GMX, Security and Privacy.

[[!meta description="""Yet another story about why you need to hide things from the rest of the world, and why commercial company can’t help you with

Once upon a time

I have this friend – Milou. She’s going to be a good journalist, and she worked a lot for NGOs during her studies. Hence she travelled a lot. As a NGO worker and apprentice journalists, she travelled in … hmmm … interesting places, and a country in particular – let’s call it Zoukinistan.

You’ve probably heard about Zoukinistan, it’s one of these countries the US – and part of EU – are at war with, and where those almighty democracies^Wpowers tried to create a Democracy they own.

So, this woman was going there, doing a job of getting in touch with local activists, reporting human right violations, doing journalisms, stuff like that. And she met there a lot of interesting people.

Not all these people are on the side our governments are comfortable dealing with. Not necessarily warlords or fundamentalists either. They probably just don’t want any more foreign interferences in their country. Yeah, the ones governments probably call terrorists. Or enemies. Or just those who want to expose corruption of their US backed government.

So, as a journalist, she maintains contact with those. No one knows when the next things to expose will blow up. And since she’s quite aware of all the NSA doing nasty things on US hosted servers – essentially trying to graph people in contact with this kind of activists – she goes for a non-US based email provider, and a free one.

And then GMX entered the dance.

Since Milou knows me, and since I worked a bit with her, she uses Tor, OTR, and free softwares. And I think she understands why it’s needed, and why she needs to protect her sources.

So, she created an account on and used the webmail using Tor, naively thinking GMX – being a German company – would protect her communications.

It appears that GMX is part of United Internet, a German holding which also owns 1&1 and And they own 7 datacenters in the EU and the US according to their about page. So they have data on US soil, under the Patriot Act – and you definitely don’t want to have data there if you try to protect sources from US Gov. But nothing says that the former French Caramail they bought and became part of is hosted there – in fact, and for strict latency reasons, I think they’ll leave it in EU soil, just to have good performances.

Anyway, let’s put those considerations aside for now.

So, Milou and her friend exchange emails using GMX. I’ll skip the fact https is not enabled by default. Or that they implemented it quite late between servers – after all, Google did it only after NSA had leaked a nice post-it – it’s not really that important since, after all, all emails are probably stored in clear text on a corporation server.

However, Germany, home nation of GMX, is involved in military and security mission in Zoukinistan. We also now that NSA did infiltrate German Internet companies and that the German secrete services do cooperate with NSA.

And then the Milou’s GMX account has been closed for security reasons. Since the IT support doesn’t provide any details and that I could not find anywhere on the net anything related to closing of the accounts if used via Tor – even if they made it hard for anyone to do so – and given the lack of security on their side, I think that it must be read as national security reasons.

My guess is that GMX has been required to terminate this account because it represented a threat to national security.

The interesting part would be to know which nation asked for it. Could be France (Caramail which became was French after all), US since they would not like my friend to chat with a terrorist or the German wanting the same thing.

I don’t know. Hard to find evidence when the tech people in the company refuse to provide any. And that’s weird. They could have pretended some unusual traffic came from Milou’s computer – unusual meaning in this case via Tor and Ubuntu – or that they detected some attack and the account had to be terminated, or anything else.

But no, they just "can’t answer", won’t provide any email backup, nor even any support. I don’t like drawing conclusions without facts, but it really seems like someone read those emails and have GMX close this specific account.