Product Security

  • NfS: Customer-related Matters/Information Security
  • GRI 417
  • GRI 417-1

United Internet offers users solutions for secure, data privacy-compliant internet-based communication and cloud services. With its “E-Mail made in Germany” and “Cloud made in Germany” initiatives, the Group has built a sound reputation for secure sending and receipt of private e-mails, and for protecting digital privacy in the cloud.

E-Mail Made in Germany

The “E-Mail made in Germany” initiative was launched by United Internet and Deutsche Telekom in 2013. The initiative’s member companies offer customers high standards of security and data privacy. These include encrypted transmission of all e-mails across all routes operated by members, the processing and storage of all data in Germany in accordance with German data privacy requirements, and the identification of secure e-mail addresses within the e-mail applications. Since April 2014, “E-Mail made in Germany” has only used SSL keys certified in Germany and all transmission routes have been fully encrypted. It goes without saying that all partners’ processes comply with the GDPR. In 2015, GMX and WEB.DE – e-mail services belonging to United Internet – significantly enhanced the “E-Mail made in Germany” security standard by developing an encryption solution based on the globally recognized Pretty Good Privacy (PGP) standard.

Cloud Made in Germany

In fiscal year 2017, GMX and WEB.DE introduced free end-to-end encryption of cloud content for all users. Customers can use this “safe” to encrypt their data locally before uploading, hence protecting it from third-party access. Sensitive content that has left the customer’s device is stored online only as an unreadable data set. The data is only decrypted again once it has been downloaded from the cloud to one of the user’s devices. This move by the GMX and WEB.DE portal brands strengthens their “Cloud Made in Germany” initiative, which was launched in 2016, and hence increases internet security.

De-Mail Standard

Since 2012, the De-Mail standard has offered legally valid e-mail communication that can be used for online registration and notification processes involving public authorities, and for legally binding digital transactions. GMX, WEB.DE, and 1&1 have been accredited De-Mail service providers since 2013. In 2016, GMX, WEB.DE, and 1&1 were certified for the first time as complying with the European Union’s eIDAS (“Electronic Identification and Trust Services”) Regulation. Based on this certified infrastructure, they will also be able to offer their users a legally valid method of communication with all other EU Member States in future. The eIDAS Regulation creates an EU-wide standard for the unique identification of all participants and the digital signature of cross-border electronic data transmissions. This creates uniform conditions in all EU Member States for the trusted, verifiable exchange of documents and legally valid communications between citizens, public authorities, and enterprises.

We had applied in the past for approval as an identity provider as defined by the German Online Access Act (Onlinezugangsgesetz – OZG) for our single sign-on system, which is based on our De-Mail infrastructure. The approval audits have now been completed and since 2020 our single sign-on system can be integrated with the service portals operated by the Länder and the federal government. We are in concrete discussions with the federal government regarding this integration and are successively making contact with the Länder via the CIOs concerned. In future, all De-Mail users and GMX, WEB.DE, and 1&1 customers should be able to use their De-Mail accounts to directly access services offered by the federal government’s and Länder citizen accounts and service portals forming part of the network, without having to log on and authenticate themselves again. This makes it much easier for citizens to use all participating e-government processes, and offers our customers and users additional uses for their De-Mail accounts.

Data Privacy and Encryption of E-mails, etc.

In addition to the abovementioned security features such as TLS, end-to-end encryption using PGP, and the “safe” function for cloud storage, all user data and content are stored in data centers whose servers are located in Germany. This means that the capture and processing of all data are subject to Germany’s strict data privacy laws and to the provisions of the EU’s General Data Protection Regulation. User consent is paramount at all times.

The two-factor authentication process introduced in June 2019 provides additional protection for user accounts. With this procedure, accounts can be protected by an additional security code that has to be entered during the log-in process, as well as a password. This second factor makes it harder for attackers to access accounts, even if they have guessed the passwords or obtained them using malware.

Secure E-commerce

Customer trust is a critical factor in e-commerce. In addition to concerns about the security of their personal data, consumers have questions regarding the reliability of online transactions, on providers’ delivery capability, and on online services. This is why we take the measures necessary to allay any consumer concerns and to build up their trust.

IT security is becoming an ever-greater audit focus from year to year. Therefore, among other things, well-known technical services provider TÜV Saarland regularly audits the online shops run by Drillisch Online’s core brands (maXXim, smartmobil.de, simplytel, PremiumSIM, winSIM, yourfone, Galaxy EXPERTE, handyvertrag.de, and free-prepaid). The annual certification and review process caters to our customers’ wishes, since security and quality are just as important to them as the price of our products and services. For us as an online retailer, certification with the well-known TÜV seal of approval offers an opportunity to reduce aborted transactions, positively impacting online sales. The requirements that have to be met to obtain the seal cover issues relating to data security and systems security, data privacy, and online content and processes, among other things. The comprehensive, multistage process needed to gain the TÜV seal of approval includes an on-site audit. This examines not only the reliability of order processing but also reviews the way in which customer service deals with customer queries and verifies the security of customers’ personal data and payments processing.

After successfully completing the certification process, we are entitled to use the “TÜV-tested Online Portal” seal of approval in Drillisch Online’s online shops. This demonstrates our commitment to offering customers a secure, satisfying online shopping experience and to undergoing thorough, systematic audits to assess whether we comply with this commitment. In addition, this certification helps us implement the GDPR’s technical and organizational security requirements.

Development of “Intelligent” Products

Security and user-friendliness are also core issues for us when enhancing our products and services. We are also making increasing use of data science, artificial intelligence (AI), and machine learning here.

Intelligent Mailbox Function

GMX and WEB.DE’s intelligent mailbox provides customers with a handy way of categorizing and grouping e-mails, allowing these to be dealt with more quickly and simply in a clear overview. Key e-mails can be found more rapidly and additional useful administration functions are provided for handling mass mailings. This saves time and makes the process more user-friendly. For example, the parcel tracking function allows the standard information about a shipment’s status to be displayed above users’ e-mails, and to group all orders together in an overview. In addition, users can customize offerings to suit their own specific interests, and decide themselves which extra functions should be enabled in their mailboxes. There were 5.69 million active intelligent mailbox function users as of the end of the 2021 reporting period (2020: 3.51 million; 2019: 0.25 million).

The intelligent mailbox function is self-learning, and by training the systems we will soon be able to offer the technology to create and offer additional e-mail categories. This will provide users with even more clearly structured mailboxes. The 2021 reporting period saw the introduction of the “Contracts & Subscriptions” category, which provides useful functionality that helps users to manage their contracts and subscriptions. Among other things, it offers an overview of their contract documents, enables comparisons to be made between tariffs, and provides a termination template and termination reminder alert for use if desired. For further details, please see the section entitled “Improved Spam Recognition Enhances E-mails’ Relevance and Security.” It goes without saying that the familiar data privacy requirements set out in the GDPR also apply to “intelligently captured” data at GMX and WEB.DE.

Improved Spam Recognition Enhances E-mails’ Relevance and Security

We work continuously to improve our recognition and filtering of spam – unsolicited or even harmful messages – so that these do not reach our users in the first place. In the 2021 reporting period, we were able to increase the proportion of spam mails that were recognized and filtered out by our proprietary spam scanner from 2% to 20% – a rise of 18 percentage points – thanks to the use of new methods and data science. Spam complaints from users during the same period declined by 10.5%. This shows us that the “right e-mails” are being identified as spam.

Spam can be anything from dangerous or harmful e-mails aimed at distributing viruses or at phishing down to unsolicited mails such as frequent mass mailings for advertising purposes.

We achieved this improvement by deploying new virus scanners and optimizing configurations. In addition, we started developing a proprietary spam scanner in 2020 that is customized for our services and that uses machine learning techniques, among other things. An initial prototype went live in 2020, with Version 1 following in the 2021 reporting period.

What is more, the standard allowing users to unsubscribe from newsletters, which was developed in 2019, helps them clean out their mailboxes and only receive the e-mails they actually want to receive. This is based on Internet Engineering Task Force standard RFC 8058 (One-Click Unsubscribe), which allows recipients to cancel newsletters directly in their e-mail mailboxes with a single click. The “unsubscribe” link is always positioned directly next to the e-mail sender. This means that users no longer have to search for it or visit the sender's homepage. The Certified Senders Alliance (CSA), an initiative launched by industry association eco – Verband der Internetwirtschaft e. V., has added this standard to its rulebook, meaning that it is widely observed by leading senders. The service has been well received by our customers.
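An added illustration, not code from United Internet or GMX/WEB.DE, of the preconditions a receiving mail client checks before it offers the one-click button described above: RFC 8058 requires a List-Unsubscribe header with an HTTPS URI, a List-Unsubscribe-Post header carrying the fixed token, and a DKIM signature that covers both headers. The sample messages, domain names and DKIM tag values are constructed; the DKIM signature is only checked for header coverage, not cryptographically verified.

```python
import re
from email import message_from_string, policy

ONE_CLICK = "List-Unsubscribe=One-Click"

# Constructed sample (not a real message): headers that satisfy the RFC 8058 conditions.
# The bh= and b= values are dummies; signature verification is out of scope here.
GOOD = """From: news@example.com
List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/unsub?u=abc>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:list-unsubscribe:list-unsubscribe-post; bh=ZHVtbXk=; b=ZHVtbXk=
Subject: Weekly news

body
"""
# Same message, but the DKIM h= tag no longer covers the two List-Unsubscribe headers.
WEAK = GOOD.replace("h=from:list-unsubscribe:list-unsubscribe-post;", "h=from:subject;")

def https_unsubscribe_uris(msg):
    """HTTPS URIs from the RFC 2369 angle-bracket list in List-Unsubscribe (mailto: entries ignored)."""
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    return [u.strip() for u in uris if u.strip().lower().startswith("https://")]

def dkim_signed_headers(msg):
    """Header names listed in the h= tag of the DKIM-Signature, lower-cased.
    Only coverage is checked; validating the signature needs the signer's DNS key."""
    m = re.search(r"(?:^|;)\s*h=([^;]+)", msg.get("DKIM-Signature", ""))
    return {h.strip().lower() for h in m.group(1).split(":")} if m else set()

def one_click_target(raw):
    """Return the HTTPS URI a client may POST to for one-click unsubscribe,
    or None if any RFC 8058 precondition is missing."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get("List-Unsubscribe-Post", "").strip() != ONE_CLICK:
        return None
    uris = https_unsubscribe_uris(msg)
    if not uris or not {"list-unsubscribe", "list-unsubscribe-post"} <= dkim_signed_headers(msg):
        return None
    return uris[0]

def one_click_request(uri):
    """The request RFC 8058 specifies: a POST whose form body is the fixed token.
    Returned as a tuple so the caller decides how and whether to send it."""
    return ("POST", uri, {"Content-Type": "application/x-www-form-urlencoded"}, ONE_CLICK)

if __name__ == "__main__":
    print(one_click_target(GOOD))   # https://example.com/unsub?u=abc
    print(one_click_target(WEAK))   # None
```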

All in all, we were able to significantly increase both the relevance of incoming mails and the security of e-mail usage for our customers’ benefit.

User Feedback and AI Further Enhance Spam Recognition

Incoming e-mails at GMX and WEB.DE are checked for whether they comply with spam criteria as a matter of course. If an e-mail is identified as spam, it is moved to a separate folder. However, new and constantly changing spam attack methods may lead to unwanted e-mails landing in customers’ in-boxes. Conversely, desirable e-mails may end up in the spam folder. Many users already address this issue by manually moving e-mails to the correct folders, training their personal spam filters in the process.

GMX and WEB.DE are now also using this individual user feedback for their general spam filters and for training their AI systems. This will allow us to protect users faster and more effectively against new types of spam. It goes without saying that users must have agreed to this. They can do this in their e-mail settings by activating the “Spam recognition using moved e-mails” option. In this case, GMX and WEB.DE can analyze and categorize content such as the subject lines or URLs of the e-mails that have been moved, plus associated traffic data such as the senders or IP addresses. The analyses are largely performed automatically by computer systems, and only in isolated cases by hand. The data is used strictly for its intended purpose and is processed in accordance with the provisions of European data privacy law. Users can revoke their consent at any time by changing their spam recognition settings. A total of 573,401 customers gave their approval for enhanced e-mail spam recognition in the 2021 reporting period (2020: 376,207; 2019: 159,437). The figure for unsolicited e-mails was 687,466 (2020: 454,400; 2019: 190,869).

In addition, we are using machine learning to improve our identification of e-mail accounts that are controlled by botnets, so as to prevent spam mails from being distributed in this way.

Using Machine Learning to Identify Fraud

In our hosting business, we have developed a machine learning-based method of using domain names to predict whether the domain itself could be used fraudulently or misused.

Many security attacks today, such as spam mails and phishing, use domain names that make a serious impression on recipients. For example, e-mails may be sent from addresses or contain links to websites whose names are highly similar to well-known, trustworthy domains. Users often do not recognize such tricks immediately. This type of fraud focuses on (or attacks) recipients, but can also impact our hosting customers, whose domains could be blocked by other providers as a result of such fraudulent activity. Our own organization can also be negatively impacted by this if the customer does not pay the costs incurred for registering the domain.

The data product that we have developed learns from previous domain registrations that have been identified and flagged by our fraud experts, and can assess pending domain registrations within milliseconds. One result is that customers may be offered a restricted range of payment options that require additional authentication, among other things, in order to minimize the risk for our Company. This function was added to our processes in 2019 and has already led to a reduction in the fraud rate.
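The report does not disclose the features or model of the data product, so the following is an added, rule-based stand-in (not United Internet's code) for the kind of lookalike screen a registrar can run on a pending registration: it folds visually confusable characters, measures edit distance to a watch list of protected brands, and flags names that embed a brand next to a credential keyword. The watch list and sample domains are constructed; taking only the first label is a deliberate simplification that ignores co.uk-style suffixes.

```python
# Hypothetical watch list of brands the registrar protects (constructed, not real names).
WATCHLIST = ("bankexample", "shopexample")
# Words that, next to a watched brand, commonly indicate a credential-harvesting page.
KEYWORDS = ("login", "secure", "verify", "account", "update")
# Single-character look-alikes; two-character ones (rn -> m, vv -> w) are handled in normalize().
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

def normalize(label):
    """Fold a domain label so visually similar spellings compare equal."""
    label = label.lower().replace("-", "").replace("rn", "m").replace("vv", "w")
    return label.translate(CONFUSABLES)

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(domain):
    """Score one pending registration. Returns the features a registrar could hand to a
    classifier, plus the reason the rule fired (None if it did not)."""
    label = domain.split(".")[0]          # simplification: first label only
    norm = normalize(label)
    brand, dist = min(((b, levenshtein(norm, b)) for b in WATCHLIST), key=lambda t: t[1])
    embedded = next((b for b in WATCHLIST if b in norm), None)
    keyword = any(k in norm for k in KEYWORDS)
    if dist == 0 and label.lower() == brand:
        reason = f"exact match of watched brand {brand}"
    elif dist <= 1:
        reason = f"lookalike of {brand} (edit distance {dist} after normalization)"
    elif embedded and keyword:
        reason = f"embeds {embedded} with a credential keyword"
    else:
        reason = None
    return {"domain": domain, "normalized": norm, "closest": brand, "distance": dist,
            "keyword": keyword, "needs_review": reason is not None, "reason": reason}

if __name__ == "__main__":
    for d in ("bank-examp1e.net", "shopexarnple.com", "bankexample-login.com", "gardening-tips.org"):
        r = screen(d)
        print(f"{d:26} review={r['needs_review']!s:5} {r['reason']}")
```

A flagged result is a signal for the restricted payment options and extra authentication the report describes, not an automatic rejection.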

In addition, French and Spanish were added to the system in the 2021 reporting period alongside the existing languages, German and English. This permits analyses to be made in other markets as well. The next step we are planning is to drive forward the system’s use at the other Group companies that are active in the hosting area. Machine learning is an excellent way of identifying attempted fraud – the methods for which are constantly changing – and we are therefore confident that we will be able to develop and provide additional useful services going forward.