German Lawyers Call For Their Profession's Bug-Ridden, Soon-To-Be Mandatory, Email System To Be Open Sourced

from the public-trust,-public-code dept

Thu, Mar 15th 2018 7:27pm — Glyn Moody

Given the sensitive nature of their work, lawyers need to take particular care when communicating online. One way to address this -- quite reasonable, in theory -- is to create a dedicated system with strong security built in. That's the route being taken by Germany's Federal Bar Association (Bundesrechtsanwaltskammer -- BRAK) with its "besondere elektronisches Anwaltspostfach" (special electronic mailbox for lawyers, or beA). However, the reality has not matched the theory, and beA has been plagued with serious security problems. As a post on the Free Software Foundation Europe (FSFE) site explains (original in German)

Numerous scandals and a questionable understanding of security characterize the project, which has been in development for several years. Lawyers should have been reachable through this software since January 1, 2018, but numerous known vulnerabilities have prevented the planned start of the service.

...

Although a security audit was commissioned and carried out in 2015, its scope and results have not been published to date; the full extent of the faulty programming became known only at the end of 2017. Thus the project, which has cost lawyers so far about 38 million euros, has already lost people's trust. In view of the numerous errors, the confidentiality of the sent messages can no longer be guaranteed -- and this is for software whose use from 2022 onwards becomes mandatory for all court documentation traffic.

Because of the continuing lack of transparency about the evident problems with the project, a number of German lawyers are supporting a petition that asks for an alternative approach, reported here by the Open Source Observatory:

The petition calls on Germany's Bundesrechtsanwaltskammer (Federal Bar Association, or BRAK) to publish the beA software under a free and open source software licence and open the software development process. "Only in this way can it slowly restore the trust of the users -- all lawyers, authorities and courts," the petition says.

As the petition notes (original in German):

Disclosure of the program code allows independent IT professionals to report potential security vulnerabilities early on so that they can be fixed; it has been shown once more that keeping the source code secret, and carrying out the audits as agreed in the contract [for creating the beA system] does not lead to the desired result. Free software also guarantees much-needed manufacturer independence.

Over and above the increased transparency that open-sourcing the beA code would bring, and the hope that this would allow security issues to be caught earlier, there is another good reason why the German system for lawyers should be released as free software. Since it will perform a key service for the public, it is only right for representatives of the German public to be able to confirm its trustworthiness. This is part of a larger campaign by the FSFE called "Public Money, Public Code", which Techdirt wrote about last year. Unfortunately, what ought to be a pretty uncontroversial idea still has a long way to go, as the painful beA saga demonstrates.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: germany, lawyers, open source

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Anonymous Coward (profile), 15 Mar 2018 @ 5:59pm

New Bread Box Need, New Engineers Requested
I am trying to discern the reason the German Government did not chose an existing secure email program and then just dictate the various addresses to be used? Was there a particular need to build a system from the ground up? Right, some contractor needed the income.

If a particular system is already secure, and there would be a benefit to it being opened sourced (with the exception of the encryption algorithm) so that security could be further verified, then why would someone actually want to build a new one? That is if there was no profit motivation? Government should never have a profit motivation. Cost savings, maybe, but that would mean that something is cut, not added.

What is actually needed in such a system? A secure sending unit, a secure receiving unit, and a secure server to store the communication and a secure system for distributing the already secure communication to only those that have the appropriate security clearance to receive them. Hasn't this been built numerous times already?

Is the issue that those already built systems weren't properly translated into German? Wouldn't it be cheaper to do a better job of translation than start from scratch, and maybe build something not as secure? I don't know the names of the existing systems (as I have no need for them...today, but I know they exist, various governments around the world are complaining about them).

Sheesh
[ link to this | view in chronology ]
- Anonymous Coward, 15 Mar 2018 @ 8:03pm
  
  Re: New Bread Box Need, New Engineers Requested
  
  Was there a particular need to build a system from the ground up?
  
  Not making any comment on this particular endeavor, but general — well, email is a hot mess and that's no big secret. Over the past couple decades, more and more people beginning to think we just need to start over with a greenfield system.
  [ link to this | view in chronology ]
  - R, 16 Mar 2018 @ 4:08am
    
    Re: Re: New Bread Box Need, New Engineers Requested
    [ link to this | view in chronology ]
  - Rich Kulawiec, 16 Mar 2018 @ 4:11am
    
    Re: Re: New Bread Box Need, New Engineers Requested
    Yes, it would be lovely to start over and apply all the lessons we've learned. However, precisely zero of the people proposing that course of action have been able to put forth a workable plan for migrating the entire Internet.
    
