Enlarge image
"Surveillance law set in stone" - Federal Police officers
Photo: Boris Roessler / dpa
Since 2017, German investigators have been allowed to hack suspects' devices under certain circumstances and slip surveillance software on them to read their communications.
The federal police and all 19 federal and state intelligence services are now given similar powers.
The corresponding changes in the Constitutional Protection Act and in the Federal Police Act were passed by the Bundestag on Thursday with the votes of the grand coalition.
Black-Red wants to give the authorities the opportunity to get encrypted communication from suspects.
Appropriate monitoring software, also known as state trojans, should branch off chats or calls before they are encrypted or after they have been decrypted again.
Mathias Middelberg, domestic policy spokesman for the CDU / CSU parliamentary group, said in the plenary that "bringing constitutional protection law to the state of the art" is the essential core - and it is "about a very manageable number of cases per year."
Uli Grötsch from the SPD said that his party is primarily concerned with the fight against right-wing terrorism with the new laws.
The most important components of the new regulations:
In the future, the federal police will also be able to preventively monitor people's communications, i.e. before they have committed a crime.
The prerequisite for this is that it is a matter of averting "an urgent danger to the existence or security of the federal government or a state or to the life, limb or freedom of a person or property of significant value, the preservation of which is in the public interest."
Contact persons of the suspects may also be hacked under certain circumstances.
What are state trojans?
Expand the State espionage software area
Surveillance programs that law enforcement officers secretly install on suspects' devices are colloquially known as state trojans.
A distinction is made between the goal of only monitoring an ongoing communication or searching the entire target device.
Expand area Quelle-TKÜ
According to Section 100a of the Code of Criminal Procedure, German prosecutors are allowed to monitor ongoing communication between suspects directly at the source (source telecommunications monitoring, in short: Quellen-TKÜ) - i.e. on their computer or smartphone, using secretly smuggled software.
This can be necessary if the communication is encrypted, for example via WhatsApp.
Without access to the device from the sender or recipient, it cannot be monitored, unlike with classic SMS.
Expand areaOnline searches
Section 100b of the Code of Criminal Procedure regulates online searches.
With the help of special surveillance software, the police can secretly and remotely view all files, programs and messages on a device.
The intervention is therefore more serious than a source TKÜ.
Expand the Equipment of the Federal Criminal Police Office (BKA)
The BKA has developed appropriate software for the Quellen-TKÜ itself.
It is called "Remote Communication Interception Software" (RCIS).
The development cost almost six million euros.
The first version could only record Skype calls and only worked on Windows computers.
The second version can do more.
In addition, the authority bought a license for the FinFisher / FinSpy software from the German-British company Elaman / Gamma back in 2013.
According to »Welt«, however, it has only been allowed to be used since the beginning of the year.
For the online search, the BKA is still working on an in-house development.
Expand the equipment of the state criminal investigation offices
The state criminal investigation offices (as of January 2018) do not have their own Trojans.
The BKA may provide administrative assistance.
But at least until May 2018, according to the federal government, this did not happen, at least not in closed proceedings.
Offensive Skills and IT Security Issue Expand
In order for the monitoring software to land on the target device and work there unnoticed, it must exploit security gaps in the hardware, the operating system or individual application programs.
The developers therefore aggressively exploit known, but not fixed, or newly discovered vulnerabilities instead of reporting them to the manufacturers and thus strengthening the IT security of all users.
In the draft of the federal government, it was also provided that the federal police may also access stored, i.e. not only currently ongoing, communication.
This would have given this source telecommunications monitoring (source TKÜ) measure called also features of the even more extensive online search (see info box).
The corresponding sentence has been deleted in the version that has now been adopted.
The news services are also only allowed to use the source TKÜ.
In the amendment to the Constitutional Protection Act, the parliamentary groups also slightly defused a passage that had particularly worried industry.
The federal government actually wanted to oblige providers, app operators, e-mail services and other telecommunications providers to help the intelligence services distribute state Trojans.
Only Internet providers are affected by the law that has now been passed, in particular (but not only) "through support for the diversion of telecommunications" to the respective authorities.
According to the explanatory memorandum for the law, the abolition of encryption is explicitly not one of the company's obligations.
Saskia Esken is against the new powers
Nevertheless, the industry association Bitkom protests on Twitter, among other things: »The security and trustworthiness of telecommunications networks and services are valuable assets and must not be undermined.
Bitkom advocates broad social debate instead of rapid regulatory action «.
The opposition is also outraged.
There have already been constitutional complaints against the state Trojan regulations of 2017, but a judgment is still pending.
There are also likely to be complaints against the new laws in Karlsruhe, as several organizations have already announced.
The domestic political spokeswoman for the Green parliamentary group, Irene Mihalic, told the editorial network Germany on Wednesday that it was "completely incomprehensible why the sources TKÜ entered the law in this form, although the Federal Constitutional Court is sued against the measure in other laws." . The coalition would have been well advised to wait for the verdict from Karlsruhe.
Anke Domscheit-Berg from the parliamentary group Die Linke tweeted: "The consequences of the state Trojan are not only serious for IT security, but also mean an expansion of the surveillance infrastructure." Like IT security experts, she is concerned that the authorities are dependent on open IT security gaps for their Trojans. As long as these are not made known and closed by the manufacturers concerned, they pose a risk to the safety of all users, is the argument. Because others could find the loopholes and use them for illegal purposes.
Mario Brandenburg, the technology policy spokesman for the FDP in the Bundestag, also announced before the vote: "The SPD and the Union have set a surveillance law in stone," which is "an expression of the surveillance fantasies" of the Federal Ministry of the Interior.
Even the SPD co-chair, Saskia Esken, is against the new regulations.
She wrote on Twitter on Wednesday: “I still consider the decision to use state Trojans to be wrong, especially in the hands of secret services.
This form of surveillance is a fundamental encroachment on our freedoms and a security risk for our economy. «In the parliamentary group of your party, however, this position was not a majority.