Don't use any of these email providers. First up, they are not trustworthy, especially Deutsche Telekom. DT is the privatised former state-owned telco monopolist, with a gigantic share of userbase and partial ownership by the German federal state. Most likely, every intelligence agency, domestic or foreign, that is operating in Germany with sanction of the government will have access to anything on their servers.
Also there is Quellen-TKÜ, which means that every single one of the three gives access to their servers to German law enforcement. If I remember correctly, the Quellen-TKÜ law says that any online service provider that has more than X users (10k?) has to provide access to law enforcement in such a way that the provider operators themselves don't know about the individuall access operations.
That isn't the point is it? The step forward here is that the comumunications between these providers is now encrypted by default and foreign entities such as the NSA will now have a harder job to do traffic and content analysis on German emails being sent to and from German nationals.
I don't have a problem with a German judge in a German court, granting a search warrant with reasonable grounds where all checks and balances are in place. I do have a problem with secret courts with secret laws and gag orders hiding this kind of thing from the public.
If foreign intelligence agencies are allegedly granted unhindered access to their servers then I see that as a scandal. Have you got any evidence to back up that claim?
In principle I agree with you and I think you are right considering what the police is allowed to do and what not. As far as I know, a judge still needs to sign a warrant for the police to do anything.
I would be really surprised if the BND wasn't using that same access infrastructure (admittedly as supposition on my part). Combined with the story on how the BND protects our data by removing email addresses that end on .de, this again becomes worst case-ish. Now this is only metadata, but at least in the case of email, processing the metadata means having parsed the message. Since the infrastructure is supposed to be set up in such a way that they get it from the server of the provider, encrypting the communication with said provider is kind of useless, at least in regard to the NSA.
I'd also like to add that your comment makes an important point. Most people, including me, are quite OK with law enforcement operating under the rule of law within clear boundaries in this realm. But how do we get the intelligence community from hitchhiking on the law enforcement infrastructure?
Google encrypts their email by default when exchanging with the majority of email providers (including, presumably, the German ones mentioned here, as long as they already support TLS).
Likewise even German law permits surveillance on foreign communications (see the "BND Section" of their legal code).
What this here is, is marketing. Not that it's bad marketing, but it doesn't solve any of the real issues.
The point here isn't that ANY government can't listen on. That's a noble goal but so not achievable in a short period of time for everyone. The goal here is that German citizen isn't spied on by the US government because the US government has shown utter lack of respect to rights of anyone who isn't a US citizen. The point here is that if your own democratic government is spying on you, you have some (albeit limited) degree of control (elections) and rights (because you're voter, so they care about you). When a foreign government spies on you, you have almost zero control.
And Germany has, currently and historically, shown an utter contempt for the rights of it's citizens, far moreso than the current US crisis. Germany talks a good game with their data privacy laws, but those only affect citizens data being collected by corporations; They've dramatically increased their data collection laws[1], and while some have been found unconstitutional (Look up the Telecommunications Databank opinion), they've quickly been reworded and re-enacted[2].
Because of German data seizure laws, they believe they can request any data about or belonging to any German citizen without a warrant, so long as that data resides in Germany. At least one large cloud provider has German datacenters, but will not use them for storage of any German citizens data because of this.
> The goal here is that German citizen isn't spied on by the US government because
... and what they actually achieve is that german citizens are spied on by the BND, which forwards everything to the NSA.
And no, you have no democratic control over this in Germany because the german government is a corrupt bunch of liars too. At every Snowden leak regarding the BND/NSA cooperation, they changed their fairy tales a little bit.
Indeed. But it is important to note that any data collected by German intelligence agencies will be made available to other intelligence agencies, including the US ones, due to cooperation agreements in place. Unfortunately, some of these cooperation agreements are inherited from the immediate postwar history and it remains unclear whether they even can be modified or revoked.
Second this. Internationals might think this sounds like some case of german quality engineering. Not. "All encrption done by the providers." says it all. It's a farce.
And I have to agree to some people in this thread, that germany IT engineering lacks behind a lot. Either our tech education is as bad as I think it is, or I don't know what. But this whole de-mail thing started as an initiative by the postal service to develop a "e-post-brief" aiming to be an official/secure/non-deniable electronic postal service. Which is ridiculous.
