As of this week, German lawyers are required to use an electronic communication tool designed especially for them: the special electronic lawyers’ mailbox (besonderes elektronisches Anwaltspostfach or beA). The problem is that the beA is inherently insecure, so it seems better to avoid using it. This would include, if possible, not litigating before a German court if there’s a chance that the opponent or the court might use the beA in the proceedings. This seems all the more appropriate where there is a risk of snooping or foul play by the opponent or third parties, or where the stakes are high – and when aren’t they?
The beA is a communication system under the aegis of the German Federal Bar Association (Bundesrechtsanwaltskammer or BRAK). Its purpose is to enable encrypted electronic communication between lawyers, and between lawyers and German courts or judicial authorities.
In principle, this is a very good idea. No lawyer wants to dodge electronic communication, but in and of itself electronic communication isn’t very secure. This is relevant because lawyers deal with people’s and companies’ know-how, trade secrets, internal affairs, even dirty laundry. The handling of these things by lawyers is privileged, and this is why lawyers are under the strict professional duty to keep their clients’ information confidential and secure.
In other words, there’s a real need for secure, encrypted electronic communication for lawyers. Yet German lawyers haven’t welcomed the beA with open arms. Their reasons are manifold; a few colleagues have even taken their issues to court. Of course.
Indeed the beA is an error-prone monstrosity conceived by too many amateurs and too few experts. The debate about it has been raging in the German legal world for years, since before it was first launched. There are so many deficiencies, it’s not funny. But its main flaw is that it isn’t secure. It hasn’t been since its inception. As such, it defeats its main purpose.
Bad Starts, Repeatedly
The beA was first launched in 2016, and a plethora of shortcomings and security flaws surfaced immediately. It simply wasn’t state of the art. As a result, hardly anyone was using it, because why would they.
However, statute decreed 1 January 2018 as the official starting date for the duty to use it, if only passively. Passively means: whatever gets sent to a lawyer’s beA since the starting date has to be taken note of by this lawyer. Think summons, court orders, written pleadings by your opponent’s legal counsel, things like that.
So 1 January 2018 was the day. But as it happened, in late December 2017 the operators switched off the beA. Even more severe defects had surfaced. So severe were these that the operators decided they couldn’t unleash the beA on the (not so) unsuspecting German legal profession.
The details would call for a separate blog or two. I shan’t go into these here. Today I’d like to address a particular, unresolved security issue.
Because since 3 September 2018 the beA has been back online. Thus, since then the statutory duty of all German lawyers to use it, at least passively, has been in effect. But unfortunately, not all grave security defects have been remedied. As I said, the beA is still insecure. By all appearances, this won’t be corrected any time soon.
Here’s what I mean.
Insecure Communication
Electronic communication with a lawyer needs to be secure. Communication is secure when two entities are communicating and no third party is able to listen in. For that they need to communicate in a way not susceptible to eavesdropping or interception.
This is where the encryption of beA communication shows its weakness. There’s the rub.
The beA runs as a web application based on JavaScript. The application loads onto the lawyer’s local PC from a server of the German Federal Bar Association (the BRAK server). It then communicates with the client software which the lawyer must install on that local PC. Ironically, the name of this software is Client Security.
Why isn’t this secure?
It isn’t secure because while each message is encrypted with a lawyer’s personal signature, once it reaches the BRAK server it gets decrypted and re-encrypted before it’s sent on to the recipient. Put another way, the beA doesn’t provide for end-to-end encryption between German lawyers and their communication partners. Instead, it works through end-to-middleman encryption, followed by middleman-to-end re-encryption.
Sounds like a bug, but it’s a feature. Officially, this is to allow the forwarding of messages to other authorised persons later. I’m not the only one who asks why we need a middleman for that, but I guess ‘other authorised persons’ is telling. There’s a name for something like this: backdoor.
The Creature That Defeats Its (Official) Purpose
To put it simply: persons officially authorised – whatever this may mean – could gain access to privileged communication between a lawyer and a client. I’m not cool with that.
In addition, someone with unauthorised access to the BRAK server could alter the JavaScript web application which communicates with a lawyer’s Client Security. For example, the application could be modified so that it forwards messages to third parties as soon as they are decrypted. This wouldn’t be access through the backdoor; this would be a hack, perhaps even from inside. The thing is, we have reasons to question the German Federal Bar Association’s ability to secure its IT infrastructure against that.
The beA infrastructure is susceptible to eavesdropping or interception. It’s hard not to see this as an invitation to attempt industrial (or similar kinds of) espionage when one gets the chance. All one needs is the right company in the right legal wrangle.
What to Do?
One technical solution would be to run all beA software locally, which means on the devices of the participants alone. Like, how WhatsApp does it. Or Telegram, or Threema, or pretty much every modern messaging application out there. Or, for donkey’s years now, how PGP does it with e‑mail. Yes, e‑mail, that old Internet workhorse.
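To make the difference between the two designs concrete, here is an added Python model (not beA or BRAK code; the HMAC-based stream cipher is a stand-in, not the beA’s actual cryptography). In the middleman design described earlier, the relay decrypts and re-encrypts, so whoever controls it holds every plaintext; with keys that live only on the participants’ devices, the same relay forwards nothing but ciphertext.

```python
import hmac, hashlib, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode as keystream, XORed
    # onto the data. Confidentiality only; a real system also needs
    # authentication (an AEAD), which this model deliberately omits.
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)          # fresh nonce per message
    return nonce + keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])

class Hub:
    """Hypothetical relay server; `keys` maps participant -> key shared with the hub."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.observed = []   # everything a party controlling the hub gets to see

    def relay_reencrypt(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # End-to-middleman model: the hub must decrypt to re-encrypt,
        # so the plaintext necessarily passes through its hands.
        plaintext = decrypt(self.keys[sender], blob)
        self.observed.append(plaintext)
        return encrypt(self.keys[recipient], plaintext)

    def relay_opaque(self, blob: bytes) -> bytes:
        # End-to-end model: the hub holds no message key and forwards bytes as-is.
        self.observed.append(blob)
        return blob

MSG = b"privileged: settlement floor is EUR 1.2m"   # constructed sample message

def demo_middleman():
    k_a, k_b = secrets.token_bytes(32), secrets.token_bytes(32)
    hub = Hub({"lawyer_a": k_a, "lawyer_b": k_b})
    received = decrypt(k_b, hub.relay_reencrypt("lawyer_a", "lawyer_b", encrypt(k_a, MSG)))
    return received, hub.observed          # hub.observed contains MSG in clear

def demo_end_to_end():
    k_ab = secrets.token_bytes(32)           # key known only to the two lawyers
    hub = Hub({})
    received = decrypt(k_ab, hub.relay_opaque(encrypt(k_ab, MSG)))
    return received, hub.observed          # hub.observed holds only ciphertext
```

Both variants deliver the message intact; the only difference is what the relay operator, or anyone who compromises the relay, can read.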
But that would mean a structural change of the beA, a change of its conception. With a view to the genesis of the beA, it should be clear that this won’t happen so quickly.
Another, behavioural solution is, well, to avoid using the beA, as long as it’s insecure as described. After all, there are other secure means of electronic communication out there.
The Performance of One’s Duty
But aren’t I a German lawyer? Aren’t I under the statutory duty to use the beA at least passively? Yes, I am. I need to take note of whatever gets sent to my beA. I can’t get around that. No German lawyer can.
My German peers and I must check our beAs, in case someone sends us a message there. Fortunately, there’s an e‑mail notification function for that (which awaits field testing though). At the same time we are sworn to confidentiality, not just passively, but actively. We have to make sure our communication with and about clients and their matters is sufficiently secure.
At this time the ironclad solution for German lawyers to comply with all their professional duties seems to be to have the beA available, but to avoid using it. This would include not litigating in a German court, if possible, especially if there’s reason to believe the opponent or the court will use the beA in the proceedings. This seems all the more indicated where the stakes are high, or where there’s a risk of snoopery and foul play by opponents or third parties.
The Secure Alternative
There is of course a means of resolving a legal dispute where privacy and confidentiality may remain paramount and protected. Where the parties are free to use other, more secure means of communication than the beA. Where they may compel their counsel and the dispute resolvers to do the same. I’m talking, of course, about private arbitration.
I’m sure the people behind the beA didn’t aim to promote arbitration or other methods of alternative dispute resolution when they created the beA. Then again, they didn’t aim for a lot of things to happen.
To arbitrate, the parties to a legal dispute have to agree to do so, either before or after the dispute has arisen. In Germany, they might be more positive about that now, seeing which ways confidential communication may go through the beA.