Slashdot Mirror
Germany Builds Encrypted, Identity-Confirmed Email
jfruhlinger writes "Looking to solve the problems of spam, phishing, and unconfirmed email identities, Germany is betting very, very big. The country will pass a law this month creating 'De-mail,' a service in which all messages will be encrypted and digitally signed so they cannot be intercepted or modified in transit. Businesses and individuals wanting to send or receive De-mail messages will have to prove their real-world identity and associate that with a new De-mail address from a government-approved service provider. The service will be enabled by a new law that the government expects will be in force by the end of this month. It will allow service providers to charge for sending messages if they wish. The service is voluntary, but will it give the government too much control?"
As far as I've read, they decrypt messages in the middle "to check the messages for viruses".
So why didn't we read about this on slashdot before? Or did I miss something?
If Pandora's box is destined to be opened, *I* want to be the one to open it.
I can encrypt on my own and Gmail already does a fine job removing spam. I don't need a Government oversight and much less a possibility of paying per message for this "privilege".
They put a price on every email.
The system will not provide end-to-end encryption: Mail will only be encrypted to and from the mail service providers.
While the accounts are free, individual mails will cost money.
Mail delivered to these accounts will count as delivered to the recipient, so any respite associated with the delivery starts running. Don't read your email regularly - miss deadlines.
Did I mention that mails cost money?
I have recommended to everyone who has asked me to stay away from this system if at all possible. Don't even get an account.
From the sound of it, it'll almost inevitably end up costing money. With that in mind and by the powers vested in me by absolutely nobody in particular, I hereby dub it "feemail".
(One *could* say that it is supposed to be a kinder, more respectable alternative to the rough-and-tumble wild west of existing (e)mail, but then there are those who think it's just a prettier version that will inevitably cost a bunch of money.)
Typical mix of greedy corporations in bed with clueless *and* greedy lawmakers.
I bet you:
* Mails will live unencrypted at provider's server (check!)
* Users won't have any control on their keys and identities (check)
* There will be a central place to map identities to Real Life users (check)
Darn. And OpenPGP is out there for years. Sad. But hey, with OpenPGP the Deutsche Telekom and other parasites won't be able to leech on "consumers", right?
This sounds like completely run-of-the-mill encrypted email that you also have to pay per message and identify yourself for. The one significant advantage that I can see is that you might be able to convince other people to actually use it.
This space reserved for administrative use.
...when she sent me an forward claiming the government was going to start charging for email!
Isn't that going backwards ?
Shouldn't the next one be f-mail ?
Why would I volunteer to use a government sponsored program that I may get charged for when I can just use Enigmail in Thunderbird, or gpg the message otherwise?
Second problem: "It will allow service providers to charge for sending messages".
Major fail. It sounded almost good until I read that.
boycott slashdot February 10th - 17th check out: altSlashdot.org
If you want encrypted mails then yes. If you want to do a legally binding offer or request or or or, then you cannot use OpenPGP, because there are no rules who does what with the keys. (You could create a contract with someone saying that mails signed with a specific OpenPGP key are your mails, but good luck on getting anyone to do so). With something like this, once you sign it, this key is your key. Everything signed with it is as if you had said it in public or written it with a (classical) signed paper.
The point is that mails sent through De-mail have legal binding, so you can use as proof at court.
And it's been a failure, for a number of reasons:
- it cost a fortune to deploy
- one message costs an equivalent of about 1 USD, which means no one uses it except for communicating with the government
- it relies on a proprietary (although free as beer) rather obscure application for Windows, fortunately a non-profit foundation later developed a cross-platform library for accessing the mailbox
- once you register into the system, any official letter you get is automatically considered delivered, so you cannot deny receiving it, that's why any sane lawyer will discourage from getting such an account ever unless you are obligated to
Obviously, because so much money already burnt, the mailbox system is here to stay.
If it allows banks, utilities and other real world important billing and information emails to be able to be considered trustworthy then I can see a lot of value.
Your post^Whuge government engineering proposal advocates a
( ) technical (x) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Switch back to Slashdot's D1 system.
Once the encryption on the end can be faked so someone else will end up with the costs and even have the cops knock down their door?
