Friday, 04 June 2021 08:33

Civil society, tech giants oppose Germany’s state Trojans plans


In an open letter published Thursday, companies and civil society organisations in Germany have opposed a planned expansion of the surveillance of sources and communications, which provides for a more stringent application of the so-called state Trojan. EURACTIV Germany reports.

In the open letter, the signatories – an unusual alliance that includes civil society representatives like the Chaos Computer Club, the Bundesverband IT-Mittelstand and the Centre for Democracy & Technology and tech giants Google and Facebook – criticised the planned “adaptation of the law on the protection of the constitution” and reform of the “Article 10 Act”.

According to them, the planned amendments, which would force communication services to support intelligence services, make the law one of the “harshest and most invasive surveillance laws” that could weaken or even break encryption.

The group is urging the German government to put an end to the initiative. It also calls on policymakers more generally to “ensure cybersecurity and the integrity of encrypted communications” to strengthen people’s trust in digital services, particularly given that during the current global pandemic “digital communication plays a central role in maintaining economic and social life.”

Hacks for the state

Of particular concern is the law’s proposed expansion of state Trojans, previously approved by the Grand Coalition in 2017. The law allows authorities to hack into IT devices to monitor ongoing communication via state Trojans – known as source hacking.

Back in 2017, legal expert Ulf Buermeyer stated that the use of state Trojans “cannot be justified constitutionally”. The Society for Civil Liberties then filed a constitutional complaint against the use.

Although authorities typically install the federal Trojan via physical access to the target device, the new law would give intelligence services the power to oblige companies to inject Trojans directly. With an app or an update, the Trojan could be fed directly into the device.

In mid-May, the planned expansion was criticised by the Bundestag’s expert group as disproportionate and for creating the potential for abuse. In addition, the Federal Commissioner for Data Protection and Freedom of Information warned in a statement that essential questions of security would remain unanswered by the law.

“In the meantime, one wonders how resistant to consultation a government must be to simply no longer take note of all criticism and additionally turn private companies into auxiliary workers of the secret services,” commented Chaos Computer Club spokesperson Linus Neumann.

Danger due to security gaps

However, the amendments also have some backers, most notably in the ranks of the Christian Democrat party.

“It cannot be that the Office for the Protection of the Constitution is allowed to wiretap telephone conversations in the run-up to an imminent danger […], but when an attack is then planned via Telegram or WhatsApp, the hands of the constitutional state are supposed to be tied,” said CDU MP Volker Ulrich in a Bundestag debate.

But there are stark differences between eavesdropping on phone conversations and hacking IT devices, and the latter could even cause serious harm. Critics have complained that keeping channels open for the infiltration of federal Trojans creates serious security gaps.

“By withholding security gaps, the general IT security level is lowered. It cannot be ruled out that criminals or foreign actors will also use these security gaps,” said the country’s Data Protection Commissioner, Ulrich Kelber.

Meanwhile, Free Democrat politician Benjamin Strasser told EURACTIV.de that source tapping poses a “serious risk to IT security” and called the law an “invitation for cybercriminals”.

“There have long been other methods to access encrypted communications of suspects. Such alternative tools help the security authorities in their work, but do not create security risks for millions of ordinary citizens,” Strasser added.

The government’s coalition partner, the Social Democrats (SPD), also showed little enthusiasm for the amendment but will support it because “the principle of compromise is inherent in a coalition,” said SPD member Uli Grötsch.

The law is set to be passed before the end of this legislative period – and is then likely to end up before the Federal Constitutional Court.
