Transparency report
Important update
Please be aware of the following when reading these pages:
As a result of a decision by the European Court of Justice on June 13, 2019, email services like Posteo are no longer subject to German telecommunications law (TKG).
- All references on these pages to German telecommunications law (TKG) as well as the label of Posteo as a "telecommunications provider according to German telecommunications law (TKG)" are therefore no longer current.
- At the present time, there is no longer any legal basis for TKÜ (surveillance of an account for a specified time period); Posteo is therefore no longer allowed to and will not implement such orders.
- All other requests/requirements on the basis of German telecommunications law (TKG) are also invalid.
Presumably a new legal regulation will be put into motion in 2020. The legal situation is new and many questions remain unclear at this point. Meanwhile, we have the first evaluations from our lawyers in criminal law and telecommunications law.
Welcome to the Posteo transparency report.
We would like you to know how often authorities request user data from Posteo. In this report, we show how often investigative authorities and intelligence services have requested data from Posteo – and how often we actually had to release data. In addition, you will find out how often these requests were formally correct and how many of the requests were illegal. The report covers all requests from authorities that Posteo received until the end of December 2019. We split the presentation of the numbers for 2019 in two because email providers are no longer subject to German telecommunications law (TKG) since a decision by the European Court of Justice in June 2019. Since then we are no longer allowed to issue information in response to requests from authorities that refer to German telecommunications law (TKG). Also the surveillance of an account for a specified time period (TKÜ) is currently no longer admissible at email services. Numbers for the current year, 2020, will be published in 2021.
Posteo publishes requests
Because many requests from authorities that reach Posteo do not comply with the legal provisions, we have continually devoted emphasis to the information process in our reports since 2015. Here we criticise the chaotic conditions that prevail in requests for user information under § 113 TKG. We reveal that in practice grave security problems exist, that there are regular breaches of the law, and that deficiencies in controls are making the situation worse.
To prove this, we draw among other things on our own case documentation and publish examples of illegal requests from authorities. In addition, we publish our written communication with all the respective German federal state privacy officers as well as the justice ministries of the federal states. Thus you obtain an insight into our privacy-oriented background work that takes place at Posteo behind the scenes all year round.
We also occupy ourselves with the control instrument of the judicial reservation, which is in a state that in our view is no longer equitable in a constitutional state. In practice, all applications for surveillance measures were clearly approved. Though no statistics are kept on the efficacy of the judicial reservation, we have found numbers that prove this.
Our goals
In May 2014, Posteo became the first German telecommunications provider to publish a transparency report. We first had the permissibility of such a report checked with a legal opinion. Our move has since prompted other German providers to publish transparency reports as well – including, among others, Deutsche Telekom. With our transparency report, we would like to contribute to making existing grievances and legal realities public and allowing them to be debated.
We want something to change: although the government has been informed of some of the grievances for years, the situation has clearly not improved. Democratic control of state disclosure processes and surveillance measures in Germany must therefore be strengthened. We make proposals to this end in our transparency report. We call, for example, for the control organs to be better equipped.
Answers to frequently asked questions on the legal bases and processes as well as how Posteo deals with requests from authorities are found in the "Background information and FAQs" section.
Requests for information:
Preliminary note: We are a privacy-oriented provider with a strong concept of data efficiency. We therefore possess neither personal data (user data like names and addresses), nor the IP addresses of our customers. If Posteo becomes required to release user data under a judicial ruling, authorities can therefore only receive content data (e.g. emails). In response to requests for personal information or IP addresses, we reply to the authorities that we do not possess the requested data.
Emphases
Topic Constitutional state out of control: indefensible circumstances in manual requests for user information under § 113 TKG
Update Percentage of illegal requests for user information remains high in 2017
Topic Inadequate public controls of the information process under § 113 TKG and § 112 TKG
Topic Judicial reservation: in practice, clearly all applications for surveillance measures were granted
Update Year-on-year comparison: Last rejection of telecommunications surveillance ten years ago
Background information and frequently asked questions
General:
Why does Posteo publish a transparency report once per year?
