German e-government service gets OpenPGP-based plug-ins, but their impact is unlikely to be widespread

Have German Web mail providers beaten Google and Yahoo to the punch when it comes to protecting emails with end-to-end encryption based on the PGP (Pretty Good Privacy) system? Google and Yahoo have long been working on anencryption tool coded using OpenPGP, but it’s reportedly still in alpha.

PGP is considered one of the strongest data encryption standards — cryptographer Bruce Schneier has called PGP “the closest you’re likely to get to military-grade encryption” — but it’s notoriously complicated.

Nonetheless, this week Deutsche Telekom and United Internet, with the backing of the German government, announced that next month they will roll out browser plug-ins for Chrome and Firefox that supposedly make PGP easy to use. The plug-ins were developed with the open source Mailvelope OpenPGP project, meaning the code will be published and can be checked for backdoors. Under the new system, encryption keys will be stored on customer’s devices, and only the email sender and recipient will be able to read a message’s content.

The plug-ins are aimed at fortifying the De-Mail system, a German e-government service launched in 2011 that has seen lackluster uptake — only about 1 million people have signed up for an account. The De-Mail service is used for exchanging legal documents between citizens, businesses, and government organizations, but has been criticized for insufficient security.

According to Thomas de Maizière, Germany’s Federal Minister of the Interior, PGP support will provide a user-friendly way of increasing De-Mail’s security. De Maizière went on to call encryption an important requirement if Germany is to take a leading role in the use of digital services. (Government pronouncements on encryption should always be taken with a heaping of salt: de Maizière as recently as January was critical of encryption and advocated the use of backdoors.)

Although news reports this week spoke of Germany’s “push for widespread end-to-end email encryption,” this latest move is unlikely to greatly impact De-Mail’s popularity. The browsers used by more than 60 percent of all German Internet users will not be supported, nor will mobile apps and desktop email clients. There are also privacy concerns with the service since there is an identification verification process required to sign up for an account.

KuppingerCole, an analyst company based in Europe, expressed serious doubts about the new plug-ins’ ease of use as well. “No integration with the De-Mail user directory is offered,” meaning users are on their own when tackling PGP key exchange. “In this regard, De-Mail looks no better than any other conventional email service, since PGP encryption is already supported by many mail applications in a completely provider-agnostic manner,” said senior analyst Alexei Balaganski in a blog post.

According to Balaganski:

The only proper way of implement end-to-end communications security is not to try to slap another layer on top of the aging email infrastructure, but to implement new protocols designed with security in mind from the very beginning. And the most reasonable way to do that is not to try to reinvent the wheel on your own, but to look for existing developments like, for example, Dark Mail Technical Alliance. What the industry needs is a cooperatively developed standard for encrypted communications, similar to what FIDO alliance has managed to achieve for strong authentication.

What the industry also needs is for governments to reconcile their conflicting views about encryption.