I think the technical right thing to do (safe, anonymous communication) is just not what any state would want. It doesn't help consumerism and it doesn't protect the ruling social norms so why would a state fund it?
What they claim to do is basically what everybody is already doing. SSL between email servers can be considered standard, as well as SSL or at least StartTLS between client and server.
De-Mail is another thing which was introduced some years ago now. In short: Messages are encrypted on the client side, then decrypted on the server, then again encrypted and sent to the recipient where it is decrypted again...Imagine your post-office opening you mail before forwarding it to the recipient.
Along with some other things no sane person would ever suggest to do with email, De-Mail is a complete farce...
TL;DR: I'm from Germany, and my opinion is that this is the most brutal kind of PR bullshit you can get...
Still better than having all your data traffic piped to the NSA. Don't forget that this pipe is behind the SSL-Wall of Google. Being from Germany too, I'm seriously considering to move my mail account from GMail to Web.de. Already started moving my private Docs away from Google.
I like Google services and even before Snowden I was aware of the fact that international communication is watched by Secret agency. But really, why do they keep track of everything?
Der Spiegel reported that Germany collaborated with the US very, very closely and even use XKeyScore. [1]
"The Americans provided the BfV with one of their most productive spying tools, a system called "XKeyscore." It's the same surveillance program that the NSA uses to capture a large share of the up to 500 million data sets from Germany, to which it has access each month, according to internal documents seen and reported on by SPIEGEL on the first of this month."
Snake oil. Election day is coming, the conservative idiots in charge want some good press. The german interpretation of e-Mail (de-Mail) is utter bullshit. Encrypted e-Mail that is decrypted multiple times on its way, of course that will prevent the Government from reading my mail. NOT.
It seems that there are enough idiots in the world who are willing to reelect that treacherous pile of smelly shit impersonating a federal government at the moment.
I don't see what a bunch of corporate entities have to do within election campaign. This is a response the the German publics concern that a foreign government is doing content analysis on emails within Germany. This makes it harder for the spooks down in Ramstein to analyse the traffic flowing between German consumers and German corporations, which is a damn good thing. This spying might also be (mis)used for corporate espionage as well.
It isn't going to stop a German police warrant or BND investigation requiring these companies to hand over your emails, and the EU data retention polices are still in place, but it does stop the foreign spooks sticking their noses in where it isn't wanted. DE-MAIL, is as you say, bullshit, but that isn't why this is really about.
I know that from my GMX account I can email someone on a Web.de account, and even if the Internet decides to route my email over the Atlantic first or through Frankfurt where I hazard a guess the NSA will be doing they optical splitting, it doesn't matter.
If they want to read my emails they have to brute force that or have a copy of the keys.
This is a small, but great step forward in my opinion.
Maybe I'm missing something, but .. what do you think is _new_ about this 'made in Germany' mails here?
Using TLS for smtp (which seems to be what you're referring to for the 'route over the Atlantic' thing)?
Using TLS for submission/the client? Every respectable site and certainly every web mail client that isn't utterly broken offers https / TLS already.
I see nothing but a stupid media campaign and fishing for scared and clueless end users that read about this in their favorite tabloid. A.k.a. the BILD/Computer BILD target crowd.
> " For security reasons, from the beginning of 2014 the initiative partners will only transport SSL-encrypted e-mails to ensure that data traffic over all of their transmission paths is secure."
That's the most significant part of this announcement-- it means there's finally a push to phase out plaintext email transport, which allows passive surveillance to intercept mail.
It's better to be subject to just your government instead of both your government and the self-proclaimed world police. The US terror machine needs to be avoided at all costs as it's the greatest threat to peace and freedom worldwide.
I am not saying that this specific service is good for the privacy of their users. I am saying that this move, phasing out non-SSL email, will _force_ the rest of the world to add SSL to outgoing email connections, thereby protecting all email worldwide from passive interception.
Right now, I think about 75% of email traffic is encrypted between sender and recipient, so this would protect that remaining 25%. (Percentages _greatly_ dependent on who and where you measure.)
I agree with that view. I think this is largely a bit of opportunist advertising, but also that this specific measure is actually useful. Like with more companies moving towards HTTPS-by-default, it's useful in cutting down the number of places where things can be easily intercepted. Even cutting down the number of places where non-government parties can intercept something is useful, because: 1) that's in itself good for privacy; and 2) non-government parties are a major source of government information, because some of them voluntarily turn over or sell the information to governments, and others end up being forced to hand it over.
