mailbox.org transparency report 2021: 15.4 % of requests inadmissible

Today we publish our transparency report for 2021, accounting for all requests for information that we as a provider received from authorities over the last year. For the first time ever, the overall number of requests has decreased compared with previous years. The proportion of rejected requests has also turned out lower than before.

There were 65 requests in total submitted by the authorities in 2021, of which ten were rejected due to being unlawful or containing formal errors. Four of these requests were subsequently corrected and resubmitted, and then processed accordingly. The other six were ultimately rejected. In comparison to the year before, the proportion of ultimately rejected requests for information has decreased substantially (9.2 % in 2021, and 27.1 % in 2020). See the visualisation from last year's report below.

Transparency report 2020

The authorities have caught up

Probably the most remarkable observation has been the large number of correctly submitted requests that we received last year. While only 49.4 % of all initial requests in 2020 were correctly made, the figure for 2021 is an impressive 84.6 %. One explanation for this is that requests have become more standardised across different authorities. On top of that, we reckon that an increasing number of authorities may have noticed by now that they won't get very far by submitting incorrect or unlawful requests.

Lawful interception is possible again

Previously, the legal basis for any telecommunications surveillance measures was the German Telecommunications Act (TKG), plus some special regulations for customs enforcement and the intelligence services. However, a ruling by the German Federal Constitutional Court put into question whether communications handled by e-mail providers actually fall within the scope of that legislation. mailbox.org had therefore temporarily suspended the processing of any surveillance requests that cited the Telecommunications Act as a justification.

However, an amendment to the TKG was enacted on 1 December 2021 and according to this, e-mail providers such as mailbox.org are currently subject to TKG legislation. As a consequence, the TKG has once again become a legal basis for authorities requesting telecommunications surveillance measures.

As part of the legislative process, mailbox.org CEO Peer Heinlein had been invited as an expert to contribute to the work of the relevant parliamentary committee. Last year, he published a comprehensive statement criticising the proposed changes to the law. However, these were eventually pushed through by the government regardless.

In 2021, we were ordered to put in place surveillance measures based on the TKG four times.

Fax more popular than e-mail

Surprisingly, more than half of all enquiries in 2021 reached us by fax, which indicates that this technology is still popular with many authorities. Unfortunately, the majority of e-mails that we received from the authorities in 2021 were sent unencrypted, which is not appropriate considering that these usually contain personal information about suspects, and sometimes even sensitive details about the investigation.

In 2017, the German Federal Network Agency mandated e-mail providers like mailbox.org to offer secure interfaces, through which the authorities can make data queries. This includes support for e-mails encrypted with PGP. However, the authorities are too slow to adopt these standards, many do not use secure communication, and their staff is often not sensitised to issues of data protection and security.

Overview: The requests of 2021 and 2020 compared

  • The total number of requests fell by almost a quarter
  • 84.6 % of all requests were made correctly (2020: 49.4 %)
  • Most requests were received by fax message

Read the transparency report of 2020 ->

Requests sent to mailbox.org in the year 2020

Total number of requests: 65
From German authorities: 62
From foreign non-EU authorities: 3

Organisations
Criminal investigative authorities: 65
Customs authorities: 0
Intelligence services: 0

Request type
Contact data requests: 61
Inbox confiscations: 0
Traffic data requests: 0
Telecommunications interceptions: 4

Our reports from previous years can be found in the section transparency reports.

How we deal with requests

mailbox.org follows a standardised process when dealing with requests for information from official authorities. Each request will be comprehensively reviewed and assessed by our data protection officer and a lawyer, and then either processed or rejected accordingly. When a request gets rejected, the submitting authority may correct any errors and then resubmit for another review. Data will only be released by us if a related request is actually lawful and formally correct.

Data that authorities may be interested in

  1. Contact data: This includes the name, address and phone number of the account holder, as well as details about their contract with us.
  2. E-mail data: Access to all e-mails currently held in an account's mailbox.
  3. Traffic data: The IP addresses associated with mail server logins when fetching, reading, or sending e-mails.
  4. Telecommunications interception data: Obtained through the permanent surveillance of all ongoing e-mail communication of an account.