Is your secure email actually private when the government comes knocking?
Government Requests and Rejection Rates
You should understand how Mailbox handles your data privacy when authorities intervene. In 2025, the company received 74 information requests from various government agencies. They rejected one-quarter of these inquiries. This rejection rate demonstrates that the provider does not simply hand over user data upon request; they enforce strict compliance protocols.
The total number of requests decreased in 2025, continuing a trend from the previous year. While the volume of inquiries dropped, the rigorous screening process remained active. Mailbox answered 56 requests only after investigating authorities corrected 15 initially unencrypted demands. They permanently rejected 18 requests because the authorities failed to fix deficiencies.
Why Requests Get Rejected
Security protocols dictate that unencrypted requests are inadmissible. The primary reason Mailbox rejected requests in 2025 was the same as in previous years: authorities transmitted them without encryption.
When an authority demands user data, Mailbox requires them to use PGP encryption. Of the 63 requests sent via email, 27 arrived unencrypted. Balint Gyemant, the Chief Product Officer, emphasizes that adhering to Federal Network Agency requirements is mandatory.
A positive development occurred this year regarding obsolete technology. For the first time, no authorities attempted to send requests via fax. This marks a shift from 2024, when fax inquiries still occurred despite being prohibited since 2021.
The Review Process
Mailbox employs a standardized, two-step review system for every incoming order. A data protection officer and a lawyer assess each request individually to ensure it is lawful and error-free.
If a request fails this review, the authority receives a rejection notice. They may amend and resubmit the request, but Mailbox releases data only if the new submission meets all legal and security criteria. This process ensures that your data remains protected against sloppy or unlawful government overreach.
Origin and Scope of Inquiries
German authorities initiated the vast majority of these data requests in 2025. Agencies from other EU member states submitted only three requests, while authorities outside the EU submitted just one.
The context for these inquiries was almost exclusively criminal prosecution (72 requests), with intelligence services submitting only two. Authorities primarily sought subscriber data, such as contract details, names, addresses, and phone numbers.
More intrusive measures were rare. Authorities requested mailbox seizures—which confiscate all emails—only twice. Notably, there were zero requests for traffic data (IP logs) or telecommunications surveillance (real-time monitoring) in 2025.