We want our customers to know how many and what type of requests for information we receive from authorities. We also want to make transparent how Posteo handles such inquiries. After the large-scale surveillance of citizens by intelligence agencies became known, it is more important than ever that providers publish transparency reports. They strengthen fundamental rights, informational self-determination and democracy as a whole.
Why did Posteo first publish a transparency report in 2014, and why had no other telecommunications provider done so until then?
In 2013, we received our first requests whatsoever from police authorities. For us it was clear that we
wanted in future to publish a transparency report on requests from authorities following the model of
American telecommunications companies.
Our lawyers pointed out, however, that the legal situation regarding this in Germany was not clear and
for this reason, no German provider had published a transparency report until then. The legislator obligates
German telecommunications providers with secrecy regarding requests for information in the Telecommunications Act
(TKG) and the German G10 Act, among others. Therefore, prior to publication in May 2014, we had our
attorneys prepare a comprehensive legal opinion. We needed to clarify the situation in advance, as violating the
obligation of secrecy is punishable with up to five years’ imprisonment. The expert assessment that we
commissioned determined that publishing purely statistical information that does not allow any inferences
regarding individual cases is permitted. The Federal Ministry of Justice (Bundesministerium der Justiz) then
also confirmed this in response to an enquiry from Christian Ströbele, MdB. Posteo then ultimately
published the first transparency report by a German telecommunications provider on the 14th of May, 2014.
What would Posteo like to achieve by publishing transparency reports?
We would like it to become standard in Germany that telecommunications providers publish transparency
reports. This form of transparency strengthens the possibility of democratic controls and the evaluation of
surveillance measures. When we published the first report by a German telecommunications provider in 2014,
Deutsche Telekom followed a few hours later. In the meantime, a few other German providers have also
published appropriate reports. We offer an exchange of experiences with other providers that are
considering this.
Furthermore, we would like to instigate the provision of transparency reports by German providers in
open data format, so that a transparent overall picture of requests for information can emerge. We publish
our transparency report in an open, standardised exchange format (XML and JSON) so that any interested party
has the ability to process and work statistically with the data we provide. An additional goal of our
transparency reports is to reveal grievances in the information process and work towards improvement.
Why does Posteo publish the transparency report as open data?
For our transparency reports, we make the numbers available in a machine-readable format from now on. The
data can then be read licence-free (CC0) and processed further. In this way, interested individuals or
companies can assess the data in a completely different form to us, for example by undertaking
analysis and comparisons, if other providers also use this format to make the data in their transparency
reports available. The key term here is “open data”. A civil society can debate better with such
transparently available data at hand. In contrast with personal data, which has a high requirement for
protection, such statistical data does not require protection, but rather should be available to all
interested parties.
For the machine-readable form, we use a so-called plist/XML scheme that can also be used by other
providers without issue and can be extended if required. The data for 2014 can be accessed as JSON or PLIST.
Do the Posteo transparency reports cover all requests that Posteo has received to date? Is there such a thing as “secret requests”, which can not be included in the statistics?
In Germany, there are no such secret requests for which we can not provide statistical information. The Posteo transparency reports therefore cover all requests that we have received. In Posteo’s first four years of business (2009–2012) we did not receive any requests from authorities; until spring of 2013, Posteo was a very small provider. Reports exist for the years 2013 and 2014. Our reports encompass all requests from investigative authorities as well as all requests from intelligence services that have reached us.
Why do authorities request user information from an email provider?
Authorities request user information for various reasons: for example, to solve a crime or to pursue a suspicion of a minor breach of the law. Where there is a suspicion of serious crimes, investigative authorities are under certain circumstances entitled to receive emails or traffic data from providers. For this, however, they require a judicial ruling. For the release of personal information (for example, name and address) on the other hand, neither a judicial ruling nor the suspicion of a serious crime is necessary. With Posteo, no personal information can be requested as we do not collect our customers’ user information.
