PRIVACY

Surveillance - A Real Threat to Information Security and Journalism

Why the German basic right to the internet is at stake.

By Pia Staudenmaier

April 11, 2021

Whenever there is a new surveillance law that affects digital systems, people interested in internet politics are up in arms against it, plainest to see on Twitter.  However, the outrage is usually not something that has a great effect on the legislation. A few representatives may also feel related to those interested in data protection and the freedom and security online, but after all, the surveillance laws usually pass. By protests on the streets, especially with so-called 'freedom not fear' demonstrations, privacy activists also tried to gain attention for topics such as data retention policies and government spying malware.

However, all of this only had a very limited effect and was mostly ignored by lawmakers. So civil rights activists filed constitutional complaints, which lead to two interesting decisions by the Federal Constitutional Court in Germany in 2008 and 2016, restricting the use of trojans used for government surveillance and, by the opinion of some computer experts, practically making lawful use of them technologically impossible.

Why should anyone care for their country's criminal procedure law?

Criminal procedure law regulates the manner in which executive power conducts criminal law cases. Most people believe it does not concern them, but this might be just a little short-sighted. The new legislation changed inter alia §§ 100a and 100b of the Code of Criminal Procedure which gives investigation authorities the right to access the information technology system e.g. your computer or smartphone. There are many ways to get access to private systems without the person being aware of it. It is most likely either through a phishing email or by exploiting existing security gaps. It would then be possible to read every conversation on the phone, see all pictures and data and access the camera. This leads to the following problems. 

Firstly, federal authorities have an interest in systems having security gaps. Which means security gaps that are yet unknown to the companies are of use and can be exploited. Ultimately, the security gaps will not be reported but rather kept secret. This means the government would actively support it. This will help cybercriminals, and it will lower information security. This is not just a fictional scenario but actually what happened when NSA's "EternalBlue" exploit was leaked and used for the WannaCry ransomware, which caused billions of euros in damage. 

Secondly, as authoritarian governments can exploit the security gaps, investigative journalism will be a great deal harder and riskier. Two journalists in exile in Germany joined an appeal to the constitutional court initiated by the society for civil rights (Gesellschaft für Freiheitsrechte - GFF). Both did research on their government's wrongdoing and are therefore constantly under pressure whilst receiving threatening messages. They claim that security gaps in their phones and computers are most likely to be life-endangering for them. Since anyone could use them to hack into their phones and computers to find sensitive information or even the current location. This is yet another obstacle for people who are fighting for the truth and for the people who are willing to help journalists since the informants will risk their lives likewise.

Another raw point of the use of surveillance software is the validity of evidence extracted with it or such evidence that is later found on an infected device since the software could be used to tamper with evidence as well.

The Fundamental Right to the Guarantee of the Confidentiality and Integrity of Information Technology Systems

In 2008 Germany's constitutional court ruled that the general right of personality encompasses the fundamental right to the guarantee of the confidentiality and integrity of information technology systems. Since a majority of people have computers today and they are used for different purposes, such as for comprehensive administration and archiving of an individual's personal and business matters, as a digital library or for entertainment. Computers are therefore a significant part of personal development. 

This increases when the systems are connected through the internet, where many types of communication services help the individual maintain active social contacts. The society for civil rights says in the constitutional complaint, "modern information technology systems resemble an outsourced part of the brain". This being said, one wonders why the federal authorities should have more access. So far, it has already been possible to listen and read all ongoing conversations.

The court ruled in 2008 that the secret infiltration shall only be legitimate "if factual indications exist of a concrete danger to a predominantly important legal interest." Which are the life, limb, and freedom of the individual or such interests of the public a threat to which affects the basis or continued existence of the state or the basis of human existence. This restriction applies to broad surveillance. The new legislation thus could avoid it because it is supposed to permit reading ongoing conversations solely.  In a commentary to the Committee on Legal Affairs and Consumer Protection, Dr. iur. Ulf Buermeyer said it is not possible to distinguish the two procedures from a technological perspective and argued there is no way to control what the authorities will do.

Hence the risk that all the sensitive data will be read, be it on purpose or even negligently, without the strict limitation is high. The extended use of this technology, therefore, violates not only fundamental IT rights but also the fundamental rights of others. Experts in the technological field also argue this way; for example, the Chaos Computer Club issued a statement  where they demanded that the so-called "Quellen-TKÜ" should be treated equally as an online search of the devices stored data, for which the German Federal Constitutional Court set the mentioned high bar requirements. (The "Quellen-TÜK" is the lawful interception of the communication data on the device before it gets encrypted).

This expertise was mostly ignored by the federal government as well as by several governments of German states, who introduced the "Quellen-TKÜ" their new police legislation without meeting the requirements for an online search of the device. It looks like security authorities and domestic politics did not accept yet that classical wire tapping times are over. This leads to an inflated number of cases where government malware is supposed to be used. As the icing on the cake, just a few months ago, even intelligence services were given the competence to use this kind of method to gain access to telecommunication data, despite severe warnings from the federal data protection officer and several civil rights organisations.

Closing remarks

Coming back to the protest on Twitter. Unfortunately, the protest did not have the desired reach. However, the next outrage against the so-called "Staatstrojaner" is probably only a matter of time. The game the government seems to play also keeps to be the same, even if the laws do not fulfill the court's requirements, there are always a few years until the next decision is made in Karlsruhe, and up until then, the surveillance is in effect.

Pia Staudenmaier holds a bachelor of law from Freie Universität Berlin. She specialized in international law at Stockholm University with the main focus on human rights and data privacy law in the US and Europe. She worked for a technology-based Law Firm and in a legal tech startup. She was speaking at the Legal Tech Summer School 2019. In the Law and Technology Circle, she is part of the Digital Human Rights Team, focusing on data privacy.