CAcert supports parishes
Not so long ago, our communications were usually still protected by paper envelopes and a strict postal secret. But nowadays, when we write an e-mail or an SMS, we usually send the message in plain text through a huge, unknown network. And at least since Snowden we know that there are many hidden parties interested in our messages who store them without any authorisation. The laws that are supposed to protect us are simply ignored. Communicating unencrypted over the Internet is therefore like writing confidential data on a postcard and handing it on to a chain of people hungry for gossip, in the naive belief that they will treat it discreetly.
Parishes are either public corporations (Landeskirche) or integrated into the structure of church law, but in both cases they process confidential personal data of their members. This is not only about tax data. Think of the volunteers of the visiting group who call on the sick and lonely, or of the parish secretary who sends an e-mail to the pastor concerning Mr Z.
Virtual - real comparison
In former times such messages were passed on orally or sealed in an envelope, whether sent by post or delivered by the community helper M. by bicycle. That may have been a bit homely, but from the point of view of privacy and data protection it was not at all wrong. Today, with the blessings of the virtual world, everything is much easier and faster by e-mail. But where is the envelope of the e-mail that prevents the address of the sick Mrs F. or the message concerning Mr Z. from being read by someone on the way?
To keep the comparison between the (old) real world and the (new) virtual world in mind: e-mails are not electronic letters but electronic postcards. And here the concrete question arises: which messages should or may a church administration send by postcard? None? We are happy to share this view. And because this statement applies not only to traditional paper cards but also to electronic postcards (alias e-mail), we ask you to read the next section.
The e-mail envelope
If only there were e-mail envelopes... There are. They are very safe, easy to fill and easy to seal. But to open them, you need the right letter opener, and only the addressee has it. From this we can conclude the following: e-mail envelopes are excellently suited for all mailings that are
- internal administrative
- with employees
- with the tax office or the political municipality
The function (e-mail envelope, technically GPG encryption with the recipient's public key, which anyone may use to seal a message; letter opener, technically the recipient's private key, which never leaves the recipient) can easily be set up by the IT manager for the office, the employees and the volunteers. After that even the most private messages can be sent by e-mail without hesitation.
Electronic signature creates security
For "normal" e-mails to parishioners and other external bodies we do not recommend the e-mail envelopes. However, all e-mails can be sent with an electronic signature. This function comes with the e-mail envelopes: the same key material is used. The recipient's e-mail program uses the electronic signature to recognise that the e-mail really comes from you and not from someone pretending to be from the church, and that it has not been altered on the way. Note that the recipient's program can only confirm this if it has a way to trust your key: for GPG your public key must be available to it, and for certificate-based mail the issuing CA must be trusted, which for CAcert means installing its root certificate once, since most e-mail programs do not ship it. It can be pointed out in the footer of the e-mail, e.g. "With the digital signature, your e-mail program recognises that this message really comes from me and has arrived unchanged. For more information, see wiki.cacert.org/Phishing" (or a subpage on your website).
Recommendation for everyday use
- internal (among employees): e-mail envelope always, or at least whenever sensitive data is involved.
- all e-mails always digitally signed, if necessary with a note in the footer.
A few technical words (for your IT manager)
We recommend an implementation with open source and free software. It is not the Church's job to finance large companies. Like the churches, the makers and providers of free solutions work with volunteers and cover their infrastructure costs with donations. The solution must be open source, so that the source code, and above all the correct implementation of the encryption, can be continuously checked by independent parties.
By e-mail envelope we mean encryption with GPG/PGP. The digital signature is also done with GPG/PGP, using the same key pair. Only end-to-end encryption guarantees that the intended conversation partners alone are able to decrypt the messages and that no uninvited third party on the way can read along; encryption only between your computer and your provider's mail server does not give you that. The required certificate is obtained from the free certificate authority CAcert.
Small parishes with very few employees can have certificates issued directly to the employees in their own names. This is done very quickly in just three steps (on Mac, Windows or Linux alike):
- create an account with CAcert, have your identity verified ("to assure")
- create certificate
- open the e-mail program, import the certificate, set the default to "always sign" (the IT manager can help if necessary, or do it directly with a few clicks)
With this, all the functions described above are available; nothing further is needed for internal encryption. For the digital signature with which the parish addresses the public, it would admittedly be nicer if the certificate carried not only the name of the employee but also that of the parish. The appearance is much more professional. To have the name of the organisation in the certificate, an organisation assurance is needed. This is a bit more complex, but has the added advantage that certificates for employees can then be issued internally. Details can be found in our Organisational Assurance leaflet.
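The following script is an added example for the IT manager and is not part of the CAcert leaflet: it walks through the e-mail envelope (GnuPG sign and encrypt) and the digital signature (GnuPG clearsign) described above, using two throwaway keyrings, one per person, so that each private key (the letter opener) stays with its owner while only the public keys (the envelopes) are exchanged. The addresses, message texts and directory names are made up for the demonstration; it needs GnuPG 2.1 or newer and nothing else.

```shell
#!/bin/sh
# Added example, not from the CAcert leaflet: e-mail envelope (sign+encrypt)
# and digital signature (clearsign) with GnuPG, one keyring per person.
# Addresses and messages are invented. Requires GnuPG 2.1 or newer.

SECRETARY="secretary@example-parish.invalid"   # assumed address
PASTOR="pastor@example-parish.invalid"         # assumed address

# Run gpg against one person's keyring ($1), non-interactively.
# Keys are created WITHOUT a passphrase to keep the demo scriptable;
# in production every private key must be passphrase protected.
gpg_as() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' --trust-model always "$@" 2>/dev/null
}

run_demo() {
  work=$(mktemp -d)
  sec="$work/secretary"; pas="$work/pastor"
  mkdir -m 700 "$sec" "$pas"

  # Step 2 of the leaflet: each person creates a key pair.
  gpg_as "$sec" --quick-generate-key "$SECRETARY" default default never
  gpg_as "$pas" --quick-generate-key "$PASTOR"    default default never

  # Public keys (the envelopes others may seal) are exchanged;
  # private keys (the letter openers) never leave their keyring.
  gpg_as "$pas" --armor --export "$PASTOR"    > "$work/pastor.pub"
  gpg_as "$sec" --armor --export "$SECRETARY" > "$work/secretary.pub"
  gpg_as "$sec" --import "$work/pastor.pub"
  gpg_as "$pas" --import "$work/secretary.pub"

  # --- Internal mail: sealed envelope, signed AND encrypted ---
  printf 'Mr Z asked for a visit on Tuesday.\n' > "$work/internal.txt"
  gpg_as "$sec" --local-user "$SECRETARY" --recipient "$PASTOR" \
      --armor --sign --encrypt --output "$work/internal.asc" "$work/internal.txt"
  # Anyone on the path sees only ciphertext: the name is not in the file.
  if grep -q 'Mr Z' "$work/internal.asc"; then echo "FAIL: plaintext leaked"; return 1; fi
  # Even the sender cannot reopen it: it was sealed for the pastor only.
  if gpg_as "$sec" --decrypt "$work/internal.asc" >/dev/null; then
    echo "FAIL: sender could decrypt"; return 1
  fi
  # The pastor opens it with his private key and learns who sealed it.
  status=$(gpg_as "$pas" --status-fd 1 --output "$work/internal.out" \
                  --decrypt "$work/internal.asc")
  echo "$status" | grep -q '^\[GNUPG:\] GOODSIG' || { echo "FAIL: no good signature"; return 1; }
  cmp -s "$work/internal.txt" "$work/internal.out" || { echo "FAIL: text differs"; return 1; }
  echo "envelope: only the pastor could open it, signature verified"

  # --- External mail: postcard, readable by all, but signed ---
  printf 'Service on Sunday starts at 10:00.\n' > "$work/card.txt"
  gpg_as "$sec" --local-user "$SECRETARY" --clearsign \
      --output "$work/card.asc" "$work/card.txt"
  gpg_as "$pas" --verify "$work/card.asc" || { echo "FAIL: genuine card rejected"; return 1; }
  # A phisher changing one word on the way breaks the signature.
  sed 's/10:00/11:00/' "$work/card.asc" > "$work/card-tampered.asc"
  if gpg_as "$pas" --verify "$work/card-tampered.asc"; then
    echo "FAIL: tampered card accepted"; return 1
  fi
  echo "postcard: genuine copy verified, tampered copy rejected"

  # Stop the agents gpg started for the throwaway keyrings, then clean up.
  GNUPGHOME="$sec" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$pas" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "ALL CHECKS PASSED"
}

run_demo
```

Two points worth taking from the run: the sealed file contains no trace of the plaintext and cannot be opened even by the person who sealed it, because the envelope was made with the pastor's public key and only his private key opens it; and a clearsigned postcard stays readable by everyone, yet changing a single character on the way makes the recipient's program report a bad signature. In a real deployment the key pairs are generated once per person with a passphrase, the public keys are distributed (for example through the parish website or the CAcert key listing), and the mail program does the signing and sealing automatically.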
A few words about finances
CAcert is a mutual aid community with over 360,000 members (the CAcert community). The certificate authority is run by a non-profit association under New South Wales law (CAcert Inc.). All work is done by volunteers. The costs of the computing centre are covered by membership fees and donations.
A secure solution as outlined above can also be implemented with commercial providers. In that case, certificate costs of around 70 francs per employee per year are to be expected. Just to give you a brief overview: the pastor, two secretaries, a pastoral assistant, three catechists, a parish helper, the sick visiting group, ... Even with this example of a rather small parish we are already in the four-digit range.
When working with CAcert, we recommend that you contribute to the infrastructure costs with an annual donation. Depending on the size of the parish and its financial strength, this may be 100, 200 or even 500 francs.