If you live in a five eyes country and are looking at this, the takeaway is that while Germany has strict privacy laws, it also has stricter rules around investigations. General protections are better than the US (e.g. GDPR) but individual protections are probably worse. Court orders to raid datacentres are ridiculously easy to get, and the BND can do more or less what it wants as long as it doesn’t upset too many people. The courts don’t even always have to be in the same state to mess with your life. I had friends in Heidelberg once prohibited from talking about things at a conference in London by a court in Hamburg because it would upset a company in the US. It’s stupid.
As a place for Internet privacy, Germany is slightly better than France (where courts and the intelligence community have similar powers, but laws are even more stupid). If you’re American and your box is in Germany because it services Europe or because it’s cheap, crack on. If it’s in Germany because you believe it’ll protect you from the NSA… well, it won’t really.
I’m not sure what the connection here is, or perhaps as I misunderstood one of the parent posts? A court in Hamburg (a German state) can mess up with German citizens from another German state (Heidelberg is Baden-Württemberg) and prohibit them, at least in the legal sense, from saying something – in London on otherwise – because German law is like that. They could prohibit them (again, in the legal sense) from saying something at a conference anywhere.
Sure, here’s a writeup and a (I think) neutered version of the paper.
Basically FireEye had a shit-ton of open source software in a product they rebadged as their own proprietary code, I believe may have included things like Qemu being rebadged as a proprietary hypervisor. They took ERNW to a court in Hamburg at the last minute to stop their researcher from discussing the vulnerabilities on the grounds of erm… trade secrets. Because the ERNW guys live in Germany, court orders in Hamburg apply in Baden-Württemberg regardless of where the saying something may take place, as @x64k said.
From what I understand in the US it’s a lot easier to force providers to keep such actions secret (see canary statements), often making it harder or even impassible to take legal action.
The US has absolute rights in certain spaces (for example freedom of speech) that Germany does not, or at least has in a more nuanced rather than absolute manner. I’m not including covert stuff because both countries do what they want in that space largely regardless of any aforementioned rights.
I am not sure, if we are talking about the same thing here. I did not mean things that happen outside the law. To the best of my knowledge there is no equivalent to gag orders in Germany, but there in the US there are National Security Letters.
Really just talking about situations where your servers are raided by the police.
We can also talk about Freedom of Speech at large, because I do not think it’s absolute in the US. There are exceptions, like obscenity law and there is certain “caged” zones, free speech zones. But that’s really not the topic I meant.
Please tell me, if I am misunderstanding something, but this is effectively is a new protocol, so unless it gets widely implemented in MTAs/MUAs/OSs and therefor you maybe have some kind of silent migration happening it’s just yet another “secure messaging app”.
Certainly not. This was merely in response to the question on what’s holding it up. Implementations probably. Especially with mail software that is quite stable over decades it might be hard to introduce something like this without providing a finished, stable, reviewed, probably personally used in production, implementation as a proponent.
Would love to see something that manages to “silently” replaces it without the end users really noticing. Kind of what IPv6 is currently doing. Just would be nice to have it go more quickly than that. ;)
Silently is unlikely, thanks to the fundamental differences in design, and it would also be bad. With DIME, no mail is ever sent without e2e; A silent replacement would negate this advantage.
I would never make use of another internet service based in Germany.
I had a VPS with Nexus Bytes in Germany. The drive that it was on was seized by the German authorities – and all of the innocent parties lost their servers along with whoever had committed an offence. They never even contacted the server admin. According to him, when clients filed service requests he had the server checked, only to learn that the hard drives had been taken.
I’m self-hosting at home now. It’s probably the best idea anyways.
People in replies seem to be panicking and changing locations or providers, but I feel like your case is more of an exception than anything. I’ve been hosting a lot in several servers located in Germany for the past several years, all of them hosted at half a dozen (small and large) providers, and I’ve had absolutely zero issues involving anything like that.
Besides, if someone can dive in and take out drives without your server admin noticing or being informed by datacenter staff… you have bigger issues.
