German Lawyers Call For Their Profession's Bug-Ridden, Soon-To-Be Mandatory, Email System To Be Open Sourced
from the public-trust,-public-code dept
Given the sensitive nature of their work, lawyers need to take particular care when communicating online. One way to address this -- quite reasonable, in theory -- is to create a dedicated system with strong security built in. That's the route being taken by Germany's Federal Bar Association (Bundesrechtsanwaltskammer -- BRAK) with its "besonderes elektronisches Anwaltspostfach" (special electronic mailbox for lawyers, or beA). However, the reality has not matched the theory, and beA has been plagued with serious security problems. As a post on the Free Software Foundation Europe (FSFE) site explains (original in German):
Numerous scandals and a questionable understanding of security characterize the project, which has been in development for several years. Lawyers should have been reachable through this software since January 1, 2018, but numerous known vulnerabilities have prevented the planned start of the service.
...
Although a security audit was commissioned and carried out in 2015, its scope and results have not been published to date; the full extent of the faulty programming became known only at the end of 2017. Thus the project, which has cost lawyers so far about 38 million euros, has already lost people's trust. In view of the numerous errors, the confidentiality of the sent messages can no longer be guaranteed -- and this is for software whose use from 2022 onwards becomes mandatory for all court documentation traffic.
Because of the continuing lack of transparency about the evident problems with the project, a number of German lawyers are supporting a petition that asks for an alternative approach, reported here by the Open Source Observatory:
The petition calls on Germany's Bundesrechtsanwaltskammer (Federal Bar Association, or BRAK) to publish the beA software under a free and open source software licence and open the software development process. "Only in this way can it slowly restore the trust of the users -- all lawyers, authorities and courts," the petition says.
As the petition notes (original in German):
Disclosure of the program code allows independent IT professionals to report potential security vulnerabilities early on so that they can be fixed; it has been shown once more that keeping the source code secret, and carrying out the audits as agreed in the contract [for creating the beA system] does not lead to the desired result. Free software also guarantees much-needed manufacturer independence.
Over and above the increased transparency that open-sourcing the beA code would bring, and the hope that this would allow security issues to be caught earlier, there is another good reason why the German system for lawyers should be released as free software. Since it will perform a key service for the public, it is only right for representatives of the German public to be able to confirm its trustworthiness. This is part of a larger campaign by the FSFE called "Public Money, Public Code", which Techdirt wrote about last year. Unfortunately, what ought to be a pretty uncontroversial idea still has a long way to go, as the painful beA saga demonstrates.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: germany, lawyers, open source
Reader Comments
New Bread Box Need, New Engineers Requested
If a particular system is already secure, and there would be a benefit to it being open-sourced (with the exception of the encryption algorithm) so that security could be further verified, then why would someone actually want to build a new one? That is if there was no profit motivation? Government should never have a profit motivation. Cost savings, maybe, but that would mean that something is cut, not added.
What is actually needed in such a system? A secure sending unit, a secure receiving unit, and a secure server to store the communication and a secure system for distributing the already secure communication to only those that have the appropriate security clearance to receive them. Hasn't this been built numerous times already?
Is the issue that those already built systems weren't properly translated into German? Wouldn't it be cheaper to do a better job of translation than start from scratch, and maybe build something not as secure? I don't know the names of the existing systems (as I have no need for them...today, but I know they exist, various governments around the world are complaining about them).
Sheesh
[ link to this | view in chronology ]
Re: New Bread Box Need, New Engineers Requested
Not making any comment on this particular endeavor, but in general — well, email is a hot mess and that's no big secret. Over the past couple decades, more and more people are beginning to think we just need to start over with a greenfield system.
[ link to this | view in chronology ]
Re: Re: New Bread Box Need, New Engineers Requested
[ link to this | view in chronology ]
Re: Re: New Bread Box Need, New Engineers Requested
Email has its problems, to be sure. I've spent decades documenting and working on them, so I think it's fair to say I have an extensive awareness of them. But for all that, it's still the "killer app", and the communications method of choice for clueful people.
[ link to this | view in chronology ]
Re: Re: Re: New Bread Box Need, New Engineers Requested
This isn't about "migrating the entire Internet." It's about secure communication specifically for lawyers.
[ link to this | view in chronology ]
Re: Re: Re: New Bread Box Need, New Engineers Requested
Why do people still not know this? Admittedly it doesn't obfuscate receiver/sender from email service servers (i.e. Gmail/Google, etc.), but it's better than nothing. If your security is worth that much, maybe set up tiny, cheap RasPi email servers for your clients. Then nobody but the ISPs can snoop on who you're talking to, at least.
[ link to this | view in chronology ]
Ummm
Emails? from inside the business from and TO other lawyers and judges??
WHAT'S THE F'ING PROBLEM??
A single server set up to connect all the lawyers and judges... should NOT be a problem, 1 day to 1 week..
[ link to this | view in chronology ]
Why does each professional association have to invent a new and different "secure" communication system?
Why did humanity not invent the wheel several times?
Did anybody hear about PGP and Enigmail?
nuff said!
[ link to this | view in chronology ]
Re:
But then you get the Gov/Corps wanting to input backdoors, and moderating All mail..
Which makes the program SO unwieldy, and Complicated...
Some group is always trying to get into the backdoor..
Security isn't/wouldn't be a problem, if it was a basic/simple setup.
I bet they want Everyone to use the same Coding on the mail, so that it can be opened by anyone..WHICH isn't private.
[ link to this | view in chronology ]
Re:
Did you hear about the NSA? They like to collect metadata, and PGP does nothing to protect it.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Did anybody hear about PGP and Enigmail?
Sure, in theory it’s a solved problem.
In practice, on the other hand...
[ link to this | view in chronology ]
They're not building a communications tool
[ link to this | view in chronology ]
Re: They're not building a communications tool
[ link to this | view in chronology ]
Why didn't the German Bar Association.....
/s
[ link to this | view in chronology ]
Lack of security: Feature, not a bug
Government prosecutors will somehow be able to anticipate the actions of defence lawyers.
Why else proceed after it is shown that this system does not provide the one thing it is supposed to provide: secure email?
[ link to this | view in chronology ]