What does Posteo do when there is an inquiry from an authority? Does Posteo take legal action against unlawful requests?
We first have each inquiry from a public authority carefully reviewed by our lawyers. We take the
protection of our users' data very seriously. If our lawyers’ check determines that a request is not legally
conforming, formally incorrect or the reach of a decision does not extend to the data requested by the
authority, we lodge complaints. Posteo will never release data if there is doubt as to the correctness or
legality of a ruling. We do not spare any expense or effort: we assure you that our lawyers, who are
specialised in telecommunications, will do everything to defend your right to informational
self-determination in the worst case scenario. We do not want to hinder (criminal) investigations, but we do
want to ensure that the investigating authorities are actually entitled to receive the requested data. If
the authorities are actually entitled to receive a Posteo user’s content data (for example, emails) due to a
judicial ruling, then we must transfer such data to them. We are required to do this by law. Such requests
are, however, very rare.
In most cases, authorities only request user information such as names and addresses, and as we do not
save such data, we can not release it.
How often has Posteo had to transfer data to eligible authorities?
In 2013 and 2014, we were only required to release data to investigative authorities in individual cases after a judicial ruling (see the transparency reports for the years 2013 and 2014). Altogether, three email accounts were affected, for which there were sometimes multiple requests (e.g. account seizure as well as TKÜ). In each case, the authorities had presented a formally correct ruling for the ongoing surveillance of an email account or an email account’s seizure. Release of the data occurred only after a thorough check by our lawyers. In the years prior to 2013 we did not receive any requests from authorities.
Have Posteo employees ever been threatened, or have there ever been attempts to persuade them to unlawfully release data?
Yes. We go into this in the transparency report under "Authorities illegally request dynamic IP addresses".
Are affected users informed by Posteo?
No, we are not allowed to inform affected users. That would make us liable for prosecution. German telecommunications providers are bound to secrecy regarding most requests for information from authorities by various laws (among others, the Telecommunications Act (TKG) and the G10 Act). This has been regulated by statute in order to preclude ongoing investigations from being jeopardised.
Types of data, requests and legal bases:
What are inventory data?
Your personal data (such as your name and address or bank account number) are called "inventory data" in the texts of the laws. When you become the customer of a telecommunications company, the company must (§ 111 TKG) store the following personal data about you: your name, your date of birth, and your address. When connections are made, your telephone and fax numbers, as well as (depending on the kind of connection) further data such as device numbers, connection numbers or data about the contract’s beginning and end must also be saved. For email providers, there is a special regulation – they are allowed to refrain from collecting your personal data (§ 111 TKG), and are then not required to save it. Posteo makes use of this regulation. We do not need your personal data – not even for billing purposes (see: Anonymous payment with Posteo). If email providers want to save your personal data, they must (§ 111 TKG) save the following data: the name of the email mailbox, the name of the holder of the email mailbox, and this person’s address. If the provider stores your bank data in connection with your mailbox, such data also count as inventory data.
Why does Posteo not collect any inventory data?
The legislator even explicitly calls on companies (§ 3a of the German Federal Data Protection Act) to avoid saving personal data whenever possible:
Data avoidance and data minimisation: The collection, processing and use of personal data and the selection and design of data processing systems must be oriented to the goal of collecting, processing and using as little personal data as possible. In particular, personal data are to be made anonymous or pseudonymous, to the extent that this is possible according to the intended purpose and does not require disproportionate efforts in relation to the protective purpose that is sought.
Bundesdatenschutzgesetz § 3a
Our design of Posteo has been guided by this requirement.
We work as economically with data as possible, to protect our users as best as possible: only data that
is not collected can with 100% certainty not be stolen or misused. Meanwhile, countless cases have become
known in which criminals have stolen customers’ data from companies, for example to access bank data and to
commit fraud. Our concept employs maximal privacy: we therefore do not collect any personal data, and have
made all payment processes anonymous.
Under which circumstances may public authorities demand inventory data from email providers? Can inventory data be queried from Posteo?