This is the way to go, it is what I use when I want to send encrypted email. There are some big problems with PGP/GPG where government could help, these are:
Once they have done that then the normal commercial forces would kick in: some people would pay for s/ware that works, others would use FLOSS; it doesn't really matter -- it is the standard that is important.
Mail signing -- encryption is a completly different problem from spam prevention, we must not conflate the two.
Combine it with DKIM and DNSSEC and your are done.
New things are always on the horizon
... they better forget it.
It costs from 55 eurocents to send one "email" (to multiple euros if you want confirmation, even if there is no snail-mail/paper involved). The interface is arcane with no 3rd party integration, of course there's no end-to-end encryption (and the "mails" are way less legally protected than normal post) and there are some really nasty conditions attached:
- you have to check your mail EVERY WORKING DAY (that includes Saturdays, not that it matters)
- you can't delegate this "check mail" duty to anybody (note that there isn't anything wrong in letting your wife/neighbour/etc in charge of your physical mailbox if you trust them).
There is a reason I do not want my online profile linked to my real life person. Or at least as little as possible.
It is also the reason I did not participate in a GPG signing, as I would then have to identify myself with my real life name. Thanks but no thanks. (Could be that other signings are different. No idea.)
If it needs be, I can drop my online alias and create a new one. e.g. if in 20 years people want to kill me because of something I said that is acceptable now. My boss looking for whatever information he thinks he wants, he won't find anything that wasn't screened by me (if he finds the right person, because others with the same name and similar profiles exist and they are in WAY better shape then I am. One even runs marathons.)
So again, thanks but no thanks.
Don't fight for your country, if your country does not fight for you.
It's all fun and games until someone that doesn't know about the system tries to send you an email. I like the idea of having real names registered to email addresses, but certificates already do this.
Charge one penny per sent message. That is all we need to do to stop spam. So simple.
If anyone wants security, there is S/MIME, widely available and widely supported.
No, the next one after gmail would be HeMail, pronounced
Ahee-Mayal.
Homestarrunner FTW!
http://www.homestarrunner.com/main8.html
"Email" tab
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
named PEC: (http://tools.ietf.org/html/draft-gennai-smime-cnipa-pec-08> ) which has the same legal validity as certified mail.
There's also a variant (CEC-PAC) to communicate with government offices only.
Spam sent from zombies will be encrypted and signed with the certificate of the zombied computer. so how does this help?
Some drink at the fountain of knowledge. Others just gargle.
Read every day? So when you go on holiday you get into legal or financial trouble? Cute!
Yet another example of either clueless politicians, attempting to do "a good thing" all the while creating on over regulated, technically inferior system, or the clever attempt to get yet another way of snooping on the people while making them "feel good and safe" ... ... .55â a piece?) or virus/malware (whoah - get a worm on your machine, let it send out millions of DE-Mails - get poor in the process - at least then you won't be able to afford any more internet, removing one more botnet machine from the net), then re-encode for the recipient. The standard is supposed to include the option for end-to-end encryption though, but I'm not sure under which circumstances ... Anyway, as the DE-mail is kept on certain provider mailservers, with current law interpretation, any court could order all the mails to a certain person (or from) to be handed over to law enforcement ...
The good thing at the moment is that it's not mandatory to have or use the POS email service. At the prices currently discussed(55 âcent per email - same as for a regular letter!), I doubt it will find many people who are interested in using it. Though they have said that prices "may" go down
And yes, the standard usually means the mail will be decoded by the MITM, to check for spam (yeah right, at
Problem is the typical chicken and egg dilemma - too few people use public key crypto, because they don't know (or care) about it, so the ones who would use it don't have any recipients to send to, so less people use it ... ...
Guess everybody should start using a footer with a link to a web page that explains for computer dummies how to set up and operate GPG/PGP and forget all about this crap government control attempt
... the amount of peers who you have met in the real world ...
And how would that help Slashdotters?
PlusFive Slashdot reader for Android. Can post comments.
Did anyone try to think before start complaining about "clueless politician"?
