mailbox.org transparency report 2022: 25.4% of initial requests were inadmissible

In our transparency report, we disclose the type and scope of requests for information that mailbox.org has received from public authorities. In the previous year 2022, the total number of requests has decreased the second year in a row. However, more than a quarter of all initial requests had errors.

A total of 14 out of the 55 requests we received by public authorities in 2022 were rejected because of errors that made them legally inadmissible. Seven of these requests were subsequently resubmitted in correct form and processed accordingly. The other seven requests were rejected. Compared to the previous year, the proportion of unlawful requests that were ultimately rejected did increase slightly: from 9.2% in 2021 to 12.7% in 2022.

Finally: No more unencrypted requests

2022 was the last year in which we had to accept requests through unencrypted means such as fax or e-mails in plain text. These accounted for a considerable 61.8 % of all the requests sent to us in 2022. While the German Federal Network Agency has required providers like mailbox.org to maintain a secure data interface since 2017, investigating authorities were only mandated to use “secure” data transmission from 2023 onward.

Consequently, starting from 2023, we will only respond to requests for information that are transmitted to us over adequate secure channels (PGP e-mail or letter mail).

“It is good to see that finally, more and more investigating authorities now support the “E-Mail-ESB” mechanism (PGP-encrypted transmission of requests), as required by the German Federal Network Agency. For over four years, providers like us have been obliged to use “secure” channels for data transmission, and we have been supporting this requirement right from the start. However, until now there was no binding requirement for any investigating authorities to do the same, and many continued to send requests unencrypted over the Internet, even though these requests may have contained highly sensitive data.

In late 2021, the Federal Network Agency ruled that requests for information must be sent entirely through “secure” channels, which now also includes the investigating authorities communicating to providers. Secure channels means encrypted e-mail or letter mail. Fax, which had been widely used until recently, is no longer considered “secure”. There was a grace period covering 2022 but starting at the beginning of this year, the requirements have been in force without exception, at last. We welcome this (late) development, as any user data subject to those requests will now be protected during transmission.”
Peer Hartleben, Data Protection Officer at mailbox.org

A brief comparison to the year before

1. The total number of requests has decreased from 65 (2021) to 55 (2022).
2. 74.6% of all requests were formally correct, compared to 84.6% in 2021.
3. Most of the requests were received as a plain-text email.

Requests sent to mailbox.org in the year 2022

Total number of requests: 55
From German authorities: 51
From foreign authorities: 1
From foreign non-EU authorities: 3

Organisations
Criminal investigative authorities: 55
Customs authorities: 0
Intelligence services: 0

Request type
Contact data requests: 49
Inbox confiscations: 1
Traffic data requests: 0
Telecommunications interceptions: 5

Our reports from previous years can be found in the section transparency reports.