Authorities can receive no inventory data from Posteo, because we don’t collect it.
In general, inventory data may be queried from providers by numerous authorities and other authorised
parties upon suspicion of a minor misdemeanour (such as a parking violation or a noise complaint). There is
no substantive review or requirement of a judicial decision. The law allows for the identification of
internet users for the prosecution of misdemeanours of any type. When providers with more than 100,000
participants collect inventory data, they must make it automatically available for query. According to the
German Federal Network Agency (Bundesnetzagentur), about 6.92 million requests producing 34.3 million
results were carried out in this manner in 2014. (Source: 2014 Activity Report of the Federal Network Agency)
Do authorities only ask for data that companies are allowed to release within the framework of a disclosure of inventory data?
No. In the practice of inventory data requests under § 113 TKG there exist grave security problems and deficiencies. Please read our transparency report for this year, which concerns itself with this subject.
What are traffic data?
Traffic data are data that arise in telecommunications activity. Such data document, for example, the point in time at which an email was exchanged between two electronic mailboxes. Traffic data that accumulate at email providers are, for example:
- information regarding when (point in time) an email was sent from a specific email address to another email address
- information regarding the IP address from which the email was sent
Such data are stored in the email provider’s so-called "log files". They may use such data only for the following two purposes:
- for detecting, isolating and eliminating technical errors (§ 100, para. 1 TKG), for example, when sending or receiving emails
- for detecting misuse of the system (§ 100, para. 3 TKG), for example, by spammers.
When can traffic data be released to authorities? Can authorities demand that Posteo collects traffic data for the prosecution of crimes?
Traffic data are subject to the protection of telecommunications secrecy. It is therefore prohibited to release traffic data in response to simple inquiries from authorities. Law enforcement agencies need a court order to query traffic data from us. This is only granted by a judge if there is suspicion of a serious criminal act. German law also does not permit traffic data to be stored separately for the purpose of law enforcement (in particular, data retention). Only data that is lawfully stored for operational reasons may be used to issue information. This means that public authorities are not allowed to demand that we collect additional traffic data of our users. When you visit our site and log in to your mailbox, we do not store your IP address, for example.
Can Posteo release IP addresses of its users?
No. We can not collect and save these because we do not require them for operational purposes. We therefore do not possess IP addresses in connection to any accounts and can not release them as a result.
What is telecommunications secrecy, and when can it be limited?
Telecommunications secrecy is a fundamental right and, just like mail and postal secrecy, is subject to the protection of Article 10 of the German Basic Law (Grundgesetz). It stipulates that citizens have a right vis-à-vis the state for their private communications to be shielded so that facts and thoughts can be exchanged and passed on without this being observed from the outside. Both specific content (phone calls, emails) and the traffic data of telecommunications are subject to telecommunications secrecy. However, this may also be limited – the cases in which limitations are possible are governed in the German Code of Criminal Procedure (Strafprozessordnung or StPO) and the G10 Act. With law enforcement actions, a monitoring of telecommunications for a certain period of time may be ordered if there is a justified suspicion of a serious criminal act (§ 100a, StPO). The monitoring must be ordered by a judge or – if there is a danger in delay – by the Public Prosecutor's Office. Moreover, under § 100g of the StPO, the communication of traffic data may be ordered in individual cases. The G10 Act stipulates when services such as the State Offices of the Protection of the Constitution and the Office for Military Counter-Intelligence Service are entitled to monitor telecommunications. If monitoring is ordered, the telecommunications provider must provide the authorised public authorities with a copy of the telecommunications activity. The person affected by such monitoring must be informed of the measure that was conducted (by the authorities) as soon as the "purpose of the measure" permits this. The authorities must destroy the data that they received during the access.
What are content data, and under which circumstances can they be queried from email providers?
