mailbox.org transparency report 2022: 25.4% of initial requests were inadmissible
In our transparency report, we disclose the type and scope of requests for information that mailbox.org has received from public authorities. In the previous year 2022, the total number of requests has decreased the second year in a row. However, more than a quarter of all initial requests had errors.
A total of 14 out of the 55 requests we received by public authorities in 2022 were rejected because of errors that made them legally inadmissible. Seven of these requests were subsequently resubmitted in correct form and processed accordingly. The other seven requests were rejected. Compared to the previous year, the proportion of unlawful requests that were ultimately rejected did increase slightly: from 9.2% in 2021 to 12.7% in 2022.
Finally: No more unencrypted requests
2022 was the last year in which we had to accept requests through unencrypted means such as fax or e-mails in plain text. These accounted for a considerable 61.8 % of all the requests sent to us in 2022. While the German Federal Network Agency has required providers like mailbox.org to maintain a secure data interface since 2017, investigating authorities were only mandated to use “secure” data transmission from 2023 onward.
Consequently, starting from 2023, we will only respond to requests for information that are transmitted to us over adequate secure channels (PGP e-mail or letter mail).
“It is good to see that finally, more and more investigating authorities now support the “E-Mail-ESB” mechanism (PGP-encrypted transmission of requests), as required by the German Federal Network Agency. For over four years, providers like us have been obliged to use “secure” channels for data transmission, and we have been supporting this requirement right from the start. However, until now there was no binding requirement for any investigating authorities to do the same, and many continued to send requests unencrypted over the Internet, even though these requests may have contained highly sensitive data.
In late 2021, the Federal Network Agency ruled that requests for information must be sent entirely through “secure” channels, which now also includes the investigating authorities communicating to providers. Secure channels means encrypted e-mail or letter mail. Fax, which had been widely used until recently, is no longer considered “secure”. There was a grace period covering 2022 but starting at the beginning of this year, the requirements have been in force without exception, at last. We welcome this (late) development, as any user data subject to those requests will now be protected during transmission.”
Peer Hartleben, Data Protection Officer at mailbox.org
A brief comparison to the year before
- The total number of requests has decreased from 65 (2021) to 55 (2022).
- 74.6% of all requests were formally correct, compared to 84.6% in 2021.
- Most of the requests were received as a plain-text email.
Requests sent to mailbox.org in the year 2022
Total number of requests: 55
From German authorities: 51
From foreign authorities: 1
From foreign non-EU authorities: 3
Criminal investigative authorities: 55
Customs authorities: 0
Intelligence services: 0
Contact data requests: 49
Inbox confiscations: 1
Traffic data requests: 0
Telecommunications interceptions: 5
Our reports from previous years can be found in the section transparency reports.
mailbox.org follows a standardised process when dealing with requests for information from official authorities. Each request will be comprehensively reviewed and assessed by our data protection officer and a lawyer, and then either processed or rejected accordingly. When a request gets rejected, the submitting authority may correct any errors and then resubmit for another review. Data will only be released by us if a related request is actually lawful and formally correct.
- Contact data: This includes the name, address and phone number of the account holder, as well as details about their contract with us.
- E-mail data: Access to all e-mails currently held in an account's mailbox.
- Traffic data: The IP addresses associated with mail server logins when fetching, reading, or sending e-mails.
- Telecommunications interception data: Obtained through the permanent surveillance of all ongoing e-mail communication of an account.