European Webmail Privacy: Even Worse Than I Thought


I've been critical of the claim that European privacy law offers more protection against government surveillance than American law. Apparently not critical enough. An Ars Technica reporter with a pro-privacy inclination decided to seriously investigate using a German email system to get the benefits of European privacy law.

His tale of disillusionment revealed three privacy deficits in European law that even I hadn't noticed when I trashed the myth of European privacy superiority. First, unlike their US counterparts, German email providers are unable to issue transparency reports of the sort that US companies have been publishing:

"German law forbids providers to talk about inquiries for user data or handing over user data," Löhr added. "We are currently investigating a possible way with our lawyer to issue a transparency report about questions from police like Google, Microsoft, and [many] other US providers do, but we can not promise we will be able to do so. We try hard." Indeed, the German Telecommunications Act of 2004 (PDF) states very clearly, "The person with obligations shall maintain silence vis-à-vis his customers and third parties about the provision of information." In other words, German communications services would be under a gag order by default.

Of course, given their other disadvantages on the government-privacy front, maybe European providers aren't exactly eager to issue transparency reports. For example, in the US, authorities have to get a specific “gag” order to prevent subscribers from getting notice that their mail has been seized; while gag orders are common in the US, they often expire after a time and can usually be challenged. It appears that Europe simply doesn't make disclosure an option. Silence, not disclosure, is the law's default.

[A]n American provider could notify its...

To continue reading