If this was implemented correctly, it would keep non-German governments from being able to snoop on German emails. If Germany does not snoop on Germans without a warrant, this would actually be a good thing for Germans. If European has data protection laws that prohibit snooping on foreign people without a warrant, this would actually be a good thing for everyone.
A lot of ifs that need to be answered. But this could be a good thing.
Until the recent revelations about the NSA, we also believed (perhaps naively) that the U.S. had data protection laws that prohibited spying on citizens without a warrant. It may be just a matter of time before we find out that Germany has murky laws and secret courts that disregard fundamental legal principles just like the U.S. does, or that the German intelligence agencies work closely with the NSA. So if I really wanted secure e-mail, the only thing I could really trust at this point would be to encrypt my message on my own machine using a transparent, open source program like PGP. Once you rely on a third party to encrypt your e-mail for you (or even to provide you with encryption software), you're vulnerable to their being strong-armed by a government to give up your data.
> Until the recent revelations about the NSA, we also believed (perhaps naively) that the U.S. had data protection laws that prohibited spying on citizens without a warrant.
If people believed that email that a person didn't host themselves was protected, it was only because they were lazy and didn't so much as Google the laws in question.
The reason we keep telling you that the NSA behavior is probably legal isn't because we want it to be legal, it's because we want you to stop living in a fantasyland ;). Look at ECPA for instance, it's been around since 1986. CALEA has been around since 1994.
You are right in that this Telekom solution does not allow for truly secure communication. However, it does prevent men in the middle from snooping on your emails, which is a step in the right direction.
Are they seriously talking about enforcing TLS on all SMTP? That would break deliverability to a lot of servers, but would be pretty awesome. I assume it wouldn't actually check certs in any meaningful way, though, so only protecting from passive eavesdropping, but it's a big positive step.
I'm increasingly tempted to throw that switch myself, or at least start filtering all my non-TLS'd mail into a special mailbox of "figure out if I actually care if these people become unreachable in 6mo when I actually enforce TLS." Arguably it would be worse to accept the message and then bounce it, since you'd have received the text in the clear, but maybe log and send an informative-to-end-user rejection notice based on envelope, and to me?
Sadly, a client that refuses to attempt TLS negotiation will always leak the sender address of the message it wants to send you. This happens in many protocols when TLS is bolted on as an afterthought. We're actually worse off using the standardized TLS extension to SMTP here than we are with the non-standardized SSL: a connection to port 465, followed by immediate SSL negotiation won't leak anything to a passive eavesdropper.
This only gets you so far however. An active attacker can MITM the connection with ease, since there is no convention for how to verify an SMTP peer's certificate. I don't see this changing until DNSSEC is deployed in every domain you correspond with, and the peer's certificate is somehow authenticated with information from their DNS zone.
Aside: for a protocol that is designed even worse than SMTP with regards to leaking information over insecure channels, look at IMAP:
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
C: 0 login user@example hunter12
S: BAD [ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
S: 0 NO [PRIVACYREQUIRED] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
The stupid protocol design results in the client transmitting the user's credentials in plain text as soon as it connects to the server.
There was the IMAPS (separate port, ssl negotiation first) vs. IMAP + STARTTLS.
I'm also relatively ok with "only run imap (with tls) over a vpn, with the vpn having an endpoint on a network very close to the imap server, or on the imap server". Not really viable for SMTP inter-domain.
I wish Free S/WAN and the idea opportunistic encryption for IPSec hadn't failed to get OE widely deployed at the IP layer. Seeing who connects where, sizes of data flows back and forth, etc. would also leak information to a global passive observer, of course, but a lot less, and padding/cover traffic would be viable.
Privacy-Shrivacy Bollocks. Many here do not get the point. US having intimate information of a foreign populace is akin to having an extra weapon in their arsenal. In today's world data is the new gunpowder. If you have insight(I mean really really know) into what a foreign country would buy/sell you can have an upper hand in trade negotiations. This is not some prudish step to prevent Uncle Sam to look into your private details. This is all out cold war. Diplomats across the world are talking about one thing today: Nullifying the U.S advantage. I guess China foresaw it.
