by Henning Lindhoff
"Lawyers love faxing. We don't like e-mails that much; too unsafe," says Dr. Dominik Herzog, lawyer, cabaret artist and coach. "Instead of the unsafe e-mail, we wanted something safe, something personal." The result was the "special electronic lawyer's mailbox", "beA" for short.
Cost: 38 million euros. Originally planned launch: early 2016.
On December 23, 2017, however, it came to a temporary end: "We did not act with the necessary caution at all times and committed too quickly to a solution proposed by our technology service provider." With these words, Ekkehart Schäfer, President of the Federal Bar Association (BRAK), apologized to his colleagues.
Since 1 January this year, the 165,000 attorneys practicing in Germany have been obliged to use the beA. They have been paying an annual levy to the chamber for it since 2015. In addition, each law firm has to pay for the installation of the system.
But the system has serious shortcomings, which is why the BRAK took it offline. The reason was a considerable security hole: a certificate required for access was considered unsafe.
A piquant detail: only three days earlier, the Federal Constitutional Court had dismissed a lawyer's complaint against the legal obligation to use the beA (file number 1 BvR 2233/17).
Bold, then, was this statement in the BRAK letter of December 23rd: "No document sent via the beA was public; communication is always confidential and encrypted." There is no guarantee of this. Questions and complaints have kept mounting to this day.
This is because the lawyers have received no specific information from the chamber about the questionable security situation, not least from a legal point of view. They have to rely on the research of two members of the Chaos Computer Club.
Markus Drenger and Felix Rohrbach of the Chaos Computer Club's regional chapter in Darmstadt presented their analysis at the club's 34C3 congress in Leipzig at the end of December. The two computer scientists did not hack the beA software, however, but analysed only publicly accessible documents. Citing trade secrets, the beA supplier Atos had refused to provide them with further information. Yet even this look at what was accessible to everyone was enough to uncover considerable technical shortcomings:
For example, the system's own anti-spam protection slows down lawyers' work to the point that they can send a message to courts or colleagues only every 15 minutes. Messages larger than 30 megabytes cannot be sent at all. The greatest shortcoming, however, is the security infrastructure of the beA system.
Each message is encrypted on the sending lawyer's computer and sent to the central beA relay. There a module decrypts the message and encrypts it again for the recipient. For this purpose, the encryption keys of all attorneys are stored on the central beA servers. "End-to-end encryption looks different," commented Markus Drenger at 34C3, "because if the beA relay is hacked, all mails can be decrypted and read."
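The following model, added here as an illustration and not taken from the article, the 34C3 talk or the beA software itself, contrasts the two designs described above: a relay that holds every lawyer's key and re-encrypts in the middle, versus a relay that only forwards opaque ciphertext. The cipher is a deliberately simple SHA-256 keystream XOR for demonstration only, and the lawyers "alice" and "bob", their keys and the message are constructed sample values. The point it makes is the one Drenger raises: in the re-encrypting design, whatever an attacker can read on the server is the plaintext of every message passing through; in the end-to-end design, the server never holds anything but ciphertext.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Toy cipher (illustration only, not for real use):
# keystream = SHA-256(key || nonce || counter), XORed with the message.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext under the toy cipher."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class ReEncryptingRelay:
    """Models the beA design described in the text: the relay holds every
    lawyer's key, decrypts incoming mail and re-encrypts it for the recipient.
    `observed` is what an attacker who compromised the server would see."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys              # all lawyers' keys live on the server
        self.observed: List[bytes] = []

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        plaintext = decrypt(self.keys[sender], blob)   # decrypted in the middle
        self.observed.append(plaintext)
        return encrypt(self.keys[recipient], plaintext)


class OpaqueRelay:
    """Models true end-to-end encryption: the relay stores and forwards bytes
    it cannot decrypt, so a compromise yields only ciphertext."""

    def __init__(self):
        self.observed: List[bytes] = []

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        self.observed.append(blob)
        return blob


MESSAGE = b"constructed sample: confidential brief for the court"  # constructed


def run_relay_model() -> Tuple[bytes, List[bytes]]:
    """Sender encrypts to the server; server re-encrypts for the recipient."""
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    relay = ReEncryptingRelay(keys)
    delivered = relay.forward("alice", "bob", encrypt(keys["alice"], MESSAGE))
    return decrypt(keys["bob"], delivered), relay.observed


def run_e2e_model() -> Tuple[bytes, List[bytes]]:
    """Sender and recipient share a key the server never holds."""
    pairwise_key = secrets.token_bytes(32)   # known only to alice and bob
    relay = OpaqueRelay()
    delivered = relay.forward("alice", "bob", encrypt(pairwise_key, MESSAGE))
    return decrypt(pairwise_key, delivered), relay.observed


if __name__ == "__main__":
    _, seen = run_relay_model()
    print("re-encrypting relay observed:", seen[0])
    _, seen = run_e2e_model()
    print("opaque relay observed (hex):", seen[0].hex())
```

Both models deliver the message correctly to the recipient; the difference is only in what the relay can observe, which is exactly the property the word "end-to-end" is supposed to guarantee.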
His colleague Felix Rohrbach reported further details of the software, for which the manufacturer Atos had collected 38 million euros. For example, individual open source components of the software have not been maintained since August 2015.
Whether and, if so, when the special lawyer's mailbox can be put back into operation remains unclear. Markus Drenger conceded that the vulnerabilities could not be fixed within three to four months.
Meanwhile, the Federal Bar Association (Bundesrechtsanwaltskammer) drew a first consequence and stopped payments to the software service provider Atos at the end of December.
Apart from the financial blow, trust in the Federal Bar Association has been shaken. After all, nothing less than professional secrecy is at stake, and with it an important piece of the rule of law.
Ekkehart Schäfer and his colleagues know that. They have declared war on the lack of transparency that has all too often prevailed. In addition to external experts of all kinds, they now also want to involve the Federal Office for Information Security (BSI) in further development. An expert opinion is to be made publicly available at a later date. The Chaos Computer Club's reaction is already eagerly awaited.