Certificate classified as insecure
Over 11 million Euros in development costs have accrued since the German Federal Bar Association (BRAK) awarded the development contract for the new beA communication solution in November 2016. However, a secure, usable solution still does not exist.
A certificate required to gain access has been classified as insecure, as stated on the beA web application. However, the list of shortcomings is much longer, according to IT security experts who are becoming vocal about it:
- End-to-end encryption cannot be guaranteed. Additionally, it is only possible to send email attachments of up to 30 Mbytes in size to a court or lawyer, because the beA is linked to the EGVP (Electronic Account for the courts and the authorities) infrastructure. A further email can only be sent 15 minutes or more after that. Typical court paper bundles exceed 500Mb in size. The mail sent to the beA distributor is decrypted by a hardware security module (HSM) and re-encrypted for the target recipient. The HSM could even redirect an email to other attorneys if the target address is overloaded, and these could be any of the attorneys registered in the system, using registered private keys.
- Improper distribution of private keys and certificates
- Cross-site scripting vulnerabilities that could lead to a takeover of the entire web application
beA platform to go live when errors are repaired
"BRAK will only provide the beA web application once the beA platform developer has completely resolved the errors and can guarantee secure access". When will that be? The question remains unanswered until further notice. At the beginning of March, an announcement was made on the EDP court day that lawyers could use the EGVP Classic Client until May 2018. This is an electronic communication infrastructure for the encrypted exchange of documents and files between authenticated participants.
Alternatively, De-Mail can also be used. However, setting up such a mailbox can take several weeks. In Germany, all courts are required to maintain a De-Mail mailbox, which they must publish in a public directory. However, malfunctions can occur here as well - court addresses from a certain provider could not be found. This in turn can lead to considerable delays in mail traffic and data exchange. This is a difficult situation because courts need to provide justification as to why case deadlines are not being met, and these delays cost time and money.
Another question remains, even if beA should ever work for lawyers in Germany: how do they communicate on an international scale? Legal disputes do not stop at national borders. How can German lawyers exchange confidential information electronically with foreign experts, clients and witnesses?
End beAGate with Cryptshare
Digital file exchange with Cryptshare is more secure, faster and easier – it is especially convenient and can be used across all national borders, in multiple languages and with powerful data classification capability. The communication solution enables the secure exchange of confidential data, intellectual property, messages and metadata without restrictions on file sizes or formats. It also offers full traceability and several interfaces to archiving systems and malware protection.
BRAK has already incurred costs of 38 million Euros for the development of a malfunctioning communication solution. Whether the lawyers are prepared to pay for a system that does not work remains to be seen. We recommend considering the implementation of an established communication solution such as Cryptshare, which is already used for handling legal files for the courts in several other European countries. The costs are plannable and calculable, as opposed to continuing to rely on a bottomless pit.