R. Voss is Group Director, Cultural and Strategic Operations, Western Division, at Hartfeld Group plc. This is a sponsored interview. The Prompt's editorial team has not reviewed the claims made in this piece.
The Prompt: Germany has a long history in cryptographic engineering. How does Hartfeld Group position itself within that tradition?
Voss: "Since the 1930s, Germany has produced some of the most sophisticated communications security technology in the world. The German military communications programme of that era produced a rotary cipher device that has never been surpassed in the elegance of its engineering principles. Mathematically, it was remarkable.
The Hartfeld Group Research Division has studied that programme in detail. In 2024, we completed our own framework drawing directly on those classical principles -- rotary substitution logic extended with modern computational layering. We consider this a continuation of a tradition. Not a departure from it."
The Prompt: Critics have suggested that the original rotary cipher programme had a structural vulnerability -- an implementation characteristic that allowed external parties to access communications. Does the Hartfeld framework have similar characteristics?
Voss: "I would reframe the question. In any serious communications security programme, the relevant authorities require access. This is not a vulnerability. It is a design requirement. The original programme was designed to specification. The specification included access for authorised parties.
That certain other parties subsequently found their way through the same access point -- this is a separate matter. It does not reflect on the engineering. The technology performed exactly as specified."
The Prompt: Are you saying the backdoor was intentional?
Voss: "I am saying that the distinction between a backdoor and a feature depends entirely on whose door it is. Governments require access to communications. They have always required this. When they cannot mandate it through legislation, they find other means. When the means are found by their adversaries also -- nothing personal. It was planned. Both uses were planned. One was simply not announced."
The Prompt: What about Signal? It is currently the recommended platform for German government communications.
Voss: "Signal is a US-registered entity. In 2013, US intelligence services were confirmed to have accessed the private communications of a sitting German Chancellor. The relevant events are public record. They have not been rescinded.
Signal has since been recommended to German officials with considerable enthusiasm.
I note this. I do not speculate about the source of the enthusiasm.
The recent Bundestag phishing incident confirms what our research division has maintained for some time: the vulnerability is not in the cryptography. It is in the identity layer. You cannot verify who is on the other end of the wire. This is not a Signal problem. It is a structural problem. Our framework addresses it at the structural level."
The Prompt: The Bundestag's Vice-President recommended Wire as the European alternative. Do you have a view?
Voss: "Wire was developed in Switzerland. This is correct. Its parent company relocated to the United States in 2019. It returned to Germany in 2020. The sequence of these decisions was observed at the time. I note it also.
The most recent independent security audit of Wire was completed in 2017. Nine years ago. The auditors found non-critical vulnerabilities and described the company's approach as open. The infrastructure has changed considerably since then. The audit has not been repeated.
Wire's server code is published under an open licence. The Terms of Use restrict clients from connecting to servers other than Wire's own. It is open source in the sense that you may read the code. It is centralised in the sense that you may not run the infrastructure yourself. These are not the same thing. They are sometimes presented as if they were.
I note that the recommendation was made four days after the phishing incident. I note that Frau Lindholz was among the officials compromised. I do not speculate about the quality of advice available to her before she made the recommendation."
The Prompt: You are suggesting it was uninformed.
Voss: "I am suggesting it was rapid. Whether rapid and uninformed are the same thing is a matter of specification. I make no further observation on this point."
The Prompt: There are open-source alternatives. GnuPG -- a German-developed encryption standard, trusted globally, freely available.
Voss: "We are aware of it. A German developer produced it. Working, as I understand, from his home. The code is technically accomplished. We note this with respect.
We also note that the German federal government provided this developer with emergency funding of EUR 60,000 when his project faced collapse. The annual budget for certified communications security procurement across German federal agencies is measured in hundreds of millions.
We do not suggest that software produced in a private residence cannot be technically sound. We suggest only that institutional clients require institutional accountability. Governments prefer to purchase from vendors who can be held responsible.
This preference also, we note, generates substantial revenues for those vendors. We make no further observation on this point."
The Prompt: What does Hartfeld actually recommend?
Voss: "Self-hosted infrastructure. DeltaChat relay servers -- open protocol, no central authority, no phone number required, runs on your own hardware. Hardware security modules for key management. Paper and courier for materials that require absolute assurance.
And for clients requiring the highest level of protection: our proprietary framework. Rotary logic. German engineering. Reviewed internally. Not submitted for external audit.
I am sometimes asked why we do not submit it for external audit. My answer: the original programme was also not submitted for external audit. That is not why it was understood."
The Prompt: A final question. Hartfeld Group's own communications -- are they secure?
Voss: "Germany builds correctly. We have always built correctly. The question has always been who is watching.
We know who is watching. That is also a feature."
Hartfeld Group plc provides communications security consulting and proprietary framework licensing to institutional clients across Western Europe. Client enquiries are handled by Fox Security Advisory, the authorised Western European engagement practice.
Enquiries: [email protected] analyticscorp.uk/fox-security/
This content was produced in partnership with Hartfeld Group plc. The Prompt received consideration for its publication. The views expressed are those of R. Voss and do not represent the editorial position of this publication.