In Snowden's wake, crypto-startups take root in Germany
Tech entrepreneurs are seizing on the new attention to digital privacy and finding customers around the world in search of more secure tools for online communication.
COLOGNE, GERMANY — The scope of National Security Agency surveillance programs revealed by whistleblower-turned-fugitive Edward Snowden didn’t particularly alarm Felix Müller-Irion. Growing up coding and hanging out with the notorious German hacker collective the Chaos Computer Club, he knew the immense ways the Internet could be used to snoop on unsuspecting targets.
What alarmed Mr. Müller-Irion was something most people would consider a mere footnote in the global controversy following Mr. Snowden’s leaks. In 2013, Lavabit, the encrypted, or "secure," e-mail service Snowden used, shut its doors after the US government subpoenaed its encryption keys. That jolted Müller-Irion into action.
"It hit me hard," recalls Müller-Irion, at the time a political science student at Maastricht University. "I thought, we had to have an alternative."
Seizing what he saw as a tremendous business opportunity, the cryptography amateur turned cryptography entrepreneur took up a mission: to make ditching Gmail or Yahoo mail feasible and easy. And Lavaboom was born.
"The prospect of offering people the chance to encrypt their e-mails was simply amazing. That would mean that NSA surveillance programs would be totally useless," says Müller-Irion, now chief executive of Lavaboom, the Cologne-based "secure" e-mail provider he founded both as a business opportunity and as a political statement.
Lavaboom is among the youngest in a new generation of startups that are gaining traction in Germany, and to a lesser extent elsewhere in Europe, as a result of the Snowden leaks. Indeed, the NSA spying scandal hit Germany especially hard after the Snowden documents indicated the American spy agency was eavesdropping on Chancellor Angela Merkel's phone calls. Those revelations set off a diplomatic feud between Berlin and Washington.
What's more, the leaks turned Snowden into something of a folk hero in Germany. Now, boosted by a robust privacy climate and some of the toughest data protection laws in the world, the new crypto-entrepreneurs are playing their part in bringing encryption into the mainstream with free and easy-to-use services.
Matthias Pfau launched his company, Tutanota, in 2011, two years before the first Snowden leak.
"People will always say that privacy is important, especially in Germany, with our history," he said. "But now people aren’t just saying it but they’re also switching e-mail providers – and they're starting to make a difference."
“If just 15 percent of people encrypted their data, we would make it very difficult for NSA to surveil ... the Internet,” Mr. Pfau says. “Fighting for our privacy right is important for freedom and democracy.”
Indeed, long before the Snowden revelations, growing digital privacy concerns led to innovations in Europe to bring more secrecy to the Internet. In 2009, it led Patrik and Sabrina Löhr, who were then working as volunteers for Greenpeace, to design an encrypted e-mail service that would be economically sustainable. That turned into a company called Posteo.
“We don't want the data from our customers,” Patrik Löhr says. Like many e-mail services, Posteo is not ad supported. Its users pay 12 euros ($13) a year to use the service. “We don't want their names, their addresses, their dates of birth. And because we don't have this data, we can't lose it or be compelled to give it away. The data you don’t have is data you can’t hack or steal.”
Their Berlin startup remained relatively small until the full scope of the Snowden revelations – and the extent of NSA spying – began to sink in across Europe. Its user base grew from 10,000 in 2013 to 100,000 in 2015. Other European privacy-focused startups have followed in Posteo's footsteps, too, although experts disagree on what "secure e-mail" means. In Geneva, a group of Harvard and Massachusetts Institute of Technology encryption specialists working at the European Organization for Nuclear Research created the encrypted e-mail service ProtonMail; in Hamburg, Iranian immigrant Ali Jelveh broke crowdfunding records by raising more than $1 million in 30 minutes for his "secure" server company called Protonet.
“Germany has become a world mecca for privacy activists and entrepreneurs,” says Melbourne-based Asher Wolf, an early pioneer of cryptoparties, gatherings of everyday Internet users to learn how to use encryption.
