CEO Perspective: Peer Heinlein Talks About Email Privacy

vpnMentor: What's brought you to develop mailbox.org?

We started with encryption and privacy back in 1989, when only few people even knew what e-mail was. Since then, much has changed in the world of tele-communications, but unfortunately, the issue of privacy continues to be a burning issue for users worldwide.

People always argue that encryption is too complicated and therefore not usable, and that PGP doesn’t work at all. At mailbox.org, we try to show that it is possible to provide a secure e-mail system even with the existing SMTP protocols. We did not want to develop something completely new because e-mail is so widely distributed and used, it would be difficult to change fundamentally. Instead of reinventing the wheel, we are concentrating our efforts towards making e-mail more secure and more comfortable to use at the same time.

mailbox.org is a rebranding of our previous ISP, and based on a new service concept. Overall, we think it’s an excellent service. We have customers from all over the world who frequently feed back to us that it runs well and is a very good place to host private e-mails and data.

vpnMentor: In your opinion, to what extent must a user compromise their convenience to secure their data?

I don’t think our users have to make any compromises here. We've demonstrated that security technology can be integrated right into the interface without sacrificing protection. Also bear in mind that many customers prefer ease of use and peace of mind over the manual handling of encryption keys, and they fully trust us to safeguard their data and privacy. And many of them don’t really trust their mobile devices, so they don’t want to store their private key on unsafe systems.

Take, for example, PGP encryption, which is fully integrated in our web-mail system. Key creation with local clients can be a bit of a hassle but at mailbox.org, this can be achieved by a single mouse click, and no software needs to be installed. The user can do all this through the web interface, and our underlying system takes care of the rest – it just works!

What many people don’t instantly see is that private and secure e-mail accounts cost money and need to be paid for. It’s very simple: if you don't want to host your e-mail servers at a commercial ISP that sells off your data to third parties, then you should be prepared to pay at least 1 or 2 Euros a month for that kind of service..

vpnMentor: You've stated on your website that your monitoring is safer than government monitoring. What is the German policy with regards to government email surveillance?

In general, the German law is fairly protective of the right of privacy. Of course, there are occasions where legal interception is permitted when someone is engaged in illegal activities, but even then, third party access is very restricted.

One of the problems we have found in our work is that all over the world, people do not trust their own governments. We are striving to provide security even against the government, but we also have to make sure that our systems are not open to misuse and abuse.

One of our biggest advantages is that we do not store and analyze data unless we are explicitly asked to do so. By default, we do not keep personal data in our records, such as information about where our customers live, or even how they paid us. The rationale behind this is, again, very simple: If we don’t keep personal data about our customers at all, then there won’t ever be a situation where we would have to give that data to someone else.

We also instruct our customers to doubly encrypt their sensitive data. Once an e-mail is encrypted, no one without a valid key can open and read it – which includes us, the service provider. So even in cases where we may be forced to allow government access to a mailbox, encrypted e-mail messages will always remain secure.

vpnMentor: How do you expect the planned amendment to rule 41 in the USA to affect German policy in the future?

We are located in Germany and subject to German law, so I don’t see how anyone could force upon us any foreign rules that are not based in German law. This would be a problem only if we had US-based dependencies, or US-based departments, which we do not.

vpnMentor: What recovery measures would you recommend for someone who's identity or e-mail address had been forged?

If someone is just forging your e-mail address as a sender without having access to your inbox, there isn’t much we can do to help. The reason is that those emails are sent from somewhere else in the world, by someone who's probably never seen your real mail servers. All they have done is create an e-mail message that contains the sender's address. You might receive some bounces or other backscatter e-mails out of this situation but this is something no-one can protect themselves against.

It’s like in real life: You can’t do anything about it if someone writes your name on a piece of paper or writes a letter in your name to somebody else..

We are also seeing that spammers frequently try to access the user’s inboxes, because they want to use the infrastructure to send out their spam e-mail, which explains why many spam e-mails are sent from real-life accounts.

Even experienced users could fall for phishing traps, which is why we also provide one-time password logins, two-step authentication and other security features. This guarantees that our customers always have secure access to their inboxes all over the world, even if they're working on a computer that is not secure as such. We must anticipate that external systems may be compromised by key-loggers and other sniffing tools operating in the background and the additional security options are an effective countermeasure to this..

If someone does manage to hack into your e-mail inbox and send messages in your name, they can also access a lot of other information about you. We are talking about years of e-mail history, containing private information or business intelligence that could be used for blackmailing. Everybody has a private life that they do not want to share with anyone, and thus, everybody is a target. This is another point where encryption becomes very important because even if someone has access to your account, they can’t access all that information if it is encrypted!

At the bottom line, such trouble can easily be prevented with a mix of awareness of what's going on around the internet, and technology, which provides the protective measures before it's too late.

vpnMentor: What kind of malware do you encounter most commonly on your server firewall?

It's hard to say because we don't experience many hacking attempts on our service infrastructure. Our protection systems give us the ability to track just the normal noise of internet, and filter out whatever is detected as suspicious. Most often, the problem is not with us as the ISP but the client’s computer. It's easier and more lucrative for intruders to access the user's device rather than a heavily protected e-mail server. People are always using their mobile devices and often don’t know that such personal devices may actually be very exposed to. This lack of public awareness is the biggest challenge to personal privacy.

vpnMentor: How can mailbox.org help in filtering out malicious emails which are supposedly sent by friends?

Our defense against viruses comprises multiple layers of protection, incorporating antivirus scan engines based on both signatures and behaviors. These robust mechanisms prove highly efficient in detecting bot-nets and spammers by analyzing their actions, eliminating the need to inspect the content of their messages. As a result, such messages are automatically filtered out of the inbox.

If for any reason spam e-mails are still coming through, we are able to scan their content for malware, but if the e-mail is encrypted, the ISP will not be able to scan it. This is where Antivirus software comes in to protect the device or computer, which is always prone to attacks. Good ISP's locate 99% of the viruses and filter them out before they go into the inbox. But there are always new viruses to look out for which the software has not yet identified as malicious or which are unfamiliar to the system.

vpnMentor: What are the next developmental milestones for mailbox.org?

We have several integrations planned for improving our java XMTE services to provide real time communications to our customers and a better integration into the front end.

We are also working with some other ISP's on a better key exchange for PGP encryption.

At the moment, if you do not have the key of the recipient, you have to look out and find it on a public key server, but keys found online are not trustable. We are working on a system that can provide the public key in a transparent and automatically usable way. This will enable our clients to send encrypted emails even to unknown recipients.

In my opinion, it's the last missing part before PGP encryption or S/MIME encryption, which makes it absolutely usable without the need to know what you're doing. To me, the success of this move would be that all of my clients would have 100% encrypted email accounts, including both incoming and outgoing emails, and that nobody will ever have access to their plain-text emails.

vpnMentor: In your opinion, what trends can we expect to see in the world of email security in the next 5 years?

People will always try to develop something new. We've had several projects in the last few years that promised us new ways of communication which are similar to email in terms of usability, but are safer and more protected. Obviously none of these projects have succeeded so far and the root of the problem is the duality between the need to protect the sender's anonymity and the need to maintain the recipient's security.

Another trend is that a lot of ISP's are interested in providing better encryption. Awareness has risen tremendously in recent years and people are demanding the ISP's offer better encryption and improved services. This is encouraging news, because up until recently nobody even knew or cared that their data could be exposed. But obviously, there is still a lot to be done before we can regain our private lives on the internet.