The biggest webmail providers in Germany will soon encourage their customers to use full-blown end-to-end email encryption. The providers, including Deutsche Telekom and United Internet, will next month roll out a browser plugin that’s supposed to make traditionally laborious PGP technology easier to use – and in the process, they’re addressing a key concern about the existing “De-Mail” system.
The De-Mail initiative dates back to 2011, when the German government decided to push for trusted email both as an e-government tool and as a way to cut down on official and corporate paper mail. De-Mail addresses are provided by the likes of Deutsche Telekom and United Internet’s Web.de, and those signing up for them need to show a form of official identification to do so. Receiving emails on a De-Mail address is free but sending them costs money.
In 2013, shortly after Edward Snowden’s leaks started causing conniptions in Berlin, the providers announced that they would start encrypting emails traveling between their various servers – something they should really have been doing anyway. However, emails sent through the system are still scanned for viruses, using a system designed by the German Office for Information Security (BSI), before they are sent to the recipient.
The new end-to-end encryption system will be more secure than that, leaving anyone other than the sender and the recipient unable to inspect what is being sent. From April, De-Mail users will be able to download a plugin for Chrome or Firefox that will supposedly make PGP easy to use, which is no mean feat. United Internet developed the plugin in conjunction with the open-source Mailvelope OpenPGP project and its code will be published, so suspicious developers and hackers will be able to check it for backdoors. The keys will be stored on the customer’s device.
If it all works as promised, this might prove a significant boost for the De-Mail initiative. A recent report showed lackluster take-up for De-Mail among citizens, largely because of the friction involved in registering an address. To that end, the providers also announced on Monday that they’re keen to use online bank accounts as a suitable form of identification – after all, you need ID to set one of those up in Germany, so the verification is already done there. According to a Deutsche Telekom spokesman, the BSI is currently reviewing this proposal.
The De-Mail PGP push appears to have the full support of the German government, providing a notable contrast with the stance of authorities in the U.S. and U.K., who oppose end-to-end encryption because they want their law enforcement and intelligence agencies to be able to more easily read people’s communications. In a statement, interior minister Thomas De Maizière said encryption was an important requirement for Germany’s desire to take the lead in the provision of digital services. He said the new plugins would provide “mass-market-suitable” end-to-end encryption for a variety of different use cases and security requirements.
Various government departments and local authorities are moving over to De-Mail – the Federal Employment Agency started using it for communicating with citizens last month, and the cities of Dresden and Cologne are doing the same. It’s not yet clear whether these authorities will use PGP for those emails, though a United Internet spokesman suggested to me that they will be encouraged to do so.
Email does always leak metadata and we are of course talking about ID-verified email addresses that will be able to show with great certainty that X was talking to Y. However, if this scheme works out it will be a huge boost in getting ordinary people to use what is still very much a niche technology, and once they’re comfortable with it they may start using PGP with regular, possibly anonymous email addresses for added privacy.
Google is also working on an end-to-end encryption plugin for its Gmail service, but that effort is still in the alpha stage and probably some way off from being ready for the mass market.
This article was updated at 5.40am PT with a reference to the cost of using De-Mail.