IT Security: BSI wants to hold webmail providers more accountable

Email security largely rests on the shoulders of users, the BSI criticizes. It holds providers responsible for secure login, for example.

Current spam emails distribute ransomware in the name of the BSI

(Image: Michael Traitov/Shutterstock.com)


The Federal Office for Information Security (BSI) is issuing a clear demand to operators of digital mailboxes: they must systematically and comprehensively assume responsibility for the IT security of their services, as the protection of consumers from risks such as phishing and identity theft is currently still inadequately implemented. This is the tenor of the white paper published on Monday in the "Digital Consumer Protection" series on "secure, transparent, and user-friendly webmail services".

In the white paper, the BSI complains that an elementary part of email security – particularly easy-to-use end-to-end encryption (E2EE) and protection against attacks – still rests too heavily on the shoulders of users. Increasingly, technical protection mechanisms exist that could operate automatically. Given that email is the central key component for managing digital identities and is often used to restore other accounts, ensuring reliability, security, and user-friendliness is of considerable importance, especially for particularly frequently used webmail services such as Gmail, GMX, web.de, and Hotmail.

The authors identify five central fields of action for implementing the principles of Security by Design and Security by Default in user-friendly IT security. Accordingly, providers should offer simple and secure authentication methods as standard. This includes the mandatory introduction of two-factor authentication (2FA) or modern passkeys, which identify users via biometric characteristics. Complementary measures include a state-of-the-art password policy and technical measures such as rate limiting of login attempts.

The BSI sees interoperable and easy-to-use end-to-end encryption (E2EE) as a central building block for communication confidentiality. Since E2EE is currently only a niche topic because of manual key management, the BSI demands that the use of open standards such as OpenPGP and S/MIME be enabled directly in the webmail client. This requires automated generation and management of key pairs within the service, as well as a low-threshold way to exchange public keys, for example via the Web Key Directory (WKD). In addition, transport encryption must be enforced via DANE or MTA-STS.

The office also demands effective protection mechanisms against spam and phishing, and responsibility for them must not be shifted solely to end users. A multi-layered system that relies on backend methods such as SPF, DKIM, and DMARC to verify sender authenticity must be supplemented by user-friendly functions for reporting unwanted emails and fraud attempts. The BSI already published guidance on this last year.
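The following added example (not from the white paper or any provider's code) shows how the three backend methods the BSI names fit together on the receiving side: a DMARC policy is parsed, the SPF and DKIM results are checked for identifier alignment with the visible From domain, and the record's policy decides the disposition. It assumes SPF and DKIM verification has already produced a result and the authenticated domain for each; the DMARC record, message results and the two-label organizational-domain rule are constructed simplifications (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class AuthResults:
    """Constructed summary of what SPF and DKIM verification returned for one message."""
    from_domain: str    # domain of the RFC5322.From header the user sees
    spf_result: str     # "pass", "fail", "softfail", "none", ...
    spf_domain: str     # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_result: str    # "pass", "fail", "none"
    dkim_domain: str    # d= tag of the DKIM signature that was verified


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a _dmarc TXT record into tags, applying DMARC's defaults for missing ones."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified assumption: the organizational domain is the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(results: AuthResults, record_txt: str) -> Dict[str, object]:
    """DMARC passes if at least one of SPF or DKIM both passed and is aligned with From."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = results.spf_result == "pass" and aligned(results.spf_domain, results.from_domain, tags["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(results.dkim_domain, results.from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    # p=none only monitors; quarantine and reject are the sender's requested handling on failure
    disposition = "deliver" if passed or tags["p"] == "none" else tags["p"]
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


# Constructed DMARC record and two constructed messages for the domain example.org
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.org"

# Legitimate: bounces go via a subdomain (relaxed SPF alignment), and DKIM is signed by the org domain
LEGIT = AuthResults("example.org", "pass", "bounce.example.org", "pass", "example.org")

# Spoofed: the attacker controls some other domain, so SPF and DKIM "pass" there but are not aligned
SPOOFED = AuthResults("example.org", "pass", "attacker.example", "pass", "attacker.example")

if __name__ == "__main__":
    print("legit  :", evaluate_dmarc(LEGIT, DMARC_RECORD))
    print("spoofed:", evaluate_dmarc(SPOOFED, DMARC_RECORD))
```

The spoofed case is the one that matters for the white paper's argument: both SPF and DKIM "pass" for the attacker's own domain, so a receiver that checked either in isolation would see nothing wrong; only the alignment check against the From header the user actually reads turns those results into a rejection, and that check runs in the provider's backend, not on the user's screen.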

Furthermore, a secure and traceable option for account recovery is essential, especially after an account has been taken over by third parties, the office writes. These processes must be clearly managed and securely designed, as conventional recovery methods such as backup email addresses or security questions are susceptible to manipulation.

Providers should also publish transparent security profiles and traceable trust models. Since consumers cannot directly verify that central security mechanisms work, disclosing the protocols and processes in use strengthens trust and helps customers choose a secure service.


"Secure email communication is a fundamental prerequisite for digital participation and self-determination," the authors emphasize. In addition to technical further developments, binding framework conditions, a societal consensus on protection standards, and targeted political impulses are therefore necessary. The appeals are directed "equally at business, politics, and civil society." Relevant service providers have "now the opportunity to visibly build trust by implementing the concrete measures listed in this white paper through voluntary self-commitment." Caroline Krohn, the BSI's head of department for digital consumer protection, says that only when protective measures are understandable, interoperable, and suitable for everyday use "do they unfold their full effect."

(wpl)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.