beA – sure, but safe!
The GFF takes the German Federal Bar Association to court over safety standards for the mandatory special electronic attorney mailbox (beA)
Together with an initiative started by attorneys, GFF has filed a lawsuit against the Federal Bar Association (Bundesrechtsanwaltskammer, BRAK) over security deficiencies in a mandatory electronic mailbox system for attorneys.
Since January 1, 2018, lawyers have been obliged to keep a “special electronic attorney mailbox” (besonderes elektronisches Anwaltspostfach, beA) available for communication with courts and authorities as well as among each other. This mailbox system is supposed to be encrypted, keeping the data safe.
In December 2017, IT security experts at the Chaos Computer Club (CCC) uncovered serious security gaps that forced the BRAK to take the beA offline: They discovered that encryption could be lifted on a central server so that all messages could be recorded. Thus, the messages are not continuously secure on the way from sender to recipient. The BRAK reactivated the beA on September 3, 2018. With its lawsuit, filed with the Berlin Bar Court on June 15, 2018, GFF therefore intends to enforce end-to-end encryption.
beA is a danger to lawyers' professional secrecy
In its current form, beA poses a threat to a central pillar of the rule of law: professional secrecy of lawyers. People who entrust themselves to a lawyer must be sure that no one else can access their electronic communication, i.e. that their messages remain confidential. The same applies to companies' trade secrets, since in-house lawyers are equally obliged to use the technologically unsafe beA.
Among the plaintiffs are Stefan Conen, Chairman of the Berlin Association of Criminal Defenders; Karl Jägen, lawyer and legal adviser; Prof. Dr. Remo Klinger, lawyer; Christoph R. Müller, lawyer; Daniel Rink, lawyer and legal adviser; Michael Schinagl, lawyer and Halina Wawzyniak, lawyer and former Member of the Bundestag.
The GFF's commitment
The GFF coordinates the legal action brought by the attorneys before the Bar Court of Berlin, with the aim of obliging the BRAK to introduce end-to-end encryption. The Bar Court had already stopped the beA in 2016 because it lacked a legal basis (AGH Berlin, decision of June 6, 2016 – II AGH 16/15 (in German)). Now the issue is to ensure that the beA complies with the legal requirements created in response to that decision. An application for interim measures to prevent the beA from restarting in September 2018 did not seem appropriate to the plaintiffs.
When protecting sensitive personal data of clients, there must be no half-baked solutions and no quick fixes. Data protection and data security take precedence.
- The complaint is supported by an extensive publicity campaign. You can access our campaign page here.
- Plaintiffs are currently writing their reply to the respondents’ brief in opposition.
- Click here for the press release on the lawsuit of Sept. 3, 2018 (in German).