    Email has its problems, to be sure. I've spent decades documenting and working on them, so I think it's fair to say I have an extensive awareness of them. But for all that, it's still the "killer app", and the communications method of choice for clueful people.
    [ link to this | view in chronology ]
    - Anonymous Coward, 16 Mar 2018 @ 10:58am
      
      Re: Re: Re: New Bread Box Need, New Engineers Requested
      This isn't about "migrating the entire Internet." It's about secure communication specifically for lawyers.
      [ link to this | view in chronology ]
    - Anonymous Coward, 17 Mar 2018 @ 7:18am
      
      Re: Re: Re: New Bread Box Need, New Engineers Requested
      *cough*GPG*cough*Enigmail*cough*
      
      Why do people still not know this? Admittedly it doesn't obfuscate receiver/sender from email service servers (ie. Gmail/Google, etc.), but it's better than nothing. If your security is worth that much, maybe set up tiny, cheap RasPi email servers for your clients. Then nobody but the ISPs can snoop on who you're talking to, at least.
      [ link to this | view in chronology ]
TKnarr (profile), 15 Mar 2018 @ 10:29pm

It sounds like the proposed system is less an email system and more a records-management system where things like whether the recipient is authorized to receive a particular document or type of document (so that eg. documents that should be visible to only one party don't accidentally get sent to opposing counsel) come into play and "email message" is only one of many document types. I can only imagine the mess if they tried to start with an email system and impose those kinds of additional requirements on it.
[ link to this | view in chronology ]
ECA (profile), 16 Mar 2018 @ 12:32am

Ummm
Not said..
Emails? from inside the business from and TO other lawyers and judges??

WHATS THE F'ING PROBLEM??

A single server setup to Connect all the lawyers and judges...Should NOT be a problem,, 1 day to 1 week..
[ link to this | view in chronology ]
oliver, 16 Mar 2018 @ 3:28am

Hi Guys, friend of a lawyer in Germany here, this has been a clusterfuck of epic proportions.
Why does each professional association have to invent a new and different "secure" communicatuion system?
Why did humanity not invent the wheel several times?
Did anybody hear about PGP and Enigmail?

nuff said!
[ link to this | view in chronology ]
- ECA (profile), 16 Mar 2018 @ 1:31pm
  
  Re:
  Thats agreed,
  But then you get the Gov/Corps wanting to input backdoors, and moderating All mail..
  Which makes the program SO unwieldy, and Complicated...
  
  Some group is always trying to get into the backdoor..
  
  Security isnt/woundnt be a problem, if it was a basic/simple setup.
  I bet they want Everyone to use the same Coding on the mail, so that it can be opened by anyone..WHICH isnt private.
  [ link to this | view in chronology ]
- Anonymous Coward, 16 Mar 2018 @ 4:23pm
  
  Re:
  
  Did anybody hear about PGP and Enigmail?
  
  Did you hear about the NSA? They like to collect metadata, and PGP does nothing to protect it.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Mar 2018 @ 7:20am
    
    Re: Re:
    Depends on if keeping who you're talking to secret or what you're talking to them about secret matters more.
    [ link to this | view in chronology ]
- Lawrence D’Oliveiro, 16 Mar 2018 @ 8:13pm
  
  Re: Did anybody hear about PGP and Enigmail?
  Sure, in theory it’s a solved problem.
  
  In practice, on the other hand...
  [ link to this | view in chronology ]
Rich Kulawiec, 16 Mar 2018 @ 4:14am

They're not building a communications tool
They're building a target. It will be fully compromised before it goes live.
[ link to this | view in chronology ]
- Anonymous Coward, 16 Mar 2018 @ 5:18am
  
  Re: They're not building a communications tool
  A wet dream for the executive. Goal: state trojan world dominance.
  [ link to this | view in chronology ]
techie1 (profile), 16 Mar 2018 @ 2:56pm

Why didn't the German Bar Association.....
Hire V. A. Shiva Ayyadurai ??

/s
[ link to this | view in chronology ]
Whoever, 16 Mar 2018 @ 3:50pm

Lack of security: Feature, not a bug
Lack of security is a feature, not a bug.

Government prosecutors will somehow be able to anticipate the actions of defence lawyers.

Why else proceed after it is shown that this system does not provide the one thing it is supposed to provide: secure email.
[ link to this | view in chronology ]