The special electronic lawyer mailbox (beA)
The “besonderes elektronisches Anwaltspostfach” (special electronic lawyer mailbox, or beA) is a program, required by German law to be used by lawyers in their communication, designed to ensure secure file transfer between client, lawyer and court. But significant flaws in the usability and security were found in the software. Read the full story here and find out which alternative lawyers can use now.
The beA and its creators
After considerable initial difficulties, beA is now in operation. Since September 3. 2018, the software is online – again, after it had to be taken off the network due to a lack of security, in its’ initial launch.
One of the reasons for developing this mailbox was to facilitate a nationwide communication between the approximately 164,000 lawyers, their clients, the approximately 300,000 employees of lawyers and the courts. On the other hand, beA is supposed to ensure that important messages are delivered more reliably and faster than via mail, letter or fax. At the latest by the year 2022 pleadings are to be exclusively submitted electronically to courts.
In October 2014, the internationally operating company Atos IT Solutions and Services GmbH was commissioned by the German Federal Bar Association (BRAK) to develop the beA. The top priority in the development was to provide the software with a high level of information security and ease of use. In the year 2016, the conditions should have been met to make the mailbox available to lawyers. However, at the end of November 2015, the provision of the beA was postponed to September 29, 2016 due to a lack of user-friendliness.
Two lawyers from Berlin and Cologne caused a further delay in activation. The electronic mailbox had been completed to date. But those two lawyers, however, obtained an interim disposal. It obligated BRAK not to release the beA for lawyers, who had not yet given their expressed consent. Only after further technical obstacles were eliminated, the beA software could go live for the first time on November 28, 2016.
Security vulnerabilities and insufficient encryption
Surprisingly, the beA had to be disconnected on December 22. 2017, just nine days before the start of the passive obligation to use it. The reason for this further delay was a certificate that is required for access. This certificate was classified as insecure and had to be closed immediately.
This circumstance resulted in a safety inspection prescribed by the Federal Office for Security and Information Technology (BSI) by the certified expert company secunet AG. While many lawyers had already followed the development of beA with critical scrutiny since the beginning, the project now had to withstand even more headwinds.
In fact, the beA’s technical infrastructure is designed that encrypted messages are routed from the sender to the data center, where a "transcoding" process (i.e. decrypting and re-encrypting with a different key) is conducted and the message is then forwarded to the recipient. The main issue with this form of data delivery is that it constitutes a starting point for attackers. You just cannot be sure that the data received is still the exact same as originally sent. Additionally, no one can rely on the contents not being read out by third-parties. “Transcoding” means that the data is unencrypted for a moment – therefore, briefly unprotected. This conversion might be done in a special (protected) hardware module, but this ultimately only makes the attack slightly more difficult and is by no means a guarantee that an attack is no longer possible.
Critics see this process endangering the lawyer client privilege and therefore call for a retrofitting with an end-to-end encryption (E2EE). This actually represents a simple technical solution, since E2EE belongs to the current security standard and is already used by many well-known companies and messenger services such as Telegram or WhatsApp.
The (approx.) 90 pages report was finally submitted to the BRAK on June 20, 2018. It turned out that the insecure certificate was just the tip of an iceberg. Further analysis revealed that encryption privacy could not be fully achieved. A penetration test also resulted in a total of 36 errors, four of which were classified as "critical operating errors". In an extraordinary conference of presidents, the presidents of the 28 bar associations were forced to decide to launch the beA once more in a two-stage process.
First, Client Security was made available for download on July 4. 2018. With the Client Security a first registration at the beA was made possible again. In the second step, all the necessary vulnerabilities, which prevented a re-launch, were eliminated. The elimination of the remaining technical errors is supposed to take place during operation. This includes the implemented Hardware Security Module (HSM). According to the reviewers, this would not be necessary anymore, if the cryptographic possibilities were to be fully exploited.
The current status of the beA
The beA is now in operation again since September 3. 2018, and provides each lawyer with an automatically equipped electronic mailbox.
However, lawyers have already spotted a gap on September 4. 2018, where it is possible to see the status of the messages in the mailbox of a lawyer on the other side. Due to the existing passive use obligation, messages in the mailbox of lawyers, who have not yet registered for the beA apply as delivered, regardless of whether they have already read the message or not. This could lead to legal disadvantages for clients, should deadlines expire.
Encrypted file transfer - Whisply as a safe alternative to the beA
If you now prefer not to rely solely on beA for securely exchanging files with clients and colleagues, the Whisply web application is a safe alternative. With Whisply it is very easy to send files from the browser using state-of-the-art end-to-end encryption using an AES-256 encryption.
Whisply allows you to add additional security layers on top of every file transmitted. For example, it is possible to send the recipient a web link, which self-destructs after a specified amount of time, so only the recipient may download the file and the download link loses its’ validity. For further security you can protect the link using a PIN or a password. Simply send the link and PIN (or password) via two different channels (for example via email and SMS) to ensure the highest level of security.
Whisply enables secure files transfer between lawyer and client without having to actively use the beA.
Looking for secure file transfer? Let us introduce Whisply
In addition to securely storing your data you sometimes need to transfer files securely to non-Boxcryptor-users? Have a look at Whisply! Whisply is our service for end-to-end encrypted file transfer. It is available to all Boxcryptor users - and files can be send securely to non-Boxcryptor-users, too. Get more information on Whisply and start sending files securely today.