Posted on 2010-10-25 by IceBear

We all know what an email is, right? Germans had the great idea of reinventing the wheel, once again. In particular I want to talk about the "E-Postbrief" which is a new service by Deutsche Post AG.

First of all, what's "E-Postbrief" supposed to mean? The "E" stands for electronic, just like when talking about conventional emails. I was wondering how to translate "Postbrief" so I consulted a dictionary to help me out:

E = electronic
Post = mail
Brief = letter

So, that would make it "electronic mail letter". Awesome.

Now, what's the difference between a conventional email and this new E-Postbrief? You can send regular letters with it, either completely electronically (should the other party also use E-Postbrief) or have them printed and delivered as a normal paper letter. Both options cost a minimum of 0,55€ though. Electronic delivery is also limited to a maximum size of 20MB. The idea is to have an email that is legally binding, so you can get doctor's bills, etc. via E-Postbrief and save them digitally instead of having to deal with printed letters.

My first thought: Hell no, I'm not going to pay 0,55€ for each mail. But really, that's still the least of my concerns with this service.
Because here's what I haven't mentioned so far: the service is supposed to be secure and encrypted!

And how does that work? Well, not with your own public and private keys like PGP or GPG, that's for sure. Instead, it's made simple for the average citizen. That is: Deutsche Post AG is doing all the work for you. They encrypt and decrypt everything for you. Anybody else noticing this weird smell?
In case you're at least wondering what encryption algorithms they're using, well, you won't know. Because they're not telling.
Security through obscurity. Except that this pretty much equals having no security at all.

They also claim that it's "not possible" for Deutsche Post employees to read any E-Postbrief saved in your account. The second sentence waters that down, though, by saying it's secured against access by "unauthorized" people. Who is authorized?

In case you're still not convinced that this is some utterly insecure crap: by accepting the terms of service you agree that Deutsche Post may forward your mails (unencrypted!) to law enforcement agencies in case public security is being endangered. (aka terrori- ohshit, I'm scared.) (9. 9(3))
Did I mention your emails are mirrored and not deleted once you delete them? Yes, that's right, they'll only be deleted after an unspecified period of time. You may not see them anymore in your inbox but they're still there. That's of course just because you might delete something by accident. (2. 2(5))

Because of all the criticism, Deutsche Post added a service so you can generate your own private key and a signature. Funny though: they claim this key is only accessible to you, but who guarantees that? The key is generated on their servers; you simply download it from them. The only way to have a truly secure private key is by generating it on your own machine, not anywhere else.

I'll raise only one question: When they reserve the right to forward mails to law enforcement agencies in an unencrypted format, how is it not possible for any employee to read mails? They have the ability to decrypt them, they have the ability to forward them, but they don't have the ability to read them? Blind employees, the security concept of the future. Germany's always one step ahead.

So, to recap these awesome features of E-Postbrief: Costs money, insecure, totally unnecessary, insecure, did I mention insecure already?

Leave it, don't use it, is my suggestion. Stick to GPG/PGP and once again: Stay private.

Tagged: Deutsche Post, E-Postbrief, Eavesdropping, Email, GPG, Germany, PGP, Security
Permalink: https://www.myrl.net/article/146
Static article: No content updates or changes will be made to this article without a clearly visible "Update" tag. Only grammatical as well as spelling errors may be edited without any further notice.
License: Creative Commons Attribution-NonCommercial 3.0 Unported