Germany pushes for widespread end-to-end email encryption

The biggest webmail providers in Germany will soon encourage their customers to use full-blown end-to-end email encryption. The providers, including Deutsche Telekom and United Internet, will next month roll out a browser plugin that’s supposed to make traditionally laborious PGP technology easier to use – and in the process, they’re addressing a key concern about the existing “De-Mail” system.

The De-Mail initiative dates back to 2011, when the German government decided to push for trusted email both as an e-government tool and as a way to cut down on official and corporate paper mail. De-Mail addresses are provided by the likes of Deutsche Telekom and United Internet’s Web.de, and those signing up for them need to show a form of official identification to do so. Receiving emails on a De-Mail address is free but sending them costs money.

In 2013, shortly after Edward Snowden’s leaks started causing conniptions in Berlin, the providers announced that they would start encrypting emails traveling between their various servers – something they should really have been doing anyway. However, emails sent through the system are still scanned for viruses, using a system designed by the German Office for Information Security (BSI), before they are sent to the recipient.

The new end-to-end encryption system will be more secure than that, leaving anyone other than the sender and the recipient unable to inspect what is being sent. From April, De-Mail users will be able to download a plugin for Chrome or Firefox that will supposedly make PGP easy to use, which is no mean feat. United Internet developed the plugin in conjunction with the open-source Mailvelope OpenPGP project and its code will be published, so suspicious developers and hackers will be able to check it for backdoors. The keys will be stored on the customer’s device.

If it all works as promised, this might prove a significant boost for the De-Mail initiative. A recent report showed lackluster take-up for De-Mail among citizens, largely because of the friction involved in registering an address. To that end, the providers also announced on Monday that they’re keen to use online bank accounts as a suitable form of identification – after all, you need ID to set one of those up in Germany, so the verification is already done there. According to a Deutsche Telekom spokesman, the BSI is currently reviewing this proposal.