Content data are nothing more than the "content" of your communications – your emails. The German
legislator has placed a hurdle on the release of content that is quite high: your emails are subject to
telecommunications secrecy. As we never voluntarily release mailboxes (§ 94, para. 1, StPO) but always
formally object to inquiries, a seizure under criminal law of a Posteo mailbox must be ordered by a judge (§
94, para. 2, StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1, StPO). Moreover, a TKÜ order under criminal
law for monitoring a mailbox for a certain period of time may be effected only for certain serious criminal
acts. Every court order must be presented to us (the provider) by the public authorities, and is reviewed by
our attorneys for scope and formal correctness before we pass on any data. The customer affected may not be
informed of a TKÜ order. That would make us liable for prosecution.
Please read our transparency report for this year, which concerns itself with this subject.
What is the difference between a mailbox seizure and a TKÜ?
If there is a seizure under criminal law of a Posteo mailbox (§ 94, para. 2, StPO, § 98, para. 1, sent. 1 or para. 2, sent. 1, StPO), we are obliged to pass on all emails that were in the relevant electronic mailbox at the point in time of the seizure. If there is a TKÜ order for monitoring a mailbox, we are obliged to divert to the authorised public authorities all emails that are received in or are sent from the relevant mailbox, beginning with the time of the order. Previously stored emails are not affected by a TKÜ. However, both measures – seizure and ongoing monitoring – may be combined with each other.
Common questions on the release of data: encryption, passwords and “eavesdropping interfaces”
I read that email providers with more than 10,000 users must install a governmental eavesdropping interface. Is that true and is that the so-called SINA box?
There is no SINA box at Posteo yet. A SINA box is not an eavesdropping interface that allows authorities access to data at a provider. More information on the SINA box and the way German email providers transmit data to authorities can be found in our blog post on this topic. In the telecommunication surveillance act, there is a requirement for telecommunications providers with at least 10,000 members to install a special computer (SINA box). For us, it is not possible to determine without doubt how many members our service has, as we do not collect any user information from our users. We only know the number of email accounts. The Bundesnetzagentur assumes that we have meanwhile crossed the threshold. We have therefore intensively occupied ourselves with this topic during the last year. This resulted in various questions that we are now pursuing. As soon as there is any news on this, we will report it in our blog.
Can Posteo be forced by investigative authorities or intelligence services to crack encryption?
No, unlike in the United States or the UK (for example), this is not possible in Germany. There are no laws in Germany that could oblige us to break encryption. We had this clarified through our lawyers before developing encryption features such as Posteo crypto mail storage. This, for example, is technically designed such that Posteo can not remove the encryption applied by the user – only the user can do this themselves. If a user furnishes data with end-to-end encryption, this can not be removed by the respective provider.
Can authorities force Posteo to build backdoors and the like at Posteo?
No. There is no legal basis for this in Germany.
Can Posteo release my Posteo password to authorities?
No. We do not store your password in plain text, but only as so-called "salted hash values". Thus, we do not know your password, and cannot release it either to you or to any third party. You can find more information on the encryption of passwords at Posteo on our encryption topic page.
I have stored a mobile phone number at Posteo. Can this number be released to authorities?
No. Your mobile number is encrypted in our database, again, as a "salted hash". We do not know your mobile phone number, and cannot release it to any third party. You can find more information about encryption of mobile telephone numbers at Posteo on our encryption explanation page.
Is Posteo affected by the planned reintroduction of data retention?
The government’s draft law for the planned reintroduction of data retention ("Gesetz zur Einführung einer
Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten") stipulates that the entire area of
email should be exempt from being saved. This means that if it remains like this, Posteo is not counted
among the obligated parties.
Independent of this, we reject data retention in principle. We are currently following the situation
very closely.
Can investigative authorities access my data at all if I furnish my emails with end-to-end encryption or my Posteo email account is encrypted (with crypto mail storage)?
If we are required by a judicial ruling to release an email account, we need to release content data, as it
exists. Email data saved with us that has been encrypted by the customer, e.g. using our crypto mail storage
or with the help of end-to-end encryption, can not be decrypted by Posteo in retrospect.
If emails are encrypted, they will therefore be released encrypted.