Transparency Report

How eclipso Mail Europe handles government requests - and what we can promise you.

Warrant Canary

eclipso Mail Europe has never received any governmental or judicial orders to install security vulnerabilities or backdoors in its systems. Should we ever receive such an order, we will resist it with all available legal means.

Note on German law:
Under German law, we are legally obligated to maintain confidentiality regarding the content of specific disclosure or surveillance orders we may receive. We therefore cannot confirm or deny the receipt of specific government requests.

What we can always state without reservation: We have not built any backdoors - and we will not do so.

Legal Jurisdiction & Data Protection

Why US surveillance laws do not apply to eclipso Mail Europe.

eclipso Mail Europe is a German company. All servers are located exclusively in Germany. Our service is therefore subject solely to German and European law - in particular the GDPR, the German Telecommunications Act (TKG), the TTDDG and the German Code of Criminal Procedure (StPO).

US surveillance laws do not apply to us. US authorities have no legal basis to compel us to hand over user data - not under FISA, not under the CLOUD Act, and not via a National Security Letter (NSL).

Applicable law
  • German Telecommunications Act (TKG)
  • Telecommunications Telemedia Data Protection Act (TTDDG)
  • General Data Protection Regulation (GDPR)
  • German Code of Criminal Procedure (StPO)
  • Telecommunications Privacy - German Basic Law (Art. 10 GG)

Not applicable
  • US Foreign Intelligence Surveillance Act (FISA)
  • US CLOUD Act
  • National Security Letters (NSL)
  • FISA Court Orders (Section 702)
  • Any other US or non-EU jurisdiction

Why does eclipso publish a transparency report?

We believe transparency is an important value and that our customers have the right to know how we handle government requests. This report is of course anonymized - for data protection and legal reasons, we do not and cannot disclose details about individual cases.

Is every request reviewed?

Yes - each and every disclosure request is thoroughly reviewed by our legal team and, in cases of doubt, referred to our attorney for clarification. The review takes into account German data protection law, telecommunications secrecy (Fernmeldegeheimnis) and the Code of Criminal Procedure (StPO). Requests that fail to meet the legal requirements are rejected.

Requests from foreign law enforcement agencies and authorities are declined. We refer them to the appropriate legal channels via competent German authorities.

What data can authorities request?

The following overview explains which data categories may be relevant in the context of a disclosure request or a lawful interception (TKÜ) order, and on which legal basis.

Account data includes personal information such as name, address or payment details. eclipso Mail Europe does not collect any identifying data during registration as a matter of principle - you can use our services anonymously with a free account. This principle of data minimization is not only required by Art. 5(1)(c) and Art. 25 GDPR, but reflects our fundamental approach to handling user data.

Account data may be requested by various authorities under § 174 TKG and § 22 TTDDG, provided the legal requirements are met. Since we do not collect account data, we typically have none to disclose.

Traffic data may include the following information:

  • Email address(es) of the account
  • IP address of the last login
  • Date and time of the last login

Traffic data - like content data - is protected by telecommunications secrecy (Fernmeldegeheimnis). Disclosure is only permitted on the basis of a judicial order addressed to the requesting law enforcement authority (§ 100g StPO). This applies only to serious criminal offences (e.g. homicide, child sexual abuse material, robbery, bomb threats, extortion).

By default we store the IP address at registration and the IP address of the last account login. There is currently no data retention law applicable to email providers in Germany.

Content data includes all stored contents of a user account: emails, cloud files, address book entries and similar. Emails stored with S/MIME or OpenPGP end-to-end encryption can only be read by the user themselves - only they possess the corresponding private key. We have no access to this data either.

A German court may, upon application by the public prosecutor, order either a seizure of the account (§ 94(2), § 98(1) StPO) or real-time interception (TKÜ) (§ 100a StPO) or both:

  • Seizure: Covers account contents already stored at the time of the order.
  • TKÜ: Captures all incoming and outgoing content from the effective date of the order, typically for up to three months.

End-to-end encrypted emails (S/MIME, PGP) can only be delivered in encrypted form - even under a TKÜ order. Unencrypted emails received after a TKÜ order becomes effective are transmitted in plain text. Previously received emails stored on the server cannot be decrypted by us.

Historical Statistics

The following figures cover the period 2014-2017. We publish them as an archive in the interest of transparency. We aim to publish updated annual statistics going forward.

  • Lawful interception orders (TKÜ): 0
  • Account data requests total: 42 [1, 2]
  • Traffic data requests: 1 [1, 2]
  [1] Invalid requests: 16 (e.g. account data query submitted with IP address and timestamp)
  [2] Mailbox does not exist: 7

  • Lawful interception orders (TKÜ): 2
  • Account data requests total: 38 [1, 2]
  • Account data requests formally valid: 38
  • Traffic data requests: 4 [3]
  • Traffic data requests formally valid: 3
  [1] Invalid requests: 0
  [2] Mailbox does not exist: 4
  [3] Invalid requests: 1

  • Lawful interception orders (TKÜ): 2
  • Account data requests total: 63 [1, 2]
  • Account data requests formally valid: 56
  • Traffic data requests: 4 [3]
  • Traffic data requests formally valid: 3
  [1] Invalid requests: 6
  [2] Mailbox does not exist: 1
  [3] Invalid requests: 1

  • Lawful interception orders: 0
  • Account data requests total: 36 [1, 2]
  • Account data requests formally valid: 29
  • Account data requests formally invalid: 7
  • Traffic data requests rejected: 1
  • Traffic data requests formally valid: 0
  [1] Invalid requests: 6
  [2] Mailbox does not exist: 1

Questions about this report?

If you have questions about how we handle government requests, we are happy to help.
