The Law and Business of Social Media
July 16, 2017 - European Union, Data Security, Privacy

German Parliament Enacts Wide-ranging Surveillance Powers Allowing End User Devices to Be Hacked by Authorities

On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices, allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud and everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap.

Since the government’s plans became public, the new bill has drawn widespread criticism in Germany. First, the content of the new provisions is highly controversial:

  • Compared to most other countries (including the U.S.), where such measures are not permitted, the measures to be introduced by the new law would significantly lower the German standard of protection of individuals’ privacy against governmental access.
  • In 2008, the German Federal Constitutional Court introduced a new fundamental right aimed at protecting end user devices against access and tampering by the authorities. In its decision, the court also set a high level of safeguards that were meant to prevent intrusion into an individual’s private life. Even though the new law also generally contains such safeguards, it is likely that it will be found to violate privacy rights and thus be declared void if brought before the Court.
  • Authorities have to rely on security loopholes or designated backdoors to hack into end user devices – which is diametrically opposed to tech companies’ aim of making their products as safe as possible.

Second, the way the bill was rushed through Parliament was subject to heavy criticism. Ultimately, the governing parties managed to push wide-ranging surveillance powers through Parliament in just a few days by burying these new provisions under seemingly insignificant procedural amendments on short notice. Former Federal Data Protection Commissioner Peter Schaar issued a statement labeling this procedure “reckless” given the grave implications the new law would have for the individual freedoms of the people.

The issue of governmental access to end user devices remains a very hot topic globally, creating complicated (legal) issues between technology companies and law enforcement.

The new law will come into force immediately once it passes the Federal Council (Bundesrat) and after its publication in the Federal Gazette.