Super-cheap service. Back it up yourself. I had a bash-scripted backup of my files and configs, but I hadn’t done one for a bit. That part’s my fault. I can’t say how others were impacted, but judging from the admin’s response, he was dealing with a number of tickets.
It might depend on how the provider had backup strategy set up – if backups or redundant servers/drives also included the offending material[1] that was the cause of seizure then those also had to be taken by the authorities.
[1] because for example they backup the whole machine “all in one go” and store it together for all clients using VMs on this host - which is probably the easiest to set up.
I live in this fantasy world where people use HA clusters, so that you could remove a server or two without any issues for the VMs running on them. But I guess you get what you pay for…
That doesn’t look so clean in reality I think - when the police knocks, they don’t have procedures that says - ask nicely and give time for a graceful transition/shutdown - their job is to secure the illegal material and that’s what they do and at least in some instances it is not that they take just the hard disks out - they can even take servers, the more the merrier, so it may even include the whole ha-cluster if present (in most instances I guess policeman is not a trained IT engineer to know where those illegal activities are or are not performed).
The translation provided by Google is really good. I wanted to translate it for Lobste.rs, but I couldn’t have done it better myself. To be honest, I was surprised about the quality of the translation. This is on the level of a skilled native speaker (of both languages).
I’m not sure I can agree with that assessment, the language used in the translation is very peculiar, it’s pretty clear to a native speaker that it’s an automatic translation.
It’s certainly not perfect, but a lot of the time when a non-professional translator translates stuff, the results tend to be less-than-perfect too. I notice this myself too when I translate stuff from Dutch to English or vice versa – it seems the brain has to “context switch” all the time between the languages, leading to some rather curious results. For decent results I need to come back to it an hour later and copy-edit the lot extensively, and it’s not uncommon I find that I accidentally used words in the wrong language (especially words like “the”, “a”, etc.)
Tutanota wants to file a complaint against the decision, but this has no suspensive effect. “We therefore had to start developing the monitoring function”, a spokeswoman told c’t in mid-November. If the complaint is successful, the function will not be activated or removed again.
(my emphasis).
I mean, the gist of this is that Tutanota plans to appeal, but they will have to abide with the court’s decision until the appeal is successful. I read the last sentence as “if the appeal is successful, the monitoring function will be removed”, but the machine translation is ambiguous.
My crappy B1 German skills read the section in question more as
Tutanota wants to appeal the decision, however this has no suspending effect [on the judgement]. “We still had to develop the surveillance mechanism” explained a spokeswoman in the middle of November to c’t [the publication]. Should the appeal be successful, one would not activate the function [which must nevertheless be implemented in the mean time], or, more specifically, the function would be removed once again [if it is developed fully and deployed as required before the appeal decision].
I feel like we are pushed to use E2E encryptions mechanisms that are independent of the provider (such as GPG). It is a bit sad because not everybody wants to learn/use such tools, especially non-tech-savvy people who need privacy as a fundamental right as well.
Guess running my own mail server seems like it makes more and more sense. What is left, Protonmail or using PGP and assuming everything is being read? These are the options left in my mind. Signal is what I use for all comms that need to be encrypted and ephemeral anyway.
Off topic: Does anyone know of a good general history regarding the Basic Law for the Federal Republic of Germany? I’ve read about post-war Japan’s occupation and the makings of their current Constitution. I’m basically looking for a book much like this one but about post-war Germany. Thanks in advance!
Dower’s book is great. I don’t know of an equivalent on the occupation of Germany, which is so much more complicated, given that there were four occupation zones and Cold War issues that must make the reverse course in Japan seem simple. There appears to be a fairly decent bibliography in this Wikipedia article.
In any case, like rjpcasalino, I’d be interested in recommendations too!
If you live in a five eyes country and are looking at this, the takeaway is that while Germany has strict privacy laws, it also has stricter rules around investigations. General protections are better than the US (e.g. GDPR) but individual protections are probably worse. Court orders to raid datacentres are ridiculously easy to get, and the BND can do more or less what it wants as long as it doesn’t upset too many people. The courts don’t even always have to be in the same state to mess with your life. I had friends in Heidelberg once prohibited from talking about things at a conference in London by a court in Hamburg because it would upset a company in the US. It’s stupid.