Foreign leaders woke up one day to find that the US now has deep spy penetration into their local populace.
Oops. Huge national security fail.
They haven’t said much publicly, but behind closed doors they're scrambling to figure out how to get their pants back up.
This is only the very beginning of a huge shift that most of the US is blind to or in denial about.
All around the world, in government offices and in business board rooms, leaders are trying to figure out how to get off the US cloud.
The US cloud has been compromised and that trust just isn't coming back.
The barrier now is not political will, but a lack of local tech talent that can build viable alternatives to the US cloud services.
Many countries are kicking themselves now for not growing/poaching tech talent more aggressively.
Interesting times when having good web developers is a big national security asset.
You'll see the more tech rich countries move first. It's no surprise Germany's a first mover here.
Of course, with any big disruption there will be winners and losers.
Who the losers will be is obvious - US cloud companies.
Sure, they'll still have the US market (which is huge), but international markets will start drying up.
Skeptical? Google is hearing a huge sucking sound of money evaporating from Germany right now. Google's so big, they may not notice a few million yet, but I assure you, they will notice eventually. Karmic justice for short-sightedness in not out-lobbying the big defense contractors in Congress.
The top contributing defense contractor (Northrop Grumman) only gave about $3 million last year. I'm sure they paid more than that for actual lobbyists, etc, but it's still not even petty cash at Google.
Of course, I don't mean to pick only on Google. There are many multi-multi-billion dollar cloud companies in the US that have been easily out-lobbied by the defense industry.
It would have been pennies compared to what they'll ultimately lose in the drying-up international markets.
So, who will be the winners? While security companies will see a boon, it's the open source companies that I think will see the biggest win.
With open, auditable code, countries can set up their own services. Of course, they'll need support and training and that's where the open source companies really shine.
It's important to remember that the goal for these countries will rarely be fool-proof privacy for each individual citizen. Instead, the goal is to prevent a foreign power from having deep intimate access to every detail of your populace.
Granted, many of these countries will use this transition to just spy on their own citizens. However, other countries will have a good functioning democracy and a citizenry that values privacy and will avoid those abuses.
For those countries that have robust protections and engender international trust, they'll have a big business advantage when it comes to foreign consumers.
"However, other countries will have a good functioning democracy and a citizenry that values privacy and will avoid those abuses."
Is this just wishful thinking or is there a specific functioning democratic government that should we all trust?
My opinion is that nobody should trust any government. Not fully at least. Not their own. Certainly not somebody else's. History has shown this to be a generally prudent position to take. I mean, why should I trust the German government more than the United States government? How about Norway or Kenya or Thailand?
I do not think there's some magical country that is about to have a big business advantage based on "trust" because their citizens value privacy (as if that were even measurable). Most likely, countries will just become a touch more insular with their technology, noting that it, like food production, is somewhat of a national security issue.
Consider trust as a spectrum instead of a boolean value.
For example, Switzerland's long run as THE place where you could put your money and have a high level of trust that it would be safe and it would be anonymous.
They've lost their reputation somewhat over the last few years, but what made it THE place where you could trust your money?
They had laws, a government, and a citizenry that valued those privacy protections. On top of that, they had centuries of history of adhering to those principles even in the face of consequences from foreign forces (except for travesties like their treatment of Jewish account holders).
I don't think many people trusted the Swiss absolutely 100%. It was a small country with little military power and lots of money - which made it vulnerable. However, it was the best alternative at the time if you wanted to store money relatively safely and anonymously.
It made the Swiss rich. It was highly lucrative to be THE place to store money.
It'll be interesting to see who becomes the Swiss equivalent for data privacy.
If it helps, you can think of hosting your email in Germany as simply restoring some of the rights that the US Constitution used to give you. The US most likely doesn't have unfettered access to the German mail servers. If the NSA wants your data, they would actually have to justify it to the Germans.
It would be far from perfect, but it could be a bit of a hack to restore some of your 4th amendment rights.
>If the NSA wants your data, they would actually have to justify it to the Germans.
does Germany still have "German bureaucracy" ? From my anecdotal experience with German business they seem to place huge value on the "correct" way of doing things.
We shouldn't ever trust our government, and we should absolutely never trust someone else's.
