German email provider mailbox.org rejected approximately 25% of data requests from authorities in , according to the company’s recently published transparency report. The rejections largely stemmed from authorities failing to adhere to data protection regulations, specifically regarding encrypted transmission of requests.
mailbox.org, which positions itself as a provider of secure digital communication, publishes an annual transparency report detailing the nature and scope of governmental requests for user data. The report indicates a continued decline in the overall number of requests received, mirroring a trend observed in the previous year. The company received a total of 74 requests in , down from prior periods.
The majority of requests, as in , were submitted via email, and mailbox.org emphasizes that these were expected to be encrypted using PGP. However, a significant portion failed to meet this standard. According to Balint Gyemant, Chief Product Officer of mailbox.org, the company consistently rejects requests that do not comply with legal requirements. “Even for information requests by authorities, we adhere to the strict guidelines of the Federal Network Agency, which state that requests must be made encrypted,” Gyemant stated.
In , 15 instances involved authorities correcting unencrypted requests after being notified of the deficiency. This resulted in mailbox.org ultimately fulfilling 56 requests. However, 18 requests remained uncorrected and were subsequently rejected. The primary reason for rejection continues to be the lack of encryption during transmission.
The company employs a standardized process for handling and responding to requests from law enforcement and intelligence agencies. Each request undergoes a thorough review by both a data protection officer and legal counsel to ensure compliance with applicable laws. If a request is deemed legally sound, it is processed; otherwise, it is rejected. Authorities have the option to rectify deficient requests and resubmit them.
Of the 63 requests received via email, 27 were transmitted unencrypted. An additional six were deemed unlawful for other reasons, while five were submitted via traditional mail. Gyemant noted a positive development: “It is pleasing that in , for the first time, no requests reached us by fax. This was still the case until , even though information requests by fax have actually been prohibited since .”
The vast majority of requests originated from German authorities, with only three coming from other European Union member states and one from outside the EU. 72 requests were related to criminal investigations, while two were submitted by intelligence services. The most common type of data sought was subscriber data – including phone numbers, names, addresses, and contract details. Only two requests sought the seizure of a complete mailbox.
Notably, mailbox.org did not receive any requests for traffic data analysis (such as IP addresses used to log into the mail server or send emails) or for telecommunications surveillance in .
The transparency report from mailbox.org comes amid increasing scrutiny of data privacy and government access to user information. Similar reports from other privacy-focused email providers, such as Posteo, have revealed comparable trends, with a significant number of requests being rejected due to formal deficiencies, as reported by Heise Online. This suggests a broader issue of authorities struggling to comply with data protection regulations when seeking information from these providers.
The findings highlight the importance of encryption and adherence to legal standards in protecting user data, even when responding to legitimate law enforcement requests. Mailbox.org’s commitment to rejecting non-compliant requests underscores its focus on data privacy and its willingness to challenge authorities when necessary. The company’s stance is likely to resonate with users concerned about government surveillance and the protection of their digital communications.
