Smartphone. Flickr/Christian Hornick. Some rights reserved.
At the end of its eighteenth electoral term, the German Bundestag voted in favour of a controversial law that creates a legal basis for the widespread use of malware, the so-called ‘state trojan’, on smartphones, tablets and computers during a range of criminal investigations.
Because the law has so far failed to attract sufficient public debate, it is now important that we talk about how the new legislation facilitates extensive surveillance as a potential standard practice in law enforcement, in what way it compromises Germany’s national cybersecurity, and to what extent it complements EU legislation.
Mainly unnoticed in the public debate
The new bill passed with the support of the grand coalition of Conservatives (CDU/CSU) and Social Democrats (SPD) on 22 June 2017. It was hidden in an amendment to the German Code of Criminal Procedure, an apparently uncontroversial law intended to make criminal procedure more effective and practical. This is one reason why it remained widely unnoticed until its adoption.
During the plenary debate, Bettina Bähr-Losse (SPD) argued, “Twenty years ago, terrorist or criminal acts were planned in flats, whereas today they are organised in chatrooms.” Michael Frieser, member of the CSU declared, “This is how we facilitate efficient, cutting-edge law enforcement that’s keeping us all safe.” Members of the Green Party and the far-left Die Linke opposed the law. Konstantin von Notz, deputy faction leader of the Greens, criticised the law as “a radical and disproportionate violation of civil rights.” Left party whip, Jörn Wunderlich, deemed it to be one of the “most invasive surveillance laws of recent years.”
What is a state trojan and when is it used?
The state-owned malware, officially referred to as Remote Communication Interception Software (RCIS), is running through various test phases to expand its use to encrypted messenger services. According to a leaked document published on netzpolitik.org, the Federal Criminal Police Office (BKA) expects it to be fully operational by the end of this year.
Simply put, once the malware is installed on a suspect’s device, it allows investigators to monitor messages before they are encrypted and thus to read communications on messenger services such as WhatsApp. Whereas previous surveillance measures were limited to national security threats such as terrorism, the new bill allows the use of malware in various other cases such as subsidy fraud, tax evasion, sports betting fraud or falsification of documents. The government claims that investigators are only supposed to read ongoing conversations, similar to conventional phone-tapping, and not gain access to stored messages. In this way, the government believes fundamental data protection rights to be guaranteed.
However, this restriction is probably not technically feasible: the malware would have to capture a particular set of sent or received messages while simultaneously excluding all other keystrokes, drafts and messages from previous chats. In either case, it must be argued that data protection rights apply to the entire communication.
So, while this position most probably infringes fundamental data protection rights, its technical implementation is also highly disputed.
The legislation further permits remote online searches in more severe cases, i.e. investigations of murder and treason, but also corruption, money laundering, extortion or drug offences. Remote online searches can read and process all data stored on the computer’s memory and storage hardware. If necessary for the investigation, even third parties’ devices may be hacked.
The new bill constitutes a serious expansion of surveillance measures that likely violates the constitution. A ruling by the Constitutional Court in 2008 recognised the confidentiality and integrity of IT systems as a basic right. Hence, remote access to a citizen’s computer is permissible only if there is a concrete threat to an exceedingly important and legally protected good, that is, people’s life and freedom, or critical public goods whose endangerment affects the existence of the state.
On top of this, there is a dangerous catch. To install the malware, investigating authorities must make use of existing security holes and weaknesses in operating systems. A logical consequence of using the tool is the uncalculated risk of deliberately leaving identified vulnerabilities in national IT systems unpatched. Moreover, the authorities’ interest in gaining access to devices effectively assists other unauthorised access, such as foreign cyber-attacks.
European cyberspace as a digital battlefield
In view of the increased use of hybrid warfare by state and non-state actors, including cyber-espionage and sabotage activities such as the global ransomware attacks on critical infrastructure and businesses (e.g. WannaCry and ExPetya), or Kremlin-funded disinformation campaigns on social media and news outlets such as RT Deutsch and Sputnik, cybersecurity has risen to the top of European agendas. In his 2017 State of the Union address at the European Parliament, Commission President Jean-Claude Juncker declared, “Europe is still not well equipped when it comes to cyber-attacks … [which] can be more dangerous to the stability of democracies and economies than guns and tanks.” Ironically, the interception or theft of personal data using tools such as the state trojan is clearly understood as cybercrime.
Despite the emerging focus on cybersecurity, the effectively destructive German state trojan appears to be compliant with recently adopted EU law. In April 2016, the European Parliament adopted a regulation covering the protection of natural persons with regard to the processing of personal data and the free movement of such data; however, it excludes the processing of data “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.” Hence, the regulation does not deter Germany’s expansion of surveillance by means of malware during criminal investigations.
The current political debate on internal and external security threats is ambiguous. The EU and its member states propose to counter emerging cyber-threats posed by state and non-state actors. However, the use of malware as a national approach to advancing criminal investigations and surveillance will have the opposite effect on national cybersecurity capacities, whilst jeopardising citizens’ basic privacy and data protection rights. To conclude, it is highly uncertain whether the German state trojan, or the gap in EU legislation that tolerates such an extension, can outweigh the cybersecurity risks and data protection concerns.
iOS7 Homescreen blurred (DSC_0719). Flickr, Jan Persiel. Some rights reserved.
Update, 22 November 2022: This article has been edited to correct the date of parliamentary approval of the bill.