However, I trust the political system more in Germany than I do elsewhere. It is designed (ironically by the Allies) to be stable and multi-partisan. Germany is used to coalitions and party's such as the Piratenpartei and the Greens actually have a voice here. The votes count, every single one.
Every single one, except for those ending up with parties below 5%: Those poor fellows aren't considered at all, which means that they're handled like non-voters, even though they certainly expressed their intent.
A ranking vote mechanism would help matters (if your primary vote doesn't end up with a party >=5%, your secondary vote is considered instead, etc.), but that would make the system favor smaller parties: not going to happen.
I agree, there are actually bucket loads of smart people here, but there is one blocker, which is that whoever wants to build the next European cloud alternatives, has to do it in English first. Germans speak English well, but they have a different attitude to English than say the Dutch.
One other issue is funding. Germans don't much like risk. Startups are risky, and if German investors were able to stick their necks out a little further they could find a happy medium between the current risk adversity and the craziness that is SIlicon Valley.
In a week? Not even the US. Over a normal time frame? Two dudes from Stanford built Google.
Get over your America-centrism. The only reason the American Cloud hasn't been duplicated more extensively than it already has is that there's been no business reason to do so - it was cheaper to use what was there, much of which was in America, I'll grant you.
No, Europe is behind. I know, I work there. Maybe not so much in talent, but in a way to leverage it.
As hard as getting a H1B is, as bad as the SW patents are, it's there that Google, FB, etc grew. And not "in the US" but in tiny patches on the West and East coast.
Don't underestimate the power of vision and drive combined (not forgetting very good sources of financing). Also, Europe (yes, I'm talking about Germany, but this concern others as well) suffers from chronic bureaucracy, while the Europeans are still thinking about something in the US it was already prototyped and generating a revenue. Ireland is the safest from this, but has other issues.
Europe is absolutely behind, yes. (I live there.) But not for lack of talent.
I'm a pretty flaming liberal and I stand behind unionization of traditional industries 100% - when you get to the point of large capital against a large population of workers, I believe Europe's model is not bad and far better than the travesty we witness in America, where the government is solidly on the side of capital. But most of Europe is absolutely horrible for small business that isn't working with a very, very stable business model.
In other words, if I'm opening a metalworking shop in Swabia, everybody knows what I'm doing, and it's going to be enough just to turn out solid work and treat people fairly. My market is predictable, and when I hire people, it's fair to expect me to have to jump through some hoops to let them go, because they have a right to expect some stability in this well-understood market.
But if I'm trying out a new idea - Germany ain't the place to try that unless I can essentially do it by myself or with a couple of friends. Their incremental, stable business attitudes are great for hardware, bad for software (although there are small software companies there that really kick ass, of course - in my experience, often tools used in industry that can work on the same industrial business model).
Fast iteration and early fail is not something Germans excel at - individual Germans, sure; German society, no no no. And that's true to a lesser extent throughout Europe. But it's been a key to success in Silicon Valley. How that gets implemented, I'm not sure.
But in terms of getting Europe off the American cloud - this isn't a problem. The concept of the cloud has been proven (except for privacy/security issues, obviously), and so it's far less likely that a given iteration in that space will fail. It's a good setup for European companies in that sense.
And again, I want to stress that the problem is not a lack of talent and that anybody that thinks that a lack of talent is the problem is deluded.
I think the real reason is language. Europe does not share one language. There is no European media, no European public, hence creating a brand and reaching a lot of people is infinitely more difficult than in the US.
French consumers will learn about a German startup only if it gets picked up by the english speaking media (which may take years).
I think European startups should look to Isreal for a clue. Israeli startups don't have a home market to speak of so they go straight for the US market.
Language is one reason, yeah; I'm not sure how strong a reason it is overall.
You know one very serious problem? Shipping. Amazon can sit in California and send something cheap anywhere in the United States, but if I'm sitting in Hungary and want to buy something in Germany, it might literally be cheaper for me to just drive there and back to get it, depending on the item. That really carves up the market into minuscule chunks.
Someday soon, somebody is going to start offering low-cost shipping throughout Europe and they're going to end up billionaires.
So what you're saying is that only the United States is capable of building cloud infrastructure, until people go to other places to build it there, from the United States. And your face is still straight. You exemplify the very attitude that's killing the United States.