Germany’s deep aversion to government snooping can be traced to East Germany’s infamous Stasi spying apparatus, which infiltrated almost every aspect of people’s lives with the help of hundreds of thousands of staff workers and informers. The most hated and feared institutions of the ex-East Germany communist government left the nation traumatized about any form of surveillance. But the deep social unrest prevailing in West Germany in the 1970s and 1980s, when the left-wing Red Army Faction terrorized the nation and the police responded with what many saw as repressive measures, also played a role.
“Every young person was seen as a suspect,” recalls Peter Schaar, a long-time federal data protection commissioner who now chairs the European Academy for Freedom of Information and Data Protection in Berlin, speaking of the troubled 1970s. When the government announced it would conduct a national population census in 1983, people took to the streets. Collecting data, they feared, would be another way of building up a surveillance state.
Schaar was among a group who took that complaint to Germany’s highest court, the Bundesverfassungsgericht. And they won. In a groundbreaking 1983 decision that still influences privacy legislation in Germany and across the world today, Karlsruhe judges ruled that the census (in the form it was about to be conducted) aimed at “limitless surveillance and manipulation of its citizens,” thus violating people’s dignity. They established a principle that's the anchor of data protection in Germany: the right of informational self-determination.
"In Germany, the protection of personal data, and restricted use of data, and right of people to decide what can be done is one of the most fundamental principles of a democracy," says Frankfurt law professor Spiros Simitis, dubbed "the godfather of privacy" because he drafted Germany’s – and the world’s – first data protection law in the 1970s, when the state of Hesse was wrangling with how to use newly computerized medical records without jeopardizing people’s privacy. "It’s up to individuals to determine who could use their data, for what purpose, on what conditions, and for how long."
Since the mid-2000s, the Bundesverfassungsgericht has invoked the census ruling to deem new antiterrorism measures illegal. For example, it struck down a law allowing police wiretapping in apartments or the use of tracking software in computers, and said that allowing telecommunication companies to store data and e-mails could "cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one's basic rights in many areas." Three years later, in 2014, the EU’s highest court followed suit, striking down its data retention law. (In June, the German Bundestag passed a new data retention law, but privacy activists have vowed to appeal in court.)
But now, in the wake of the Charlie Hebdo attacks in January, the US and some parts of Europe are resisting the movement toward greater privacy on the Internet and instead calling for greater government access to encrypted data.
“The attacks in Paris demonstrated the scale of the threat that we face, and the need to have robust powers through our intelligence and security agencies in order to keep our people safe,” British Prime Minister David Cameron told the press. “We must not allow means of communications that cannot be decoded by law enforcement.”
But the notion of privacy is so strong in Germany that few here support a backlash. On the contrary, many Germans feel that giving government access to encrypted data would weaken safety online for everyone.
“Obama says encryption is OK but we want to have the back door to every encrypted door,” says Michael G. Schmidt, a German journalist in the northern German town of Neumünster who specializes in encryption and IT. “But for us Germans, that’s not OK. Privacy is a basic human right, and it’s not thinkable that our government should have a backdoor.”
From the Netherlands, where he plotted his new secure e-mail server, Müller-Irion scoured the world for like-minded encryption talent. A Romanian, a Bulgarian, a Briton, and a German make up his team at Lavaboom. One thing was certain: “Germany was always the place we’d settle in, not just because I am from Germany, because the privacy laws are simply amazing here in Germany.”
“The difference between the US and Germany is that the German government is not allowed to request LLS keys,” Lavaboom co-founder Bill Franklin says, referring to encryption keys. "This is why we can never be headquartered in the US, and why so many privacy companies are moving not only to Europe but precisely to Germany."
Lavaboom is testing the last glitches before going full speed and offering end-to-end-encryption to hundreds of thousands of privacy-hungry consumers and companies around the world.
In a few weeks, it will switch from private to public beta mode, meaning that its product will be available to the general public as opposed to a small selected group only. With 9,000 people already signed up and 27,000 users on its waiting list, it expects to be fully available later this year.