Internet faxing is safe and secure

Comfort at the expense of security?

These days I read on Facebook the complaints of an MFA in which the paper fax had been replaced by an e-mail fax. The convenience of the old fax machine is over - now she has to constantly check for e-mails and print out the attachments separately. The previously well-functioning workflow in practice was messed up, and her boss is now considering going back to paper faxes. I silently wondered if that would even be possible ...

"Fax copying" - an indispensable means of everyday communication since the early 1980s - is actually a technology that many people have declared dead in the age of e-mail [1]. Fax machines have already completely disappeared from most offices, and many manufacturers have now stopped production [2]. In many other countries, SMS, messenger and e-mail have already completely supplanted faxes. In German medical practices, on the other hand, it is still the backbone of communication with other practices, hospitals or laboratories. In many cases, faxed documents are more likely to be accepted than e-mails, especially if their evidential value is important or if signatures are required. And last but not least, unlike electronic mail, faxes cannot contain viruses. However, modern technology has not stopped at faxing either - as a rule, in most cases there is no longer a real fax machine at least at one end of the line. So-called fax services, internet-based offers from service providers, make it possible to send and receive faxes without a conventional fax machine [3].

The days of paper faxes are numbered

With so-called "Mail-to-Fax" or "Web-to-Fax" services, the sender sends an e-mail to which the documents to be sent are attached as an image file, or sends the documents to be sent to a service provider via a website. The fax service provider then converts the email into the appropriate format and then sends it to the recipient's fax machine. With "fax-to-e-mail" services, incoming faxes on a special fax number are converted into e-mails by the fax service provider and then sent to the recipient. The received documents are attached to the e-mails in the form of graphics or PDF files and can be processed further electronically. The use of such fax services has several advantages: faxes can also be sent with mobile devices such as smartphones and tablets and, despite additional fees for the fax service, sending becomes cheaper if the documents are no longer printed out.

What is certain is that the days of conventional fax machines are finally numbered: Telekom and other large network operators are currently changing the switching technology for telephone and fax connections - by 2018, Telekom wants to completely abolish the analog telephone connection and all customers with Internet telephony (Voice -over-IP, VoIP for short) [4].

IP fax: prone to interference and insecure

In the past, the exchange switched its own point-to-point connection for a telephone and fax connection, via which the fax machines communicated directly with one another using analog signals. In the new VoIP network, the fax machine signals are digitized and transmitted in individual data packets over the Internet. However, conventional fax machines cannot cope with this technology, because data can be garbled or completely lost when the analog audio signals are digitized and when they are transmitted in packets. During phone calls, this is noticeable through background noises or small failures, which are ignored or compensated for by the human brain. Conventional fax machines lose their synchronization in the event of interruptions in the connection and therefore react sensitively to such malfunctions with illegible faxes or interruptions [5, 6]. To put it a bit more drastically: "Where there is only VoIP, the fax is dead." [7, 8]. Sending or receiving faxes via Internet telephony or using fax services not only has technical problems, but also another disadvantage that is decisive for the transmission of sensitive data: the data transmission is not protected against unauthorized access by third parties.

It is true that the conventional fax traffic processed via the telephone network can in principle also be intercepted by third parties. However, you have to make an active effort, you need a court order as well as the appropriate technology and access in order to be able to access the point-to-point connection. In the case of data traffic via VoIP, on the other hand, especially when using a fax service, the disclosure of the data to unauthorized third parties cannot be avoided.

Data protection not guaranteed

For example, suppose you want to send patient reports to a colleague using a "mail-to-fax" service. You create an e-mail, address it to the fax service and attach the findings to the e-mail as image files. The e-mail is sent and initially stored on the server of your e-mail service provider in the e-mail outbox. The e-mail is forwarded and ends up on the fax service provider's server, possibly after further intermediate stops on the way and the recipient's e-mail inbox, where the received data is also stored. A program on this server now takes the received attachments and converts them into fax signals, which are then sent to the recipient's fax machine. Each server in this chain has administrators, people who have unrestricted access to all data stored on the server and who are unauthorized third parties in the sense of professional secrecy according to Section 203 of the German Criminal Code.

You can basically protect data on its way through the network from being accessed by the server administrators by means of encryption. But this option is ruled out when using a fax service, because in the end it is not possible to create a readable fax from an e-mail with encrypted content. And even when sending normal faxes over VoIP connections, in which data packets are exchanged between servers, the data is transmitted unencrypted and can therefore be read by the server administrators [9]. Data protection advocates therefore strongly recommend basic end-to-end encryption of the content of the conversation in these cases [10]. Even when sending patient data via a normal fax machine, where you do not know the exact path of the data and the technology used by the recipient, you risk a criminal disclosure of secrets according to § 203 StGB - the responsibility initially lies with the recipient, if this one Fax-to-mail service used. Nevertheless, in the opinion of lawyers, this point of view can change if the sender has to assume, as a rule, that the recipient is using such a service.

What to do? Resist all temptations and promises and keep the old analog phone lines for as long as possible. Generally do not send patient data by e-mail or fax. And hope that the introduction of secure electronic doctor-to-doctor communication via the telematics infrastructure will not be further delayed [11].


(1) http://www.heise.de/tr/blog/artikel/Zauberformel-Fax-2733763.html
(2) https://www.retarus.com/blog/de/wie-funky-ist-heute-eigentlich-noch-das-fax/ and http://www.faz.net/aktuell/wirtschaft/faxgeraet- is-still-popular-in-Germany-offices-13806252.html
(3) http://www.computerwoche.de/g/die-besten-online-faxdienste,102662, http://www.computerwoche.de/a/ratgeber-faxen-ueber-das-internet,593006
(4) https://www.test.de/IP-Telefonie-Was-der-Wechsel-fuer-Telekom-Kunden-bedeutet-4900386-0/
(5) http://www.computerwoche.de/a/warum-das-fax-im-ip-netz-streikt,3213699
(6) .http: //www.apotheke-adhoc.de/nachrichten/apothekenpraxis/nachricht-detail-apothekenpraxis/umfrage-fax-ist-in-apotheken-unersetzlich/
(7) http://www.shz.de/deutschland-welt/netzwelt/voip-ist-bald-schluss-mit-den-faxen-id10976891.html
(8) http://www.elektronik-kompendium.de/sites/net/1103151.htm
(9) https://datenschutz-berlin.de//content/themen-az/voip/der-datenschutz-bei-voip, http://www.bfdi.bund.de/SharedDocs/Publikationen/Allgemein/Aerzteblatt. pdf? __ blob = publicationFile & v = 1
(10) http://www.shz.de/regionales/newsticker-nord/datenschuetzer-weichert-warnt-vor-kombination-facebook-whatsapp-id5791121.html, https://www.datenschutz.rlp.de/de /ds.php?submenu=grem&typ=dsb&ber=086_endtoend
(11) http://www.aerztezeitung.de/praxis_wirtschaft/e-health/gesundheitkarte/article/909829/e-card-dieses-jahr-keine-tests.html?sh=4&h=-1314397425




Alexander Wilms has been looking after his wife's general practitioner for more than 15 years and was instrumental in the development of RED Medical, the first web-based doctor software. The servers are in a German high-security data center. The patient data is only stored in encrypted form. The software has all relevant certifications from the KBV and the data protection seal of approval from the Independent State Data Protection Center (ULD) and TÜV Saarland.