In the wake of the shutdown of two secure e-mail providers in the United States, three major German e-mail providers have banded together to say that they’re stepping forward to fill the gap. There’s just one problem: the three companies only provide security for e-mail in transit (in the form of SMTP TLS) and not actual secure data storage.

GMX, T-Online (a division of Deutsche Telekom), and Web.de—which serve two-thirds of German e-mail users—announced on Friday that data would be stored in Germany and the initiative would “automatically encrypt data over all transmission paths and offer peace of mind that data are handled in compliance with German data privacy laws.” Starting immediately, users who use these e-mail services in-browser will have SMTP TLS enabled, and starting next year, these three e-mail providers will refuse to send any e-mail that does not have it enabled.

“Germans are deeply unsettled by the latest reports on the potential interception of communication data,” said René Obermann, CEO of Deutsche Telekom, in a statement. “Our initiative is designed to counteract this concern and make e-mail communication throughout Germany more secure in general. Protection of the private sphere is a valuable commodity.”

These companies have dubbed this effort “E-mail made in Germany,” and tout “secure data storage in Germany as a reputable location.” In practice, that appears (Google Translate) to simply mean that starting in 2014, these providers will “only transport SSL-encrypted e-mails to ensure that data traffic over all of their transmission paths is secure.”

Germany has notoriously strong data protection laws—likely the strongest in the world. But those laws do have law enforcement exceptions for security agencies, like the BND, Germany’s equivalent to the National Security Agency. The BND can likely access e-mails stored unencrypted on German servers easily, with little legal or technical interference. Clearly, forcing users (particularly less tech-savvy ones) to use SMTP TLS provides modestly better protection for data in transit, but it comes nowhere close to improving security for stored data.

Law enforcement can still get stored e-mail

German tech media and the well-respected Chaos Computer Club have lambasted this approach, dismissing it as “pure marketing.”

“The basic problem with e-mail is that it’s a postcard readable by all—[this] changes nothing,” wrote Andre Meister on the noted Netzpolitik.org blog (German).

Lukas Pitschl of GPGTools told Ars this was merely a “marketing stunt,” which would “not add real value to the security of e-mail communication.”

“If you really want to protect your e-mails from prying eyes, use OpenPGP or S/MIME on your own desktop and don't let a third-party provider have your data,” he told Ars. “No one of the ‘E-Mail made in Germany’ initiative would say if they encrypt the data on their servers so they don't have access to it, which they probably don't and thus the government could force them to let them access it.”

The Chaos Computer Club practically laughed (Google Translate) at this new announcement:

“What competitors [have had] for years as standard—a forced encryption when accessing a personal e-mail account—is now sold promotionally as a new, effective technological advancement,” the group wrote. “The NSA scandal has shown that centralized services are to be regarded as not trustworthy when it comes to access by secret [agencies].”