In the area of email surveillance, an update and clarification is required. Chaos rules. There are the most crazy legal concepts and regardless of which application I submit, the judge allows it in these cases.

    Source: Studie des Max-Planck-Institutes für ausländisches und internationales Strafrecht, p226

    We have also grappled for some time with the question of how the control instrument of the judicial reservation intended by the legislator for surveillance measures has developed in Germany – and how its effectiveness is controlled or evaluated. The occasion for this question was (among other things) telecommunication surveillance (TKÜ) that was ordered for which both we and our lawyers found the offence stated to be insufficient. Incidentally, if you think that a surveillance measure (TKÜ) couldn’t affect you because you haven’t committed any crimes, you are incorrect. In practice, people within the sphere of a suspect also have their communication surveilled or seized, even if there is absolutely no suspicion of a crime committed by that person.

    1. Legislators don’t sufficiently evaluate the effectiveness of the control instrument of the judicial reservation

    If a suspect is ascertained and police officers together with the public prosecutor instigate the seizure or surveillance of an email account, legal protection for the affected party is severely restricted by the secrecy of the measure. They cannot be heard before the decision of the responsible investigating judge. The judge should compensate for this deficit: the judge checks the case and, if convinced that the telecommunication of the suspect should indeed be surveilled or seized, allows the public prosecutor’s application. Information as to how often a judge rejects an application for a surveillance measure is therefore an important indicator of how effective the control instrument of the judicial reservation really is. If, for example, all applications for surveillance were to be approved in a particular state, this would be a strong indication that the state is on the way to becoming a surveillance state.

    How often a judge declines an application for surveillance can not be statistically ascertained

    How often a judge declines a surveillance measure mostly cannot, however, be ascertained in Germany. In the Federal Office of Justice’s yearly report, only the number of rulings passed in which measures under § 100a Abs. 1 StPO were ordered is specified, as well as the number of surveillance measures undertaken (cf. § 100b Abs. 5, 6 StPO). The German federal states have to supply these numbers to the Federal Office of Justice. Numbers such as how often an application for a surveillance measure fails to satisfy a judge are not included in the statistics, however. The judicial reservation is therefore a control instrument whose efficacy is actually largely unknown.

    Posteo surveyed justice ministries in all German federal states

    We wanted to know if the corresponding numbers were perhaps available in the German federal states. At the start of the year, we therefore asked the justice ministries for information in writing.

    Initially, the responses were disappointing. We received the same responses time and again in which we were told that no statistics were kept as to how often applications for a surveillance measure were denied. The number of cases in which applications for surveillance (TKÜ) were denied was supposedly unknown. The fact that the number of refused applications for surveillance was not collected was supposedly because there was no necessity for reporting in the law.

    The Bavarian state justice ministry (among others) explained to us:

    [translation] The necessity to report under § 100b Abs. 5, Abs. 6 StPO does not stipulate any requirement to compile denied applications, which is why no statistics on this exist.

    The state justice ministry of Hesse told us that this would require an effort of manual analysis [translation] that seems disproportionate to me and criminal investigative authorities can not be overburdened.

    We then received the information that we sought: from Berlin, we received a reply that the senate in Berlin had collected the number of denied surveillance measures since 2006.

    Gallery 5: some responses from the Ministries of Justice

    And we were shocked.

    Since 2007, not a single application for surveillance was denied

    Since 2007, not a single application for telecommunication surveillance has been denied in Berlin. (See the respective yearly reports from the senate on the practice of telephone surveillance under §§ 100 a, 100 b StPO)

    In total, between 2008 and 2014 in Berlin, 14,621 applications for surveillance were made – and approved. The number of surveillance measures arranged increased markedly over these years.

    The fact that between 2008 and 2014, not a single one of the 14,621 applications for surveillance in Berlin was denied, certainly clarifies in our perception that doubts regarding the effectiveness of the control instruments of the judicial reservation are not only justified, but also that there is a need for clarification. How can it be possible that judges grant every single application for surveillance of a citizen over many years? What do these numbers say about the state of our constitutional state? The numbers from Berlin provide a wide overview of a large time period. In our view, they clearly prove that the instrument of the intended controls has actually not been of sufficient quality for a long time and a debate is necessary.

    Over the years, the situation has got worse: the Max Planck Institute study of 2003 came to the conclusion that only 0.4% of applications for surveillance measures were not approved, and the rate in Berlin over the last seven years in a row is 0.00%. (Source: Max Planck Institute study, p177, PDF p197 and yearly reports from Berlin.) That all orders occurred conforming to the process regulations is doubtful: in any case, the Bielefeld University study of 2003 came to the conclusion that 75% of all surveillance reviewed was not ordered in accordance with the process requirements.

    Reporting requirements under § 100b Abs. 5, Abs. 6 StPO must be extended

    Without the yearly reports from Berlin, which the federal state of Berlin has voluntarily given out since 2006, there would be absolutely no numbers available on the effectiveness of the judicial reservation in Germany. For us, this is incomprehensible for reasons of democratic controls alone. The fact that every request for surveillance is approved according to the numbers available to us is, due to the lack of reporting requirements, not only unknown to the wider public, but the legislator can not evaluate the effect of its own control instrument. In our view, the legislator absolutely must compile nationwide statistics for the purposes of evaluation and control on how often applications for surveillance measures are actually granted, and how often judges decline surveillance (TKÜ). Only when appropriate statistics are available is control possible. Alarming developments can then be recognised early and debated.

    We therefore recommend adapting the reporting requirements under § 100b Abs. 5, Abs. 6 StPO for control and evaluation purposes, so that not only the number of surveillance (TKÜ) measures ordered is statistically recorded, but also the number of denied applications for surveillance (TKÜ), in order to check the effectiveness of the judicial reservation.

    Lack of time and personnel in the courts

    According to studies, a lack of time and personnel in the courts has for years also contributed to the situation. We see an important starting point for strengthening the control of surveillance processes here. The Max Planck Institute study from 2003 already explains, for example, that the investigating judge, with evidence of a heavy workload, only has ten to a maximum of 30 minutes to check a decision for surveillance (TKÜ). Another judge stated then that he was forced to put his “checking priorities” into more serious cases, like bodily attacks or arrest warrants. The study determined, moreover, that surveillance (TKÜ) initiated by the police was regularly adopted as submitted by the public prosecutor and the investigating judge. The reasons for the order for surveillance (TKÜ) were, [translation] “according to the records and after self-assessment of criminal investigators surveyed, almost exclusively written by the police”, not by the judges themselves.

    With regard to the judges’ workloads there appears to have been no improvement in the last few years:

    From a current study, the Roland Rechtsreport 2014, it emerges that nine out of ten judges and public prosecutors surveyed think it is necessary for additional judges and public prosecutors to be employed. 85% of those surveyed said they have too little time for their legal cases. A vast majority (72%) of judges and public prosecutors were of the view that the framework of conditions for the justice system in Germany is currently deteriorating. The main reason given for this was that there are too few personnel.

    We think it is alarming that such conditions have clearly existed for many years, and that there have clearly been no efforts made since the study from 2003 that would have led to an actual improvement in the controls of surveillance processes. This clearly leads in practice to statistics like those from Berlin, which in our judgement are no longer fair in a constitutional state. If the possibilities for surveillance in Germany continue to develop while these deficiencies linger, this is a development that can not be beneficial to democracy.

    As the government is currently planning to reintroduce data retention and will thereby authorise public bodies to make attacks on fundamental rights that should be subject to controls by the instrument of the judicial reservation, we call on the German Minister for Justice, Heiko Maas, to stop the draft legislation. If the possibilities for surveillance in Germany continue to be expanded while the deficiencies outlined in our transparency report still exist and clearly every application for surveillance is approved, this is a development that cannot be beneficial to democracy. Data retention would allow public bodies to make attacks on fundamental rights that are supposed to be subject to control by the instrument of the judicial reservation. According to the numbers we have documented, the instrument has not fairly performed its intended control tasks for many years. Controls of the information process are also deficient. Often there is no requirement to keep statistics or reports. In the practice of requests for user information under § 113 TKG, chaotic circumstances rule: almost all requests that reach us are illegal. We fear that the introduction of the law would lead to a further increase in illegal requests.

    Update: Year-on-year comparison: Last rejection of telecommunications surveillance ten years ago

    Created on 17 January 2018, 18:00

    During the last nine years, each of the 14,476 surveillance orders from the Berlin public prosecutor's office has been approved. The last rejection happened in 2007.
    On this topic, Netzpolitik.org provides an article with current statistical details that is worth reading.

    Background information and frequently asked questions

    General:

    Why does Posteo publish a transparency report once per year? 

    We want our customers to know how many and what type of requests for information we receive from authorities. We also want to make transparent how Posteo handles such inquiries. After the large-scale surveillance of citizens by intelligence agencies became known, it is more important than ever that providers publish transparency reports. They strengthen fundamental rights, informational self-determination and democracy as a whole.

    Why did Posteo first publish a transparency report in 2014, and why had no other telecommunications provider done so until then? 

    In 2013, we received our very first requests from police authorities. For us it was clear that we wanted in future to publish a transparency report on requests from authorities, following the model of American telecommunications companies.
    Our lawyers pointed out, however, that the legal situation regarding this in Germany was not clear and for this reason, no German provider had published a transparency report until then. The legislator obligates German telecommunications providers with secrecy regarding requests for information in the Telecommunications Act (TKG) and the German G10 Act, among others. Therefore, prior to publication in May 2014, we had our attorneys prepare a comprehensive legal opinion. We needed to clarify the situation in advance, as violating the obligation of secrecy is punishable with up to five years’ imprisonment. The expert assessment that we commissioned determined that publishing purely statistical information that does not allow any inferences regarding individual cases is permitted. The Federal Ministry of Justice (Bundesministerium der Justiz) then also confirmed this in response to an enquiry from Christian Ströbele, MdB. Posteo then ultimately published the first transparency report by a German telecommunication provider on the 14th of May, 2014.

    What would Posteo like to achieve by publishing transparency reports? 

    We would like it to become standard in Germany that telecommunications providers publish transparency reports. This form of transparency strengthens the possibility of democratic controls and the evaluation of surveillance measures. When we published the first report by a German telecommunications provider in 2014, Deutsche Telekom followed a few hours later. In the meantime, a few other German providers have also published corresponding reports. We offer to share our experience with other providers for which this comes into consideration.
    Furthermore, we would like to instigate the provision of transparency reports by German providers in open data format, so that a transparent overall picture of requests for information can emerge. We publish our transparency report in an open, standardised exchange format (XML and JSON) so that any interested party has the ability to process and work statistically with the data we provide. An additional goal of our transparency reports is to reveal grievances in the information process and work towards improvement.

    Why does Posteo publish the transparency report as open data? 

    For our transparency reports, we make the numbers available in a machine-readable format from now on. The data can then be read licence-free (CC0) and processed further. In this way, interested individuals or companies can assess the data in a completely different form from us, for example undertaking analyses and comparisons, if other providers also use this format to make the data in their transparency reports available. The key term here is “open data”. A civil society can debate better with such transparently available data at hand. In contrast with personal data, which has a high requirement for protection, such statistical data does not require protection, but rather should be available to all interested parties.
    For the machine-readable form, we use a so-called plist/XML schema that can also be used by other providers without issue and can be extended if required. The data for 2014 can be accessed as JSON or PLIST.
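    As an added illustration of what a third party can do with a plist/XML and JSON export of this kind (this is not Posteo's own code, and the key names `provider`, `year`, `requests`, `legal_basis`, `received` and `data_released` are assumptions for the example, not the schema Posteo actually publishes), the following Python loads a constructed plist record, checks it for internal consistency, sums the per-basis counts, and confirms that a JSON serialisation carries the same data as the plist:

```python
import json
import plistlib

# Constructed sample record in plist/XML form. The key names are
# assumptions for this example, not the schema Posteo publishes.
SAMPLE_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>provider</key><string>example-provider</string>
  <key>year</key><integer>2014</integer>
  <key>requests</key>
  <array>
    <dict>
      <key>legal_basis</key><string>113 TKG</string>
      <key>received</key><integer>7</integer>
      <key>data_released</key><integer>0</integer>
    </dict>
    <dict>
      <key>legal_basis</key><string>100a StPO</string>
      <key>received</key><integer>2</integer>
      <key>data_released</key><integer>2</integer>
    </dict>
  </array>
</dict>
</plist>
""".encode("utf-8")

REQUIRED_TOP_KEYS = ("provider", "year", "requests")
REQUIRED_REQUEST_KEYS = ("legal_basis", "received", "data_released")


def load_plist(data: bytes) -> dict:
    """Parse a plist/XML document into a plain Python dict (stdlib plistlib)."""
    return plistlib.loads(data)


def report_to_json(report: dict) -> str:
    """Serialise the parsed record as JSON, the second export format mentioned."""
    return json.dumps(report, ensure_ascii=False, sort_keys=True, indent=2)


def validate(report: dict) -> list:
    """Return a list of problems found; an empty list means the record is usable.

    Checks structural completeness and that counts are non-negative and that
    no legal basis reports more releases than requests received.
    """
    problems = []
    for key in REQUIRED_TOP_KEYS:
        if key not in report:
            problems.append(f"missing top-level key: {key}")
    for i, req in enumerate(report.get("requests", [])):
        for key in REQUIRED_REQUEST_KEYS:
            if key not in req:
                problems.append(f"request {i}: missing key {key}")
        received = req.get("received")
        released = req.get("data_released")
        if isinstance(received, int) and isinstance(released, int):
            if received < 0 or released < 0:
                problems.append(f"request {i}: negative count")
            if released > received:
                problems.append(f"request {i}: data_released exceeds received")
    return problems


def totals(report: dict) -> dict:
    """Sum requests received and data releases across all legal bases."""
    received = sum(r["received"] for r in report["requests"])
    released = sum(r["data_released"] for r in report["requests"])
    return {"received": received, "data_released": released}


def plist_and_json_agree(plist_bytes: bytes, json_text: str) -> bool:
    """True if a plist export and a JSON export describe the same data."""
    return load_plist(plist_bytes) == json.loads(json_text)


if __name__ == "__main__":
    record = load_plist(SAMPLE_PLIST)
    print("problems:", validate(record))
    print("totals:", totals(record))
    print("plist/json agree:", plist_and_json_agree(SAMPLE_PLIST, report_to_json(record)))
```

    Because both exports parse to the same Python structures, a consumer can accept either format and compare providers' reports with the same code; the consistency check is what stops a transcription error (a release count larger than the request count) from silently skewing a cross-provider comparison.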

    Do the Posteo transparency reports cover all requests that Posteo has received to date? Is there such a thing as “secret requests”, which can not be included in the statistics? 

    In Germany, there are no such secret requests for which we can not provide statistical information. The Posteo transparency reports therefore cover all requests that we have received. In Posteo’s first four years of business (2009–2012) we did not receive any requests from authorities; until spring of 2013, Posteo was a very small provider. Reports exist for the years 2013 and 2014. Our reports encompass all requests from investigative authorities as well as all requests from intelligence services that have reached us.

    Why do authorities request user information from an email provider? 

    Authorities request user information for various reasons: for example, to solve a crime or to pursue a suspicion of a minor breach of the law. Where there is a suspicion of serious crimes, investigative authorities are under certain circumstances entitled to receive emails or traffic data from providers. For this, however, they require a judicial ruling. For the release of personal information (for example, name and address) on the other hand, neither a judicial ruling nor the suspicion of a serious crime is necessary. With Posteo, no personal information can be requested as we do not collect our customers’ user information.

    What does Posteo do when there is an inquiry from an authority? Does Posteo take legal action against unlawful requests? 

    We first have each inquiry from a public authority carefully reviewed by our lawyers. We take the protection of our users' data very seriously. If our lawyers’ check determines that a request is not legally conforming, formally incorrect or the reach of a decision does not extend to the data requested by the authority, we lodge complaints. Posteo will never release data if there is doubt as to the correctness or legality of a ruling. We do not spare any expense or effort: we assure you that our lawyers, who are specialised in telecommunications, will do everything to defend your right to informational self-determination in the worst case scenario. We do not want to hinder (criminal) investigations, but we do want to ensure that the investigating authorities are actually entitled to receive the requested data. If the authorities are actually entitled to receive a Posteo user’s content data (for example, emails) due to a judicial ruling, then we must transfer such data to them. We are required to do this by law. Such requests are, however, very rare.
    In most cases, authorities only request user information such as names and addresses, and as we do not save such data, we can not release it.

    How often has Posteo had to transfer data to eligible authorities? 

    In 2013 and 2014, we were only required to release data to investigative authorities in individual cases after a judicial ruling (see the transparency reports for the years 2013 and 2014). Altogether, three email accounts were affected, for which there were sometimes multiple requests (e.g. account seizure as well as TKÜ). In each case, the authorities had presented a formally correct ruling for the ongoing surveillance of an email account or an email account’s seizure. Release of the data occurred only after a thorough check by our lawyers. In the years prior to 2013 we did not receive any requests from authorities.

    Have Posteo employees ever been threatened, or have there ever been attempts to persuade them to unlawfully release data? 

    Yes. We go into this in the transparency report under "Authorities illegally request dynamic IP addresses".

    Are affected users informed by Posteo? 

    No, we are not allowed to inform affected users. That would make us liable for prosecution. German telecommunications providers are bound to secrecy regarding most requests for information from authorities by various laws (among others, the Telecommunications Act (TKG) and the G10 Act). This has been regulated by statute in order to preclude ongoing investigations from being jeopardised.

    Types of data, requests and legal bases:

    What are inventory data? 

    Your personal data (such as your name and address or bank account number) are called "inventory data" in the texts of the laws. When you become the customer of a telecommunications company, the company must store the following personal data for you (§ 111 TKG): your name, your date of birth, and your address. When connections are provided, your telephone and fax numbers, as well as (depending on the kind of connection) further data such as device numbers, connection numbers or data about the contract's beginning and end must also be stored. For email providers, there is a special rule: they are allowed to refrain from collecting your personal data (§ 111 TKG) and are then not required to store it. Posteo makes use of this rule. We do not need your personal data, not even for billing purposes (see: Anonymous payment with Posteo). If email providers do store your personal data, they must (§ 111 TKG) store the following: the name of the email mailbox, the name of the holder of the mailbox, and this person's address. If the provider stores your bank data in connection with your mailbox, such data are also inventory data.

    Why does Posteo not collect any inventory data? 

    The legislator even explicitly calls on companies (§ 3a of the German Federal Data Protection Act) to avoid saving personal data whenever possible:

    Data avoidance and data minimisation: The collection, processing and use of personal data and the selection and design of data processing systems must be oriented to the goal of collecting, processing and using as little personal data as possible. In particular, personal data are to be made anonymous or pseudonymous, to the extent that this is possible according to the intended purpose and does not require disproportionate efforts in relation to the protective purpose that is sought.

    Bundesdatenschutzgesetz § 3a

    Our design of Posteo has been guided by this requirement.
    We handle data as economically as possible in order to protect our users as well as possible: only data that is never collected cannot, with 100% certainty, be stolen or misused. Countless cases have become known in which criminals have stolen customer data from companies, for example to obtain bank details and commit fraud. Our concept employs maximum privacy: we therefore do not collect any personal data and have made all payment processes anonymous.

    Under which circumstances may public authorities demand inventory data from email providers? Can inventory data be queried from Posteo? 

    Authorities can receive no inventory data from Posteo, because we don’t collect it.
    In general, inventory data may be queried from providers by numerous authorities and other authorised parties upon suspicion of a minor misdemeanour (such as a parking violation or a noise complaint). There is no substantive review or requirement of a judicial decision. The law allows for the identification of internet users for the prosecution of misdemeanours of any type. When providers with more than 100,000 participants collect inventory data, they must make it automatically available for query. According to the German Federal Network Agency (Bundesnetzagentur), about 6.92 million requests producing 34.3 million results were carried out in this manner in 2014. (Source: 2014 Activity Report of the Federal Network Agency)

    Do authorities only ask for data that companies are allowed to release within the framework of a disclosure of inventory data? 

    No. In the practice of inventory data requests under § 113 TKG there are grave security problems and deficiencies. Please read this year's transparency report, which deals with this subject.

    What are traffic data? 

    Traffic data are data that arise in telecommunications activity. Such data document, for example, the point in time at which an email was exchanged between two electronic mailboxes. Traffic data that accumulate at email providers are, for example:

    • information regarding when (point in time) an email was sent from a specific email address to another email address
    • information regarding the IP address from which the email was sent

    Such data are stored in the email provider's so-called "log files". Providers may use such data only for the following two purposes:

    1. for detecting, isolating and eliminating technical errors (§ 100, para. 1 TKG), for example, when sending or receiving emails
    2. for detecting misuse of the system (§ 100, para. 3 TKG), for example, by spammers.

    When can traffic data be released to authorities? Can authorities demand that Posteo collects traffic data for the prosecution of crimes? 

    Traffic data are subject to telecommunications secrecy. It is therefore prohibited to release traffic data in response to simple inquiries from authorities. Law enforcement agencies need a court order to query traffic data from us, and a judge grants such an order only if there is suspicion of a serious criminal act. German law also does not permit traffic data to be stored separately for the purpose of law enforcement (in particular, there is no data retention). Only data that is lawfully stored for operational reasons may be used to provide information. This means that public authorities may not demand that we collect additional traffic data about our users. When you visit our site and log in to your mailbox, for example, we do not store your IP address.

    Can Posteo release IP addresses of its users? 

    No. We do not collect or store them, because we do not require them for operational purposes. We therefore hold no IP addresses in connection with any account and consequently cannot release them.

    What is telecommunications secrecy, and when can it be limited? 

    Telecommunications secrecy is a fundamental right and, just like mail and postal secrecy, is protected by Article 10 of the German Basic Law (Grundgesetz). It stipulates that citizens have a right vis-à-vis the state for their private communications to be shielded, so that facts and thoughts can be exchanged and passed on without being observed from the outside. Both the specific content (phone calls, emails) and the traffic data of telecommunications are subject to telecommunications secrecy. However, it may also be limited; the cases in which limitations are possible are governed by the German Code of Criminal Procedure (Strafprozessordnung, StPO) and the G10 Act. In criminal proceedings, monitoring of telecommunications for a certain period of time may be ordered if there is a justified suspicion of a serious criminal act (§ 100a StPO). The monitoring must be ordered by a judge or, if there is danger in delay, by the Public Prosecutor's Office. Moreover, under § 100g StPO, the communication of traffic data may be ordered in individual cases. The G10 Act stipulates when services such as the State Offices for the Protection of the Constitution and the Military Counter-Intelligence Service are entitled to monitor telecommunications. If monitoring is ordered, the telecommunications provider must provide the authorised public authorities with a copy of the telecommunications activity. The person affected by such monitoring must be informed of the measure (by the authorities) as soon as the "purpose of the measure" permits this. The authorities must destroy the data they received during the access.

    What are content data, and under which circumstances can they be queried from email providers? 

    Content data are nothing more than the "content" of your communications: your emails. The German legislator has set a high hurdle for the release of content, because your emails are subject to telecommunications secrecy. As we never voluntarily release mailboxes (§ 94, para. 1, StPO) but always formally object to inquiries, a seizure under criminal law of a Posteo mailbox must be ordered by a judge (§ 94, para. 2, StPO; § 98, para. 1, sent. 1 or para. 2, sent. 1, StPO). Moreover, a TKÜ order under criminal law for monitoring a mailbox for a certain period of time may be issued only for certain serious criminal acts. Every court order must be presented to us (the provider) by the public authorities and is reviewed by our attorneys for scope and formal correctness before we pass on any data. The customer affected may not be informed of a TKÜ order; that would make us liable for prosecution.
    Please read this year's transparency report, which deals with this subject.

    What is the difference between a mailbox seizure and a TKÜ? 

    If there is a seizure under criminal law of a Posteo mailbox (§ 94, para. 2, StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1, StPO), we are obliged to pass on all emails that were in the relevant electronic mailbox at the point in time of the seizure. If there is a TKÜ order for monitoring a mailbox, we are obliged to divert to the authorised public authorities all emails that are received in or are sent from the relevant mailbox, beginning with the time of the order. Previously stored emails are not affected by a TKÜ. However, both measures – seizure and ongoing monitoring – may be combined with each other.

    Common questions on the release of data: encryption, passwords and “eavesdropping interfaces”

    I read that email providers with more than 10,000 users must install a governmental eavesdropping interface. Is that true and is that the so-called SINA box? 

    There is no SINA box at Posteo yet. A SINA box is not an eavesdropping interface that gives authorities access to data at a provider. More information on the SINA box and on the way German email providers transmit data to authorities can be found in our blog post on this topic. The telecommunications surveillance act requires telecommunications providers with at least 10,000 participants to install a special computer (a SINA box). For us, it is not possible to determine beyond doubt how many participants our service has, as we do not collect any personal information from our users; we only know the number of email accounts. The Bundesnetzagentur assumes that we have meanwhile crossed the threshold. We have therefore examined this topic intensively over the last year, which raised various questions that we are now pursuing. As soon as there is news on this, we will report it in our blog.

    Can Posteo be forced by investigative authorities or intelligence services to crack encryption? 

    No. Unlike in the United States or the UK, for example, this is not possible in Germany: there are no laws in Germany that could oblige us to break encryption. We had this clarified by our lawyers before developing encryption features such as Posteo crypto mail storage. That feature, for example, is technically designed so that Posteo cannot remove the encryption applied by the user; only the user can do so. If a user protects data with end-to-end encryption, the provider cannot remove that encryption either.

    Can authorities force Posteo to build backdoors and the like at Posteo? 

    No. There is no legal basis for this in Germany.

    Can Posteo release my Posteo password to authorities? 

    No. We do not store your password in plain text, but only as a so-called "salted hash value". We therefore do not know your password and cannot release it, either to you or to any third party. You can find more information on how passwords are protected at Posteo on our encryption topic page.

    I have stored a mobile phone number at Posteo. Can this number be released to authorities? 

    No. Your mobile number is not stored in plain text either, but, like your password, only as a "salted hash" in our database (a hash is not encryption: there is no key that would turn it back into the number). We do not know your mobile phone number and cannot release it to any third party. You can find more information about how mobile telephone numbers are protected at Posteo on our encryption explanation page.
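    The two answers above both rely on salted hashing. The following is an added example, not Posteo's code, showing how such a record is stored and verified, and one caveat a practitioner would want stated: a per-record salt defeats precomputed tables, but it does not stop someone who holds the database from simply trying every possible input. That is irrelevant for a strong password, but a mobile number has very little entropy, so a salted hash of it can be recovered by enumeration. The hash function (PBKDF2-HMAC-SHA256), iteration count, record format and the tiny numbering range enumerated here are all assumptions for illustration; the small candidate range stands in for walking the whole numbering plan offline, which is the same procedure with more time.

```python
import hashlib
import hmac
import itertools
import os
from typing import Iterable, Optional

# Assumptions for this example only: PBKDF2-HMAC-SHA256 with a low iteration
# count so the enumeration below runs quickly. A real deployment would use a
# memory-hard function (scrypt/Argon2) and a far higher work factor.
ITERATIONS = 1000
SALT_BYTES = 16


def make_record(secret: str, salt: Optional[bytes] = None) -> str:
    """Store a secret as 'salt_hex$hash_hex' with a fresh random salt per record."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(secret: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def recover(record: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: someone holding the record tries every candidate.
    The salt is stored next to the hash, so it is no secret to this attacker."""
    for candidate in candidates:
        if verify(candidate, record):
            return candidate
    return None


def mobile_candidates(prefix: str, suffix_digits: int) -> Iterable[str]:
    """Enumerate '+49' + prefix + every suffix of the given length.
    Constructed range for the demo; a full numbering plan is larger but finite."""
    for digits in itertools.product("0123456789", repeat=suffix_digits):
        yield "+49" + prefix + "".join(digits)


if __name__ == "__main__":
    # Constructed sample secrets, not real user data.
    phone_record = make_record("+4915123456789")
    password_record = make_record("correct horse battery staple")

    print("phone verifies:", verify("+4915123456789", phone_record))
    # Low-entropy secret: recovered by trying a small neighbourhood of numbers.
    print("phone recovered:", recover(phone_record, mobile_candidates("15123456", 3)))
    # High-entropy secret: a small wordlist gets nowhere.
    print("password recovered:", recover(password_record, ["password", "123456", "hunter2"]))
```

    The record itself never reveals the secret, and the same number hashed twice produces two different records because the salt differs; that is what the FAQ answers above describe. What the example adds is the limit of that protection: the only thing standing between a stolen record and a phone number is the cost of enumerating the numbering plan, which is why work factor and access control on the database matter as much as the salt.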

    Is Posteo affected by the planned reintroduction of data retention? 

    The government’s draft law for the planned reintroduction of data retention ("Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten") stipulates that the entire area of email should be exempt from being saved. This means that if it remains like this, Posteo is not counted among the obligated parties.
    Independent of this, we reject data retention in principle. We are currently following the situation very closely.

    Can investigative authorities access my data at all if I furnish my emails with end-to-end encryption or my Posteo email account is encrypted (with crypto mail storage)? 

    If a judicial ruling requires us to release an email account, we must release the content data as it exists on our systems. Email data stored with us that has been encrypted by the customer, e.g. using our crypto mail storage or with end-to-end encryption, cannot be decrypted by Posteo after the fact.
    If emails are encrypted, they are therefore released in encrypted form.