As a place for Internet privacy, Germany is slightly better than France (where courts and the intelligence community have similar powers, but laws are even more stupid). If you’re American and your box is in Germany because it services Europe or because it’s cheap, crack on. If it’s in Germany because you believe it’ll protect you from the NSA… well, it won’t really.
Germany is a mighty state indeed to have legal power over people in London.
Hence, Brexit ;)
I’m not sure what the connection here is, or perhaps as I misunderstood one of the parent posts? A court in Hamburg (a German state) can mess up with German citizens from another German state (Heidelberg is Baden-Württemberg) and prohibit them, at least in the legal sense, from saying something – in London on otherwise – because German law is like that. They could prohibit them (again, in the legal sense) from saying something at a conference anywhere.
On behalf of an American company. You’ll have to drag in international relationships too…
Edit I feel we’re missing a lot of context here. @stevelord, do you have links with more info?
Sure, here’s a writeup and a (I think) neutered version of the paper.
Basically FireEye had a shit-ton of open source software in a product they rebadged as their own proprietary code, I believe may have included things like Qemu being rebadged as a proprietary hypervisor. They took ERNW to a court in Hamburg at the last minute to stop their researcher from discussing the vulnerabilities on the grounds of erm… trade secrets. Because the ERNW guys live in Germany, court orders in Hamburg apply in Baden-Württemberg regardless of where the saying something may take place, as @x64k said.
Thanks for taking the time for follow up, I appreciate it!
Nitpick but Hamburg would be the mighty state in this instance. Germany is a country.
But you left out am important part of the quote:
I was gonna nitpick your nitpick until I learned that Hamburg is indeed its own state under the BRD. Being an ancient Hansestadt has its privileges.
What do you base this assumption on?
From what I understand in the US it’s a lot easier to force providers to keep such actions secret (see canary statements), often making it harder or even impassible to take legal action.
The US has absolute rights in certain spaces (for example freedom of speech) that Germany does not, or at least has in a more nuanced rather than absolute manner. I’m not including covert stuff because both countries do what they want in that space largely regardless of any aforementioned rights.
I am not sure, if we are talking about the same thing here. I did not mean things that happen outside the law. To the best of my knowledge there is no equivalent to gag orders in Germany, but there in the US there are National Security Letters.
Really just talking about situations where your servers are raided by the police.
We can also talk about Freedom of Speech at large, because I do not think it’s absolute in the US. There are exceptions, like obscenity law and there is certain “caged” zones, free speech zones. But that’s really not the topic I meant.
Makes me wonder what’s holding DIME up.
It is about time for privacy (in the form of encryption) to be baked into the protocol. SMTP is an anachronism.
This is interesting.
Please tell me, if I am misunderstanding something, but this is effectively is a new protocol, so unless it gets widely implemented in MTAs/MUAs/OSs and therefor you maybe have some kind of silent migration happening it’s just yet another “secure messaging app”.
It is indeed a new protocol, and it would of course need software support. This doesn’t mean we should give up at the starting line.
Certainly not. This was merely in response to the question on what’s holding it up. Implementations probably. Especially with mail software that is quite stable over decades it might be hard to introduce something like this without providing a finished, stable, reviewed, probably personally used in production, implementation as a proponent.
Would love to see something that manages to “silently” replaces it without the end users really noticing. Kind of what IPv6 is currently doing. Just would be nice to have it go more quickly than that. ;)
Silently is unlikely, thanks to the fundamental differences in design, and it would also be bad. With DIME, no mail is ever sent without e2e; A silent replacement would negate this advantage.
Time to think about closing my tutanota account, I guess.
I would never make use of another internet service based in Germany.
I had a VPS with Nexus Bytes in Germany. The drive that it was on was seized by the German authorities – and all of the innocent parties lost their servers along with whoever had committed an offence. They never even contacted the server admin. According to him, when clients filed service requests he had the server checked, only to learn that the hard drives had been taken.
