The Hessian data protection officer Alexander Roßnagel calls for the farewell to the fax, which is currently still widely used by authorities, courts, lawyers and in the health care system. Due to various technical changes in the communication world, the controller classifies faxing as “an unsafe means of communication”. He therefore advises “in the interests of data security and against the background of advancing digitization” to examine and implement other methods as soon as possible.
“In principle, sending faxes presents risks that are comparable to those that are also present when sending unencrypted e-mails,” writes Roßnagel in one Note as of Tuesday. The transmission of personal data via this medium is therefore associated with “the risk of loss of confidentiality”. Personal information that has a special need for protection should therefore “generally not be transmitted by fax if no additional protective measures have been implemented by the senders and recipients”.
The communication between fax machines was originally based on establishing a connection via channel or line switching, explains the head of the authorities. “The sender and recipient – identified by their respective fax numbers – were the two terminals between which a direct connection was established.” A major drawback has always been “that the sender usually has no information on the recipient side”. For example, there was a question of who had access to a receiving device.
With the triumphant advance of the Internet, the data to be transmitted would be distributed to individual packets using the TCP / IP standard and sent “via a large number of connections between several intermediary points between the terminals”, explains Roßnagel. The connections are no longer used reserved for the two terminals. It is conceivable “that the intermediate points involved are distributed around the world and operated by a wide variety of state or private actors”. In principle, they would have the option of “accessing the packets they have sent”.
Secure means of communication
“New problems arise that cannot be solved with a call and the request to stand next to the fax machine,” the lawyer points out. According to the General Data Protection Regulation (GDPR), personal data must be processed in a way that ensures adequate security. In view of the “state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons, those responsible would have to take appropriate technical and organizational measures” in order to to ensure an appropriate level of protection.
As an alternative, more secure means of communication, Roßnagel particularly recommends sending content-encrypted e-mails (PGP or S / MIME), the little-used DE-mail and portal solutions “where the communication partners can access and provide encrypted messages and content”. “Area-specific digital communication services” such as “Communication in Medicine” (KIM) or the “Infrastructure of electronic legal transactions” could also be considered. The special electronic attorney’s mailbox (beA) contained therein is controversial, as there is no end-to-end encryption.
To lead by example, The Hessian data protection authority has recently stopped listing fax numbers on its homepage, letterhead, business cards and in e-mails. According to Roßnagel, “wants to draw attention to the technical problems, but for the time being without taking any supervisory measures”.