1. End-to-end encryption. As far as I can see the system does not provides one and does not attempt to do so. And this is right. End-to-end encryption is between me and my recipient and nobody else has anything to do with it. All middle message relay agents can do whatever they want with my encrypted message, as long as they will deliver it finally to the recipient intact. I don't care. People where using end-to-end encryption on mail message for thousandths of years over much less sophisticated transfer agents with great success.
2. Cost per message. First of all I never see a statement that Germany established "e-mail tax" so all messages _must_ cost something. It _may_ cost something. I do not know any law that prohibits Google, Yahoo and Microsoft from collecting money for emails that they transfer. In fact I'm paying right now to Google and Yahoo for e-mail services and considering number of e-mails I've sent per month the cost is much grater 5c/message. Did you guys have a clue that to relay your messages cost money? Service providers have to pay for computers, electricity, network bandwidth, heating/cooling, physical security, customers support etc. All this cost them money. Why they cannot collect fair price for the services that they provide? I'd prefer to pay fair price for the service that I need/value rather than use it for free and watch all this advertising on the sides of the screen.
I like the idea to establish network of trusted MTA - it will be positive thing. It will not solve all problems, but at least it will help with some.
This is the way to go, it is what I use when I want to send encrypted email. There are some big problems with PGP/GPG where government could help, these are:
Once they have done that then the normal commercial forces would kick in: some people would pay for s/ware that works, others would use FLOSS; it doesn't really matter -- it is the standard that is important.
Right on. All I'd have to do is to trust the German key (they could publish the fingerprint in Frankfurter Allgemeine Zeitung or something) and I could communicate with anyone in .de.
And that is why I resent the "OMG I would never trust a system where the government is involved!" comments here. Handing out public identities for people is precisely what governments *are for*. Without the government, we are clearly stuck where we are today: with unsigned and unencrypted mail.
Starts to be the same crap everywhere - not only Germany. Look at the "bastion of freedom" (The United States) again and see how it really is.
Feels like the world of Max Headroom is going to be a paradise utopia soon rather than a dystopia.
Soon we will have blipverts... And stuff like AdBlock Plus will be illegal.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Legally a mail in that system has arrived at your place, even if you cannot get it because you are on vacation or your computer/internet broke down. That's a big legal problem obviously.
There are already standards for authenticating the sender of mail and encrypting the contents of those mails, it would be far better to encourage use of these existing standards rather that come up with something completely new and incompatible with everything else.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
sounds like DBP has manged to looby for a return to the 70's and 80's with the ptt running the countrys email system
I'd love to have widely adopted secure end-to-end non-reputable email, but I think it will be a cold day in hell before *any* government will support a standard that doesn't permit them to read the email at will.
"Eve of Destruction", it's not just for old hippies anymore...
X.509/PKI user certificates. Have whatever department is responsible for passports issue certs for citizens, and whatever department is responsible for other legal entities (Corporations, societies, etc). As a bonus it also works for HTTPS.
I always thought it would be neat to take a thumb drive of public keys, and a photo ID and have the post office sign them. Maybe a yearly fee to have the USPS host the public keys on the internet.
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
This is a completely retarded idea. It was thought up by people who think email works like the postal service. What it does great is accumulate control and bureaucracy where it is not needed; what it does badly is any kind of security.
If the federal government of Germany wanted to actually effectively help people secure their online communication, they would certify actual end-to-end encryption and electronic signature programs for official use, and provide some kind of root CA (or the PGP equivalent). Instead, we will have an incompatible reinvented email implementation that will, based on the German government's track record with electronic passports, be buggy, riddled with critical vulnerabilities and badly supported on non-Windows systems, if it will even be accessible without the web at all.
I had signed up for an account just to play with it. Then I read the T&C's. Once I did though, I instantly deleted my account. Any email send to you is treated like a registered letter. They require you to check your mailbox every 24h (maybe it was more - cannot recall). So you could really miss deadlines. Its not only that nobody needs this (we already have S/Mime and PGP/GPG) - it can actually be harmful to you to have an account. Therefore: under no circumstances use DE-Mail - don't even get an account - and if you have one - cancel it right away.
after 10 years of posting about this, the germans come out with it, its about bloody time!, now we will see a sharp decline in spam emails....just you wait and see. Siting past posts does nothing for my karma, but if you want to see some of them, just check some rants and raves from my past about email spamming.