I’m self-hosting at home now. It’s probably the best idea anyways.
People in replies seem to be panicking and changing locations or providers, but I feel like your case is more of an exception than anything. I’ve been hosting a lot in several servers located in Germany for the past several years, all of them hosted at half a dozen (small and large) providers, and I’ve had absolutely zero issues involving anything like that.
Besides, if someone can dive in and take out drives without your server admin noticing or being informed by datacenter staff… you have bigger issues.
You’re quite right.
My initial reaction in this thread was, I admit, quite an overreaction.
Not only that, but I am too busy (lazy) to change my box’s location at the moment, but I no longer feel like it’s an urgent issue.
The Linode box my site runs on is located in Germany. Will be changing locations ASAP.
wait what. No redundancy?
Super-cheap service. Back it up yourself. I had a bash-scripted backup of my files and configs, but I hadn’t done one for a bit. That part’s my fault. I can’t say how others were impacted, but judging from the admin’s response, he was dealing with a number of tickets.
It might depend on how the provider had backup strategy set up – if backups or redundant servers/drives also included the offending material[1] that was the cause of seizure then those also had to be taken by the authorities.
[1] because for example they backup the whole machine “all in one go” and store it together for all clients using VMs on this host - which is probably the easiest to set up.
I live in this fantasy world where people use HA clusters, so that you could remove a server or two without any issues for the VMs running on them. But I guess you get what you pay for…
That doesn’t look so clean in reality I think - when the police knocks, they don’t have procedures that says - ask nicely and give time for a graceful transition/shutdown - their job is to secure the illegal material and that’s what they do and at least in some instances it is not that they take just the hard disks out - they can even take servers, the more the merrier, so it may even include the whole ha-cluster if present (in most instances I guess policeman is not a trained IT engineer to know where those illegal activities are or are not performed).
Google Translate link:
https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fwww.heise.de%2Fnews%2FGericht-zwingt-Mailprovider-Tutanota-zu-Ueberwachungsfunktion-4972460.html
The translation provided by Google is really good. I wanted to translate it for Lobste.rs, but I couldn’t have done it better myself. To be honest, I was surprised about the quality of the translation. This is on the level of a skilled native speaker (of both languages).
I’m not sure I can agree with that assessment, the language used in the translation is very peculiar, it’s pretty clear to a native speaker that it’s an automatic translation.
It’s certainly not perfect, but a lot of the time when a non-professional translator translates stuff, the results tend to be less-than-perfect too. I notice this myself too when I translate stuff from Dutch to English or vice versa – it seems the brain has to “context switch” all the time between the languages, leading to some rather curious results. For decent results I need to come back to it an hour later and copy-edit the lot extensively, and it’s not uncommon I find that I accidentally used words in the wrong language (especially words like “the”, “a”, etc.)
Really?
(my emphasis).
I mean, the gist of this is that Tutanota plans to appeal, but they will have to abide with the court’s decision until the appeal is successful. I read the last sentence as “if the appeal is successful, the monitoring function will be removed”, but the machine translation is ambiguous.
My crappy B1 German skills read the section in question more as
I feel like we are pushed to use E2E encryptions mechanisms that are independent of the provider (such as GPG). It is a bit sad because not everybody wants to learn/use such tools, especially non-tech-savvy people who need privacy as a fundamental right as well.
Guess running my own mail server seems like it makes more and more sense. What is left, Protonmail or using PGP and assuming everything is being read? These are the options left in my mind. Signal is what I use for all comms that need to be encrypted and ephemeral anyway.
Off topic: Does anyone know of a good general history regarding the Basic Law for the Federal Republic of Germany? I’ve read about post-war Japan’s occupation and the makings of their current Constitution. I’m basically looking for a book much like this one but about post-war Germany. Thanks in advance!
Dower’s book is great. I don’t know of an equivalent on the occupation of Germany, which is so much more complicated, given that there were four occupation zones and Cold War issues that must make the reverse course in Japan seem simple. There appears to be a fairly decent bibliography in this Wikipedia article.
In any case, like rjpcasalino, I’d be interested in recommendations too!