This first line is almost certainly false. I've only been paying attention to the German & Austrian news for the decade I've been living in Austria. However, for most of that time, reports that the Germans were both cooperating closely with American State Security agencies as well as running their own pervasive & intrusive espionage programs have been a recurring thing.
Even if all those reports are completely baseless, something I find wildly improbable, there's just no way to fairly describe anyone in a position of power as surprised... this has been a topic of discussion for far too long for that.
US Citizens have some (reasonable) expectation they won't be spied on without some cause. They may even get back to that situation eventually through legal challenges against the supra-legal shit going on.
The rest of us, well, we were always subject to this oversight and it won't change. We just didn't have our noses rubbed in it very often and US media don't give a damn. I expect Chinese companies are just as paranoid about data flowing through the US as the US are about their data being in China.
It's a timely reminder for us all. Remember that putting your data elsewhere doesn't mean anything if (a) it transits the US unencrypted or (b) the parent company is US owned.
Sure, but unlike foreign countries, the US gov't and most US businesses have little or no motivation to get off the US cloud.
There will be private citizens who care and a few companies, but I don't think it'll impact the internal US market much. If you're in the US it's probably more effective to pursue political action rather than boycotting US businesses.
They assume that you write your email on their web interface, to which you connect over https. and when they send your mail to anotjer server, they do so over a ssl encryption.
of course, if you use an email application, you can enable/disble ssl/tls if you wish to do so.
As many commenters here say, it isn't inherently more secure than a US-based service. It may be more socially secure, if the warrant system in Germany is more specific than our general system of warrants to spy on everyone foreign or domestic.
However, there's a good reason for German citizens to prefer German services: it takes money away from American service. Money is the only voice that will ever fix this.
So I ask every non-US citizen: please, take your money elsewhere. Please.
It seems like a noble move but as a german i know these companies pretty well and i am very sure they only do this to stop german users wandering off to non-german email providers like gmail. Its still a good thing of course, but dont think they do this because they feel its the right thing todo.
Heck, if they could they would even charge extra for it.
I have both gmail and GMX and to be honest if "the email made in Germany" will be the same as GMX I will gladly offer my data to NSA and stay with gmail.
In other words this whole debate about security will pass and 95% of people will forget or become ignorant so unless they create a service people actually want to use this is just a waste of money.
From my experience gmx totally don't get it and if you become their user they will eventually piss you off to the point when you will run towards NSA just to use something like gmail.
> Data are encrypted directly by the provider, which means customers need no specific technical know-how and incur no extra costs. All data are stored in secure data centers located in Germany.
Not sure how this is the solution. People need to learn how to do encryption themselves. For the average John Doe (or Hans Wurst :-)) there need to be tools to accomplish that without a degree in Math or CS.
I don't think provider-side encryption is a solution at all. Collecting vast amounts of meta data would still be possible.
Telekom has actually been selling their own cloud services with "German privacy laws/not hosted in the US" before the NSA stuff. It was a very noteable point of emphasis for them when selling to small/midsized corporations so I'm not surprised they are all over this.
They are a pretty crappy company in general (imo) but they got this right very early. And by got this right I mean that they are using it for marketing/sales. I mean yay SSL but German mail providers tend to be...meh
"I don't have a problem with a German judge in a German court, granting a search warrant with reasonable grounds where all checks and balances are in place. I do have a problem with secret courts with secret laws and gag orders hiding this kind of thing from the public."
Take it with a little salt anyways, there is always the possibility for American services to get Access on your Data for example if they had an Employee in any of the German companys.
They use us-based "cloud" anti virus scanner in this system. They decrypt it for scanning them. It's ridiculous stupid. No end-to-end encryption. Thats all marketing bullshit.
Think about it. In the "De-Mail" system are all sender verified. Thats means that i can kick spammer easily out. Why would they decrypt it for scanning? Bingo! Surveillance.
But this is just that what i think. I have written an comment on there blog and i'm exited what they say.
One very interesting tidbit - regardless that this is simply some PR stunt at exactly the right time - according to a renowned german news magazine Die Zeit, two of the founders of Narus, which helped develop the PRISM technology, are now working for the Deutsche Telekom. Go figure!
Translated from German (via Google Translate), the first paragraph reads:
The so-called Dagger Complex ... is a base of military intelligence services of the United States in Darmstadt at the district border to the town of Griesheim. It is located at the south of the former way Eberstädter August Euler airfield. It is believed that the secret services operate in the United States spy here.
