Deutsche Telekom, Web.de and GMX launch "E-mail made in Germany" initiative

113 points| junto | 12 years ago |telekom.com | reply

96 comments

[+] sentenza|12 years ago|reply
Don't use any of these email providers. First up, they are not trustworthy, especially Deutsche Telekom. DT is the privatised former state-owned telco monopolist, with a gigantic share of userbase and partial ownership by the German federal state. Most likely, every intelligence agency, domestic or foreign, that is operating in Germany with sanction of the government will have access to anything on their servers.

Also there is Quellen-TKÜ, which means that every single one of the three gives access to their servers to German law enforcement. If I remember correctly, the Quellen-TKÜ law says that any online service provider that has more than X users (10k?) has to provide access to law enforcement in such a way that the provider operators themselves don't know about the individual access operations.

[+] junto|12 years ago|reply
That isn't the point, is it? The step forward here is that the communications between these providers are now encrypted by default and foreign entities such as the NSA will now have a harder job doing traffic and content analysis on German emails being sent to and from German nationals.

I don't have a problem with a German judge in a German court, granting a search warrant with reasonable grounds where all checks and balances are in place. I do have a problem with secret courts with secret laws and gag orders hiding this kind of thing from the public.

If foreign intelligence agencies are allegedly granted unhindered access to their servers then I see that as a scandal. Have you got any evidence to back up that claim?

[+] pepr|12 years ago|reply
The point here isn't that ANY government can't listen on. That's a noble goal but so not achievable in a short period of time for everyone. The goal here is that German citizen isn't spied on by the US government because the US government has shown utter lack of respect to rights of anyone who isn't a US citizen. The point here is that if your own democratic government is spying on you, you have some (albeit limited) degree of control (elections) and rights (because you're voter, so they care about you). When a foreign government spies on you, you have almost zero control.
[+] mrottenkolber|12 years ago|reply
Second this. Internationals might think this sounds like some case of German quality engineering. Not. "All encryption done by the providers." says it all. It's a farce.

And I have to agree with some people in this thread that Germany's IT engineering lags behind a lot. Either our tech education is as bad as I think it is, or I don't know what. But this whole De-Mail thing started as an initiative by the postal service to develop an "E-Post-Brief" aiming to be an official/secure/non-deniable electronic postal service. Which is ridiculous.

I think the technical right thing to do (safe, anonymous communication) is just not what any state would want. It doesn't help consumerism and it doesn't protect the ruling social norms so why would a state fund it?

[+] benzimmer|12 years ago|reply
What they claim to do is basically what everybody is already doing. SSL between email servers can be considered standard, as well as SSL or at least StartTLS between client and server.

De-Mail is another thing which was introduced some years ago now. In short: messages are encrypted on the client side, then decrypted on the server, then encrypted again and sent to the recipient, where they are decrypted again... Imagine your post office opening your mail before forwarding it to the recipient. Along with some other things no sane person would ever suggest doing with email, De-Mail is a complete farce...

TL;DR: I'm from Germany, and my opinion is that this is the most brutal kind of PR bullshit you can get...

[+] blablabla123|12 years ago|reply
Still better than having all your data traffic piped to the NSA. Don't forget that this pipe is behind the SSL wall of Google. Being from Germany too, I'm seriously considering moving my mail account from GMail to Web.de. Already started moving my private Docs away from Google.

I like Google services and even before Snowden I was aware of the fact that international communication is watched by Secret agency. But really, why do they keep track of everything?

[+] bhrgunatha|12 years ago|reply
Der Spiegel reported that Germany collaborated with the US very, very closely and even uses XKeyScore. [1]

"The Americans provided the BfV with one of their most productive spying tools, a system called "XKeyscore." It's the same surveillance program that the NSA uses to capture a large share of the up to 500 million data sets from Germany, to which it has access each month, according to internal documents seen and reported on by SPIEGEL on the first of this month."

How is this anything but propaganda?

[1] http://www.spiegel.de/international/world/german-intelligenc...

[+] linohh|12 years ago|reply
Snake oil. Election day is coming, the conservative idiots in charge want some good press. The German interpretation of e-mail (De-Mail) is utter bullshit. Encrypted e-mail that is decrypted multiple times on its way, of course that will prevent the government from reading my mail. NOT.

It seems that there are enough idiots in the world who are willing to reelect that treacherous pile of smelly shit impersonating a federal government at the moment.

[+] junto|12 years ago|reply
I don't see what a bunch of corporate entities have to do with an election campaign. This is a response to the German public's concern that a foreign government is doing content analysis on emails within Germany. This makes it harder for the spooks down in Ramstein to analyse the traffic flowing between German consumers and German corporations, which is a damn good thing. This spying might also be (mis)used for corporate espionage as well.

It isn't going to stop a German police warrant or BND investigation requiring these companies to hand over your emails, and the EU data retention policies are still in place, but it does stop the foreign spooks sticking their noses in where it isn't wanted. De-Mail is, as you say, bullshit, but that isn't what this is really about.

I know that from my GMX account I can email someone on a Web.de account, and even if the Internet decides to route my email over the Atlantic first or through Frankfurt, where I hazard a guess the NSA will be doing their optical splitting, it doesn't matter.

If they want to read my emails they have to brute force that or have a copy of the keys.

This is a small, but great step forward in my opinion.

[+] computer|12 years ago|reply
> " For security reasons, from the beginning of 2014 the initiative partners will only transport SSL-encrypted e-mails to ensure that data traffic over all of their transmission paths is secure."

That's the most significant part of this announcement-- it means there's finally a push to phase out plaintext email transport, which allows passive surveillance to intercept mail.

[+] mikemoka|12 years ago|reply
Yes, because there is no reason to believe that the German government has any interest in the active surveillance of digital communications.

/* sarcasm */

[+] Derbasti|12 years ago|reply
If this were implemented correctly, it would keep non-German governments from being able to snoop on German emails. If Germany does not snoop on Germans without a warrant, this would actually be a good thing for Germans. If Europe has data protection laws that prohibit snooping on foreign people without a warrant, this would actually be a good thing for everyone.

A lot of ifs that need to be answered. But this could be a good thing.

[+] greenyoda|12 years ago|reply
Until the recent revelations about the NSA, we also believed (perhaps naively) that the U.S. had data protection laws that prohibited spying on citizens without a warrant. It may be just a matter of time before we find out that Germany has murky laws and secret courts that disregard fundamental legal principles just like the U.S. does, or that the German intelligence agencies work closely with the NSA. So if I really wanted secure e-mail, the only thing I could really trust at this point would be to encrypt my message on my own machine using a transparent, open source program like PGP. Once you rely on a third party to encrypt your e-mail for you (or even to provide you with encryption software), you're vulnerable to their being strong-armed by a government to give up your data.
[+] rdl|12 years ago|reply
Are they seriously talking about enforcing TLS on all SMTP? That would break deliverability to a lot of servers, but would be pretty awesome. I assume it wouldn't actually check certs in any meaningful way, though, so only protecting from passive eavesdropping, but it's a big positive step.

I'm increasingly tempted to throw that switch myself, or at least start filtering all my non-TLS'd mail into a special mailbox of "figure out if I actually care if these people become unreachable in 6mo when I actually enforce TLS." Arguably it would be worse to accept the message and then bounce it, since you'd have received the text in the clear, but maybe log and send an informative-to-end-user rejection notice based on envelope, and to me?

[+] yrro|12 years ago|reply
You would configure your email server to reject the two following cases:

Case 1: SMTP client that knows nothing about TLS

  S: 220 server.example ESMTP Greetings!
  C: HELO host.example
  S: 550 TLS only, thanks!

Case 2: ESMTP client that knows nothing about TLS

  S: 220 server.example ESMTP Greetings!
  C: EHLO host.example
  S: 250-STARTTLS
  C: MAIL FROM: [email protected]
  S: 550 TLS only, thanks!

Sadly, a client that refuses to attempt TLS negotiation will always leak the sender address of the message it wants to send you. This happens in many protocols when TLS is bolted on as an afterthought. We're actually worse off using the standardized TLS extension to SMTP here than we are with the non-standardized SSL: a connection to port 465, followed by immediate SSL negotiation won't leak anything to a passive eavesdropper.

This only gets you so far however. An active attacker can MITM the connection with ease, since there is no convention for how to verify an SMTP peer's certificate. I don't see this changing until DNSSEC is deployed in every domain you correspond with, and the peer's certificate is somehow authenticated with information from their DNS zone.

Aside: for a protocol that is designed even worse than SMTP with regards to leaking information over insecure channels, look at IMAP:

  S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
  C: 0 login user@example hunter12
  S: BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
  S: 0 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

The stupid protocol design results in the client transmitting the user's credentials in plain text as soon as it connects to the server.
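A worked illustration of the "TLS only" rejection policy and the envelope leak described above, added here as an example and not code from the thread, Dovecot or any of the providers: a scripted server-side SMTP policy that answers the two cases, records what a passive observer captures before TLS is up, and contrasts STARTTLS with implicit TLS on port 465. Hostnames and the sender address are constructed.

```python
# Added example: a minimal SMTP policy state machine that refuses to accept
# mail until TLS is negotiated. `leaked` collects every client line sent in
# the clear, i.e. what a passive eavesdropper on the wire would have seen.

SERVER = "server.example"          # constructed hostname


def run_session(client_lines, implicit_tls=False):
    """Return (server replies, client lines leaked in plaintext).

    implicit_tls=True models port 465: TLS is up before the first byte, so
    nothing the client sends is ever visible to a passive observer.
    """
    replies = [f"220 {SERVER} ESMTP Greetings!"]
    leaked = []
    tls_up = implicit_tls
    esmtp = False                  # True once EHLO has been seen on this layer
    for line in client_lines:
        if not tls_up:
            leaked.append(line)    # plaintext phase: everything is observable
        verb = line.split(" ", 1)[0].upper()
        if verb == "HELO":
            # Case 1: a HELO client can never negotiate STARTTLS; reject early.
            replies.append("550 TLS only, thanks!")
        elif verb == "EHLO":
            esmtp = True
            if tls_up:
                replies.append(f"250 {SERVER}")
            else:
                replies.append(f"250-{SERVER}\r\n250 STARTTLS")
        elif verb == "STARTTLS":
            if not esmtp or tls_up:
                replies.append("503 Bad sequence of commands")
            else:
                replies.append("220 Ready to start TLS")
                tls_up = True      # the real handshake would happen here
                esmtp = False      # RFC 3207: client must send EHLO again
        elif verb in ("MAIL", "RCPT", "DATA"):
            # Case 2: MAIL FROM before STARTTLS has already leaked the sender;
            # rejecting it at least keeps the body and recipients off the wire.
            if not tls_up:
                replies.append("550 TLS only, thanks!")
            elif not esmtp:
                replies.append("503 Send EHLO first")
            else:
                replies.append("250 OK")
        elif verb == "QUIT":
            replies.append("221 Bye")
        else:
            replies.append("500 Command not recognised")
    return replies, leaked


# Constructed client sessions matching the two rejected cases and a good one.
CASE1 = ["HELO host.example"]
CASE2 = ["EHLO host.example", "MAIL FROM:<alice@host.example>"]
CASE3 = ["EHLO host.example", "STARTTLS",
         "EHLO host.example", "MAIL FROM:<alice@host.example>"]

if __name__ == "__main__":
    for name, session in (("case1", CASE1), ("case2", CASE2), ("case3", CASE3)):
        replies, leaked = run_session(session)
        print(name, replies[-1], "| leaked:", leaked)
    print("port465", run_session(CASE3[2:], implicit_tls=True))
```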
[+] realrocker|12 years ago|reply
Privacy-Shrivacy Bollocks. Many here do not get the point. US having intimate information of a foreign populace is akin to having an extra weapon in their arsenal. In today's world data is the new gunpowder. If you have insight(I mean really really know) into what a foreign country would buy/sell you can have an upper hand in trade negotiations. This is not some prudish step to prevent Uncle Sam to look into your private details. This is all out cold war. Diplomats across the world are talking about one thing today: Nullifying the U.S advantage. I guess China foresaw it.
[+] mattjaynes|12 years ago|reply
Foreign leaders woke up one day to find that the US now has deep spy penetration into their local populace.

Oops. Huge national security fail.

They haven’t said much publicly, but behind closed doors they're scrambling to figure out how to get their pants back up.

This is only the very beginning of a huge shift that most of the US is blind to or in denial about.

All around the world, in government offices and in business board rooms, leaders are trying to figure out how to get off the US cloud.

The US cloud has been compromised and that trust just isn't coming back.

The barrier now is not political will, but a lack of local tech talent that can build viable alternatives to the US cloud services.

Many countries are kicking themselves now for not growing/poaching tech talent more aggressively.

Interesting times when having good web developers is a big national security asset.

You'll see the more tech rich countries move first. It's no surprise Germany's a first mover here.

Of course, with any big disruption there will be winners and losers.

Who the losers will be is obvious - US cloud companies.

Sure, they'll still have the US market (which is huge), but international markets will start drying up.

Skeptical? Google is hearing a huge sucking sound of money evaporating from Germany right now. Google's so big, they may not notice a few million yet, but I assure you, they will notice eventually. Karmic justice for short-sightedness in not out-lobbying the big defense contractors in Congress.

What's comical is how cheap it would be to out-lobby the defense contractors: http://www.opensecrets.org/industries/indus.php?Ind=D

The top contributing defense contractor (Northrop Grumman) only gave about $3 million last year. I'm sure they paid more than that for actual lobbyists, etc, but it's still not even petty cash at Google.

Of course, I don't mean to pick only on Google. There are many multi-multi-billion dollar cloud companies in the US that have been easily out-lobbied by the defense industry.

It would have been pennies compared to what they'll ultimately lose in the drying-up international markets.

So, who will be the winners? While security companies will see a boon, it's the open source companies that I think will see the biggest win.

With open, auditable code, countries can set up their own services. Of course, they'll need support and training and that's where the open source companies really shine.

It's important to remember that the goal for these countries will rarely be fool-proof privacy for each individual citizen. Instead, the goal is to prevent a foreign power from having deep intimate access to every detail of your populace.

Granted, many of these countries will use this transition to just spy on their own citizens. However, other countries will have a good functioning democracy and a citizenry that values privacy and will avoid those abuses.

For those countries that have robust protections and engender international trust, they'll have a big business advantage when it comes to foreign consumers.

[+] jbail|12 years ago|reply
"However, other countries will have a good functioning democracy and a citizenry that values privacy and will avoid those abuses."

Is this just wishful thinking or is there a specific functioning democratic government that should we all trust?

My opinion is that nobody should trust any government. Not fully at least. Not their own. Certainly not somebody else's. History has shown this to be a generally prudent position to take. I mean, why should I trust the German government more than the United States government? How about Norway or Kenya or Thailand?

I do not think there's some magical country that is about to have a big business advantage based on "trust" because their citizens value privacy (as if that were even measurable). Most likely, countries will just become a touch more insular with their technology, noting that it, like food production, is somewhat of a national security issue.

[+] Vivtek|12 years ago|reply
a lack of local tech talent that can build viable alternatives to the US cloud services.

It is amazing to me that someone could say this with a straight face.

[+] Quequau|12 years ago|reply
This first line is almost certainly false. I've only been paying attention to the German & Austrian news for the decade I've been living in Austria. However, for most of that time, reports that the Germans were both cooperating closely with American State Security agencies as well as running their own pervasive & intrusive espionage programs have been a recurring thing.

Even if all those reports are completely baseless, something I find wildly improbable, there's just no way to fairly describe anyone in a position of power as surprised... this has been a topic of discussion for far too long for that.

[+] mtgx|12 years ago|reply
I for one am hoping this will finally bring the death of Facebook, too, at least in Germany and Europe.
[+] EliRivers|12 years ago|reply
Sure, they'll still have the US market

Why? Do US citizens not like privacy?

[+] ColinWright|12 years ago|reply
I'm having trouble seeing how this will work. They say:

  > Data are encrypted directly by the provider, ...

and they also say:

  > automatically encrypt data over all transmission paths

If it's done by the provider, how does the data get from my machine to their machine to be encrypted?
[+] aw3c2|12 years ago|reply
In their eyes your machine is their webmail interface which runs of course in the "cloud".
[+] a3n|12 years ago|reply
As many commenters here say, it isn't inherently more secure than a US-based service. It may be more socially secure, if the warrant system in Germany is more specific than our general system of warrants to spy on everyone foreign or domestic.

However, there's a good reason for German citizens to prefer German services: it takes money away from American service. Money is the only voice that will ever fix this.

So I ask every non-US citizen: please, take your money elsewhere. Please.

[+] kayoone|12 years ago|reply
It seems like a noble move, but as a German I know these companies pretty well and I am very sure they only do this to stop German users wandering off to non-German email providers like GMail. It's still a good thing of course, but don't think they do this because they feel it's the right thing to do.

Heck, if they could they would even charge extra for it.

[+] walshemj|12 years ago|reply
Next France Telecom will announce Minitel v2.0 for French "courriel"

and the uk will revert to OSI based email using dialcom software - "just don't tell anyone about the Level 7 accounts"

[+] michalu|12 years ago|reply
I have both gmail and GMX and to be honest if "the email made in Germany" will be the same as GMX I will gladly offer my data to NSA and stay with gmail.

In other words this whole debate about security will pass and 95% of people will forget or become ignorant so unless they create a service people actually want to use this is just a waste of money.

From my experience GMX totally doesn't get it, and if you become their user they will eventually piss you off to the point where you will run towards the NSA just to use something like GMail.

[+] tillk|12 years ago|reply
> Data are encrypted directly by the provider, which means customers need no specific technical know-how and incur no extra costs. All data are stored in secure data centers located in Germany.

Not sure how this is the solution. People need to learn how to do encryption themselves. For the average John Doe (or Hans Wurst :-)) there need to be tools to accomplish that without a degree in Math or CS.

I don't think provider-side encryption is a solution at all. Collecting vast amounts of meta data would still be possible.

[+] kriro|12 years ago|reply
Telekom has actually been selling their own cloud services with "German privacy laws/not hosted in the US" before the NSA stuff. It was a very notable point of emphasis for them when selling to small/midsized corporations, so I'm not surprised they are all over this.

They are a pretty crappy company in general (imo) but they got this right very early. And by got this right I mean that they are using it for marketing/sales. I mean yay SSL but German mail providers tend to be...meh

[+] Radle|12 years ago|reply
That is why you would use such an E-Mail service:

"I don't have a problem with a German judge in a German court, granting a search warrant with reasonable grounds where all checks and balances are in place. I do have a problem with secret courts with secret laws and gag orders hiding this kind of thing from the public."

Take it with a little salt anyway; there is always the possibility for American services to get access to your data, for example if they had an employee in any of the German companies.

[+] Vivtek|12 years ago|reply
... or if they just ask the BND.
[+] axelfreeman|12 years ago|reply
They use a US-based "cloud" anti-virus scanner in this system. They decrypt the mail for scanning it. It's ridiculously stupid. No end-to-end encryption. That's all marketing bullshit.

Think about it. In the "De-Mail" system all senders are verified. That means that I can kick spammers out easily. Why would they decrypt it for scanning? Bingo! Surveillance.

But this is just what I think. I have written a comment on their blog and I'm excited to see what they say.

[+] lukele|12 years ago|reply
One very interesting tidbit, regardless of the fact that this is simply some PR stunt at exactly the right time: according to the renowned German news magazine Die Zeit, two of the founders of Narus, which helped develop the PRISM technology, are now working for Deutsche Telekom. Go figure!

Source: http://www.zeit.de/2013/33/nsa-spionage-industrie-profiteure