German Lawyers Call For Their Profession's Bug-Ridden, Soon-To-Be Mandatory, Email System To Be Open Sourced

from the public-trust,-public-code dept

Given the sensitive nature of their work, lawyers need to take particular care when communicating online. One way to address this — quite reasonable, in theory — is to create a dedicated system with strong security built in. That’s the route being taken by Germany’s Federal Bar Association (Bundesrechtsanwaltskammer — BRAK) with its “besonderes elektronisches Anwaltspostfach” (special electronic mailbox for lawyers, or beA). However, the reality has not matched the theory, and beA has been plagued with serious security problems. As a post on the Free Software Foundation Europe (FSFE) site explains (original in German):

Numerous scandals and a questionable understanding of security characterize the project, which has been in development for several years. Lawyers should have been reachable through this software since January 1, 2018, but numerous known vulnerabilities have prevented the planned start of the service.

Although a security audit was commissioned and carried out in 2015, its scope and results have not been published to date; the full extent of the faulty programming became known only at the end of 2017. Thus the project, which has cost lawyers so far about 38 million euros, has already lost people’s trust. In view of the numerous errors, the confidentiality of the sent messages can no longer be guaranteed — and this is for software whose use from 2022 onwards becomes mandatory for all court documentation traffic.

Because of the continuing lack of transparency about the evident problems with the project, a number of German lawyers are supporting a petition that asks for an alternative approach, reported here by the Open Source Observatory:

The petition calls on Germany’s Bundesrechtsanwaltskammer (Federal Bar Association, or BRAK) to publish the beA software under a free and open source software licence and open the software development process. “Only in this way can it slowly restore the trust of the users — all lawyers, authorities and courts,” the petition says.

As the petition notes (original in German):

Disclosure of the program code allows independent IT professionals to report potential security vulnerabilities early on so that they can be fixed; it has been shown once more that keeping the source code secret, and carrying out the audits as agreed in the contract [for creating the beA system] does not lead to the desired result. Free software also guarantees much-needed manufacturer independence.

Over and above the increased transparency that open-sourcing the beA code would bring, and the hope that this would allow security issues to be caught earlier, there is another good reason why the German system for lawyers should be released as free software. Since it will perform a key service for the public, it is only right for representatives of the German public to be able to confirm its trustworthiness. This is part of a larger campaign by the FSFE called “Public Money, Public Code”, which Techdirt wrote about last year. Unfortunately, what ought to be a pretty uncontroversial idea still has a long way to go, as the painful beA saga demonstrates.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Comments on “German Lawyers Call For Their Profession's Bug-Ridden, Soon-To-Be Mandatory, Email System To Be Open Sourced”

17 Comments
Anonymous Anonymous Coward (profile) says:

New Bread Box Need, New Engineers Requested

I am trying to discern the reason the German Government did not choose an existing secure email program and then just dictate the various addresses to be used? Was there a particular need to build a system from the ground up? Right, some contractor needed the income.

If a particular system is already secure, and there would be a benefit to it being open sourced (with the exception of the encryption algorithm) so that security could be further verified, then why would someone actually want to build a new one? That is if there was no profit motivation? Government should never have a profit motivation. Cost savings, maybe, but that would mean that something is cut, not added.

What is actually needed in such a system? A secure sending unit, a secure receiving unit, and a secure server to store the communication and a secure system for distributing the already secure communication to only those that have the appropriate security clearance to receive them. Hasn’t this been built numerous times already?

Is the issue that those already built systems weren’t properly translated into German? Wouldn’t it be cheaper to do a better job of translation than start from scratch, and maybe build something not as secure? I don’t know the names of the existing systems (as I have no need for them…today, but I know they exist, various governments around the world are complaining about them).

Sheesh

Anonymous Coward says:

Re: New Bread Box Need, New Engineers Requested

Was there a particular need to build a system from the ground up?

Not making any comment on this particular endeavor, but general — well, email is a hot mess and that’s no big secret. Over the past couple decades, more and more people beginning to think we just need to start over with a greenfield system.

Rich Kulawiec (profile) says:

Re: Re: New Bread Box Need, New Engineers Requested

Yes, it would be lovely to start over and apply all the lessons we’ve learned. However, precisely zero of the people proposing that course of action have been able to put forth a workable plan for migrating the entire Internet.

Email has its problems, to be sure. I’ve spent decades documenting and working on them, so I think it’s fair to say I have an extensive awareness of them. But for all that, it’s still the “killer app”, and the communications method of choice for clueful people.

Anonymous Coward says:

Re: Re: Re: New Bread Box Need, New Engineers Requested

coughGPGcoughEnigmailcough

Why do people still not know this? Admittedly it doesn’t obfuscate receiver/sender from email service servers (ie. Gmail/Google, etc.), but it’s better than nothing. If your security is worth that much, maybe set up tiny, cheap RasPi email servers for your clients. Then nobody but the ISPs can snoop on who you’re talking to, at least.

TKnarr (profile) says:

It sounds like the proposed system is less an email system and more a records-management system where things like whether the recipient is authorized to receive a particular document or type of document (so that eg. documents that should be visible to only one party don’t accidentally get sent to opposing counsel) come into play and “email message” is only one of many document types. I can only imagine the mess if they tried to start with an email system and impose those kinds of additional requirements on it.

ECA (profile) says:

Re: Re:

That's agreed,
But then you get the Gov/Corps wanting to input backdoors, and moderating All mail..
Which makes the program SO unwieldy, and Complicated…

Some group is always trying to get into the backdoor..

Security isn't/wouldn't be a problem, if it was a basic/simple setup.
I bet they want Everyone to use the same Coding on the mail, so that it can be opened by anyone..WHICH isn't private.