It´s funny that web.de is also on board. If you have a look at the business model of web.de, they are always trying to get they users automatically locked into an overpriced subscription model after the free trial period ends.
yes, you pay a subscription fee, but this does not automatically mean that you are getting scanned.
I am hove no problem with subscription fees. I have a problem within companies who try to push they clients into subscription through some kind of free trials which then get automatically converted into yearly contract.
I think the best we can hope for the future of the web is that there will be reliable service providers in many different legal jurisdictions so that users can make a political calculation as to which government they can trust with their information. And that transport encryption remains trustable.
It seems to me that NSA is working directly against the interests of American technology companies. Ironic. I think this is going to be remembered as the high-water mark of American Social Media.
I grew up in Michigan and well remember the demise of the auto-industry. They had a good thing going, and thought it could never end. People grew complacent.
There is no guarantee that American technology business will continue to dominate. Eric Schmidt's "you have no privacy" attitude was both arrogant and short-sighted. We've needlessly shot ourselves in the foot.
There's a big gap between the philosophies of "Everything is public by default" and "Secretly giving all of your private communications to the NSA". The former is utopian, though naive. The latter is just old school tyranny.
Certainly it would be easier, but even NSA doesn't have enough hard drives to store all of GMail, Outlook.com, Skype, etc.
Some selectivity is required for them to do analysis, for the same reason we would run "grep foo <star>.cpp" instead of "find / -name '<star>.cpp' -exec grep foo {} \;"
> Certainly it would be easier, but even NSA doesn't have enough hard drives to store all of GMail, Outlook.com, Skype, etc.
Actually, that's an interesting point. I don't bother keeping copies of television series I've downloaded and watched laying about on my disk, because I know I can just go and retrieve them from the internet again if-and-when I want to watch them. In effect, I'm using the internet as a large, slow (but reliable!) disk.
The parallel being, I don't see why the NSA would bother to build its own datacenters for storing data. Google's, Apple's, Microsoft's, whoever's datacenters, are the NSA's datacenters. They don't have to retain information themselves; they just have to send a FISA notice to these companies telling them to retain the information, indefinitely, until the NSA has need of it.
> The parallel being, I don't see why the NSA would bother to build its own datacenters for storing data. Google's, Apple's, Microsoft's, whoever's datacenters, are the NSA's datacenters. They don't have to retain information themselves; they just have to send a FISA notice to these companies telling them to retain the information, indefinitely, until the NSA has need of it.
That's something I noted when this all blew up, was that simply keeping the NSA from getting the data was not good enough, as they could simply compel the phone company (or whoever) to hold onto it, and that we needed to be ready for something like this to be close to the "new normal".
However it could still be better to go this route, in that even though the NSA can get metadata on everyone that's 3 hops or thereabouts away from the phone company, that's still not a huge mass of data. And the phone company could notice if there was a large number of requests being made, do random audits to verify that NSA's Compliance office approved that given search, etc.
But then you would have to ensure those in the phone company with access to the logs for that program themselves have security clearances since they would in a very real sense be monitoring the progress of national security investigations (imagine if you had a sysadmin that was an AQ sympathizer noticing the NSA has penetrated a terror cell and he manages to tip off the cell in time).
Certainly it would be easier, but even NSA
doesn't have enough hard drives to store
all of GMail, Outlook.com, Skype, etc.
Gmail has enough drives - why shouldn't the NSA?
Gmail offers 15 gigabytes of storage space, almost certainly over-allocated - I know only one or two people who have hit that limit, personally I'm at less than 3 gigabytes. Gmail has 425 million users, according to [1]
According to Wikipedia's Utah Data Center article[2], it's estimated to have 3 to 12 exabytes of storage in the near term. So, space enough to store 1.0 billion to 4.2 billion 3 gigabyte gmail accounts, or 7.6 to 30.3 gigabytes per gmail user.
Somewhat short of 'all internet traffic all the time' but they could get all of gmail easily.
Also there is Quellen-TKÜ, which means that every single one of the three gives access to their servers to German law enforcement. If I remember correctly, the Quellen-TKÜ law says that any online service provider that has more than X users (10k?) has to provide access to law enforcement in such a way that the provider operators themselves don't know about the individuall access operations.