PROJET AUTOBLOG


Free Software Foundation Europe

source: Free Software Foundation Europe


Organisations and legal professionals demand: the special electronic lawyers' mailbox (besonderes elektronisches Anwaltspostfach) must become Free Software

Friday 19 January 2018 at 00:00

Following the disclosure of security vulnerabilities and considerable technical defects, the special electronic lawyers' mailbox (besonderes elektronisches Anwaltspostfach, beA) has lost the trust of legal professionals and clients. Today the Free Software Foundation Europe (FSFE), together with three other well-known civil society organisations and 21 legal professionals, is sending its open letter with recommendations and demands to the commissioning body, the German Federal Bar Association (Bundesrechtsanwaltskammer, BRAK).

Although the project, which has cost 38 million so far, claims to offer secure end-to-end encrypted communication in legal correspondence, it became public by the end of 2017 at the latest that it suffers from acute security flaws and fundamental design errors. A security audit from 2015, which has been kept secret to this day, evidently did not lead to sufficient improvement either.

The signatories of the demands, who besides the FSFE are the Chaos Computer Club, Digitalcourage, The Document Foundation and a large number of legal professionals who are active and well known across Germany, therefore expect the following from the BRAK:

- publication of the past and future development of the beA software under a common Free Software licence,
- public audits of the entire program code by independent IT security researchers,
- compatibility of the software with all current operating systems (including GNU/Linux, Windows and MacOS).

Without these prerequisites, trust in the software, and thus in the whole project, can no longer be salvaged. Clients expect confidential communication, and legal professionals need it in order to fulfil their professional duty of confidentiality. The signatories also note that the secrecy surrounding the software and the security audits so far has, in this case too, done IT security more harm than good. Instead, established Free Software components and a transparent process should have been relied on from the start.

The FSFE also demands, in its campaign "Public Money, Public Code", that Free Software must in general be the standard for public digital services. The campaign has already been signed by more than 16,000 people and more than 100 organisations and institutions, including the city of Barcelona.

Support FSFE, join the Fellowship
Make a one time donation

How the special electronic lawyers' mailbox (beA) can still be saved

Thursday 11 January 2018 at 00:00

The special electronic lawyers' mailbox (besonderes elektronisches Anwaltspostfach, beA) was supposed to enable encrypted communication with and among lawyers from the beginning of 2018. However, numerous security vulnerabilities mean that the service has to remain offline for the time being. The Free Software Foundation Europe recommends that the commissioning body, the German Federal Bar Association (Bundesrechtsanwaltskammer, BRAK), restore lost trust by publishing the program code under a Free Software and Open Source licence.

Numerous scandals and a questionable understanding of security characterise the project, which has been in development for several years. Lawyers are in fact required to be reachable through this software since 1 January 2018, but because of security vulnerabilities that became known, the platform has been switched off for an indefinite period. For example, users' encrypted connections were undermined not only to the beA but also to all other websites. Above all, however, the end-to-end encryption, which is supposed to be the main feature of the software, is fundamentally at risk, because the Federal Bar Association apparently has access to all private keys and therefore to the supposedly confidential messages of its lawyers. It is to be feared that further security vulnerabilities exist because of the use, which has also become public, of numerous long-outdated and vulnerable components.

Although a security audit by a commissioned company took place as early as 2015, the scope and result of which have not been published to this day, the full extent of the faulty programming has only recently become known. The project, which has cost lawyers about 38 million euros so far, has thereby already forfeited the trust placed in it. Given the numerous flaws, the confidentiality of the messages sent can no longer be guaranteed, and this at a time when use of the software becomes mandatory from 2022 for all document exchange with courts.

Free Software as the foundation for the future

There is no doubt about the numerous problems of the special electronic lawyers' mailbox. But instead of continuing to leave its members in the dark and excluding independent security researchers, the Federal Bar Association should now publish the entire software under a Free Software and Open Source licence and make the further development process transparent. Only in this way can the shaken trust of the users, that is, of all lawyers, authorities and courts, slowly be restored. Disclosing the program code enables independent IT experts to report potential security vulnerabilities at an early stage so that they can be fixed; that keeping the source code and the commissioned audits secret does not lead to the desired result has now been proven once again.

In any case, it is questionable why the project did not rely from the outset on existing software components that are available under a Free Software licence. For encrypted e-mail, for example, there is the established and widely audited GnuPG, which integrates seamlessly into mail programs such as Thunderbird. Special requirements, such as encrypted forwarding to deputies and assistants, could also be published as Free Software on this basis and enjoy the same benefits of transparency. The FSFE shows why Free Software should in general be the standard for public digital services in its current Public Money, Public Code campaign.

Regardless of whether the Federal Bar Association decides on a completely new development of the software or on substantial improvements to the current solution, publication under a free licence is indispensable in order to save the project at all and to meet security expectations.

Are you a lawyer and want the beA to become Free Software? Please get in touch with us.


FSFE Newsletter - December 2017 / January 2018

Tuesday 19 December 2017 at 00:00
2017: A year full of Free Software

The Free Software Foundation Europe looks back on a very exciting year. While on one hand we managed to take our regular campaigns like I love Free Software and Ask Your Candidates to a new level with extraordinary activities, we also started three new major activities this year that will keep running in 2018 and beyond. These are Public Money Public Code, Save Code Share and the Reuse Initiative.

In the legal field we held the 10th Legal and Licensing Workshop and updated the Fiduciary Licence Agreement to version 2.0. In the technical field, we set up new tools for our community and (co-)developed new tools for our campaigns. All of them are Free Software, of course.

2017 was also a very good year for our outreach. Our community attended 75 events in 11 countries with talks, workshops and booths. In our Berlin office we have welcomed six interns from six different European countries, and our message keeps spreading with new merchandise items and promotional material.

As a result of our joint efforts, we have seen growth in many sectors: in funds, in media attention, and in our community, with the latter being the most important point. The Free Software Foundation Europe could not pursue its mission without the people that make up our community and spread our message. This is a big thank you to all of you: the countless volunteers, supporters and donors who were part of or who made the work of FSFE possible in 2017. Your contributions are priceless and we are doing our best to keep the good work going in 2018!

If you are interested in more details about our activities in 2017, read our yearly report. If you like what we are doing, join the FSFE as a supporter and help us to continue our work for Free Software!

Participants at the FSFE community meeting 2017.

Help us grow and make a difference in 2018

What else have we done? Inside and Outside the FSFE

- Part of a new copyright proposal currently discussed by the European Union is Article 13, which imposes the installation of arbitrary upload filters on every code hosting and sharing provider. Together with over 80 organisations, the FSFE called on the EU member states to reject the harmful Article 13 and to Save Code Share.
- The Dutch government released the source code and documentation of "Basisregistratie Personen", a 100 million Euro IT system that registers information about inhabitants within the Netherlands. The FSFE applauds the Dutch government's move towards releasing publicly financed code as Free Software.
- Max Mehl, project manager of the FSFE, explains the current status of the FSFE's work on the proposed European Radio Lockdown. While the FSFE was not accepted as a member of the committee which assists the European Commission with drafting the delegated acts, we keep raising our demand to save users' rights and Free Software, backed by more than 50 civil society organisations.
- The FSFE submitted its response to the public consultation on the Directive on the re-use of public sector information. In our response we argue that source code needs to be added to the list of 'documents' that governments and other public bodies need to make available for re-use in an open and machine readable format. When it comes to publicly financed software, it should be released to the public under Free Software licences.
- Thanks to April, the French Free Software association, we now have a French translation of our "Public Money? Public Code!" campaign video.
- Erik Albers wrote a report of the FSFE's community meeting and the common spirit with some pictures (http://blog.3rik.cc/2017/12/report-about-the-fsfe-community-meeting-2017/).
- Earlier this year, after a public consultation, we took the decision to change the name of our supporter program, the Fellowship of the FSFE, and talk about our supporters by their true name: Supporters. At the same time as we're completing this change, we're also decommissioning our old Fellowship SmartCard in favor of a brand new FSFE supporter patch.
- Matthias Kirschner, President of the FSFE, argues in a blogpost, as a reply to Scott Peterson from Red Hat, that the terms "Open Source Software" and "Free Software" refer to the same kind of software and differ only in their emphasis, and that it is challenging to impossible and maybe even unnecessary to find a "neutral" term.
- Jonas Öberg, Executive Director of the FSFE, introduces the FSFE's forms API in a blogpost, a way to send emails and manage sign-ups on web pages used in the FSFE community.
- Daniel Pocock, community representative of the FSFE, shared a picture of the fixme.ch hackerspace in Lausanne which promotes the FSFE.
- Michael Kappes blogs about a group of supporters from the Berlin local FSFE group who went to the FIfF-Konferenz in Jena to set up a booth for the FSFE.
- Björn Schiessle, German team co-coordinator, blogs about how to achieve practical software freedom in the cloud.
- We welcome our new associate: Open Labs, Albania.
- FSFE has a new t-shirt celebrating the 100 freedoms of Free Software. Also, we have a lot of other nice shirts and merchandise in our online shop - for Christmas or for any other reason.
- Thanks to our growing community and the big demand by people around the world to spread the word about the FSFE and Free Software, we are looking for an office assistant as a part-time job to help us with packing and posting.
- In 2018, again, we are looking for students who can join our team in Berlin for three months or more as a mandatory part of their studies or before graduation.

Do not miss it! Upcoming events with the FSFE

As in recent years, the FSFE will be present with an FSFE assembly at the Chaos Communication Congress, one of the biggest technology related events in Europe. The assembly will be equipped with current merchandise and promotional material, run a Free Software track, invite people to play a Free Software game or to join us in several Free Software song sing-along sessions. After all, the assembly shall be a place for our community to get together and connect with each other. If you are attending Chaos Communication Congress too, use this opportunity to meet and get to know the people behind FSFE, including volunteers and staffers.

As usual, find all the other future events with or by the FSFE listed on our events page.

Get Active

Use the vacation time to read our yearly report and share it among your friends. Let people know about the importance of Free Software and why they should care about it. Tell them that people around the world form communities with the aim to bring technological freedom, transparency, knowledge and emancipation to everyone. Spread the word about the four freedoms and if possible, help others to exercise their freedoms too. Join our cause.

Contribute to our newsletter

If you would like to share any thoughts, pictures, or news, send them to us. As always, the address is newsletter@fsfe.org. We're looking forward to hearing from you!

Thanks to our community, all the volunteers, supporters and donors who make our work possible. And thanks to our translators, who enable you to read this newsletter in your mother tongue.

Your editor, Erik Albers


FSFE releases refreshed set of REUSE practices and a tool to help developers comply

Tuesday 19 December 2017 at 00:00

The REUSE Initiative has received an updated set of practices that simplify the process of declaring copyright and licence information. To help developers update their projects, the FSFE has also published a tool that verifies whether a project is compliant.

Copyright and licensing are difficult. Finding out the exact copyright and licence of a piece of code is oftentimes more difficult than it should be. Missing or scattered licence information makes it very labour-intensive to verify whether you can legally use a piece of code. For a thorough legal review, you have to manually check every file for licence information, and every file has a different way of declaring its copyright and licence.

But what if we could automate this? That is what the REUSE Initiative postulates. By defining a standard for copyright and licence declaration, the legal process of complying with licences becomes a lot easier. Simply add a standard, computer-readable header tag to every file, and extracting the licence information should be as simple as running a parser.

Earlier in October, we released a set of practices towards that end. Now, we have updated those practices to streamline them. To accompany the streamlined practices, we have published a tool for developers to check whether they comply with our recommendations.

The primary change between the old version and the new is that you no longer need to declare two tags; only one. 'License-Filename' has been deprecated, and instead its functionality has been rolled into 'SPDX-License-Identifier'. This is more in line with existing projects, and is less effort to boot.
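To illustrate what "running a parser" over such header tags can look like, here is an added Python example (not the FSFE's published tool and not code from the original article). It reports each file's 'SPDX-License-Identifier' value and flags files that have no tag or still carry the deprecated 'License-Filename' tag; reading only the first 4096 bytes, treating NUL-containing files as binary, and the sample project tree are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# The two tag names come from the article; all other names are assumptions.
SPDX_TAG = re.compile(r"SPDX-License-Identifier:[ \t]*([^\r\n]+)")
OLD_TAG = re.compile(r"License-Filename:[ \t]*\S+")
COMMENT_CLOSERS = ("*/", "-->")  # may trail the tag on the same line
HEADER_BYTES = 4096              # assumption: tags sit near the top of a file


def scan_file(path):
    """Classify one file by the licence tags found in its header."""
    with open(path, "rb") as fh:
        raw = fh.read(HEADER_BYTES)
    if b"\0" in raw:  # binary file: cannot carry a comment header
        return {"status": "binary", "licenses": [], "deprecated": False}
    header = raw.decode("utf-8", errors="replace")
    licenses = []
    for match in SPDX_TAG.finditer(header):
        expr = match.group(1).strip()
        for closer in COMMENT_CLOSERS:
            if expr.endswith(closer):
                expr = expr[: -len(closer)].strip()
        if expr:
            licenses.append(expr)
    return {
        "status": "ok" if licenses else "missing",
        "licenses": licenses,
        "deprecated": OLD_TAG.search(header) is not None,
    }


def scan_tree(root):
    """Map each file's relative path to its scan result, skipping .git."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): scan_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and ".git" not in p.parts
    }


def non_compliant(report):
    """Files a reviewer must look at: no tag, or the deprecated tag."""
    return sorted(name for name, r in report.items()
                  if r["status"] == "missing" or r["deprecated"])


# Constructed sample project, not taken from any real repository.
SAMPLE = {
    "src/main.c": b"/* SPDX-License-Identifier: GPL-3.0-or-later */\nint x;\n",
    "tools/build.sh": b"#!/bin/sh\n# SPDX-License-Identifier: MIT\n",
    "docs/index.html": b"<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->\n",
    "lib/old.py": b"# License-Filename: LICENSES/GPL-3.0.txt\nprint('x')\n",
    "lib/util.py": b"print('no header')\n",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00",
}


def build_sample_tree(root):
    for name, data in SAMPLE.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        report = scan_tree(tmp)
        for name, result in report.items():
            print(f"{name}: {result}")
        print("needs attention:", non_compliant(report))
```

The list returned by `non_compliant` can serve as a gate in continuous integration, so that files with unknown licensing are caught before they enter a release.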

Complying with the REUSE recommendations is very simple. Why not give it a spin? We would love to hear from you.


Radio Lockdown: Current Status of Your Device Freedom

Tuesday 12 December 2017 at 00:00

For more than two years the Free Software Foundation Europe has worked on the issue of Radio Lockdown, introduced by a European directive which may hinder users from loading software on their radio devices like mobile phones, laptops and routers. We have informed the public and talked to decision makers to fix critical points of the directive. There is still much to do to protect freedom and IT security in our radio devices. Read about the latest proceedings and the next steps.

In 2014, the European Parliament passed the Radio Equipment Directive which, among other regulations, makes vendors of radio hardware responsible for preventing users from installing software which may alter the devices' radio parameters to break applicable radio regulations. While we share the desire to keep radio frequencies clean, the directive's approach will have negative implications on users' rights and Free Software, fair competition, innovation and the environment – mostly without equal benefits for security.

[R]adio equipment [shall support] certain features in order to ensure that software can only be loaded into the radio equipment where the compliance of the combination of the radio equipment and software has been demonstrated. – Article 3(3)(i) of the Radio Equipment Directive 2014/53/EU

This concern is shared by more than 50 organisations and businesses which signed our Joint Statement against Radio Lockdown, a result of our ongoing exchange and cooperation with the Free Software community in Europe and beyond.

The Radio Equipment Directive was put in effect in June 2017, but the classes of devices affected by the controversial Article 3(3)(i), which causes the Radio Lockdown, have not yet been defined. This means the directive doesn't concern any existing hardware yet. The definition of what hardware devices are covered will be decided on by the European Commission through a delegated act and is expected to be finished at the earliest by the end of 2018.

The Commission shall be empowered to adopt delegated acts in accordance with Article 44 specifying which categories or classes of radio equipment are concerned by each of the requirements [...] – Article 3(3), paragraph 2 of 2014/53/EU

However, that list is already being prepared in the Expert Group on Reconfigurable Radio Systems, a body of member state authorities, organisations, and individuals whose task is to assist the European Commission with drafting the delegated acts to activate Article 3(3)(i). The FSFE applied to become a member of this committee but was rejected. The concern that the members of the Expert Group do not sufficiently represent civil society and the broad range of software users has also been raised during a recent meeting in the European Parliament.

Nevertheless, we are working together with organisations and companies to protect user freedoms on radio devices and keep in touch with members of the expert group. For example, we have shared our expertise for case studies and impact assessments drafted by the group members. We are also looking forward to a public consultation phase to officially present our arguments and improvement suggestions and allow other entities to share their opinion.

All our activities aim to protect Free Software and user rights on current and future radio devices. This is more important than ever since only a few members of the expert group seem to understand the importance of loading software on radio devices for IT security, for example critical updates on hardware which is not or only sporadically maintained by the original vendor. We will continue our efforts to make decision makers understand that Free Software (a.k.a. Open Source Software) is crucial for network security, science, education, and technical innovation. Therefore, broad exceptions in the class definition are necessary.

Conducting such lengthy policy activities requires a lot of resources for non-profit organisations like the FSFE. Please consider helping us by joining as an individual supporter today or a corporate donor to enable our work.
