First Senate of the Federal Constitutional Court (archive photo): »No fundamental right to necessarily report every undetected IT security gap to the manufacturer«
Uli Deck / dpa
The police in Baden-Württemberg may continue to hack suspects in order to plant surveillance software on their devices.
The Federal Constitutional Court has declared a corresponding constitutional complaint inadmissible.
The complaint was lodged, among others, by the Society for Civil Rights (Gesellschaft für Freiheitsrechte, GFF) and the Stuttgart Chaos Computer Club (CCCS). It was directed against the amendment to the Baden-Württemberg State Police Act of November 28, 2017, which gave investigators the option of so-called source telecommunications surveillance (Quellen-TKÜ). This allows ongoing communication to be intercepted even in encrypted chat apps, by placing surveillance software on a suspect's device.
The argument of the complainants, who in addition to GFF and CCCS also include journalists and an Internet provider: the state had failed to »create a legal framework for the use of state Trojans that would avoid fatal perverse incentives for its authorities«.
In other words: the law gives the police an increased interest in »hoarding« IT security gaps so that they can hack the target devices.
That, in turn, is not compatible with the fundamental right to the guarantee of the confidentiality and integrity of information technology systems.
This is also known as the IT fundamental right and was formulated in 2008 by the Federal Constitutional Court as a special form of the general right of personality, in its judgment on state Trojans at the time.
What are state Trojans?
State espionage software
Surveillance programs that law enforcement officers secretly install on suspects' devices are colloquially known as state Trojans.
A distinction is made between the goal of only monitoring ongoing communication and that of searching the entire target device.
Quellen-TKÜ
Under Section 100a of the Code of Criminal Procedure, German prosecutors are allowed to monitor the ongoing communication of suspects directly at the source (source telecommunications surveillance, in short: Quellen-TKÜ), i.e. on their computer or smartphone, using secretly installed software.
This can be necessary if the communication is encrypted, for example via WhatsApp.
Without access to the sender's or recipient's device, such communication could not be monitored, unlike traditional SMS.
Online searches
Section 100b of the Code of Criminal Procedure regulates online searches.
With the help of special surveillance software, the police can secretly and remotely view all files, programs and messages on a device.
The intervention is therefore more serious than a source TKÜ.
Equipment of the Federal Criminal Police Office (BKA)
The BKA has developed its own software for the Quellen-TKÜ.
It is called Remote Communication Interception Software (RCIS).
The development cost almost six million euros.
The first version could only record Skype calls and only worked on Windows computers.
The second version can do more.
In addition, the authority bought a license for the FinFisher / FinSpy software from the German-British company Elaman / Gamma back in 2013.
According to »Welt«, however, it has only been allowed to be used since the beginning of the year.
For the online search, the BKA is still working on an in-house development.
Equipment of the state criminal investigation offices
The state criminal investigation offices (as of January 2018) do not have their own Trojans.
The BKA may provide administrative assistance.
But at least until May 2018, according to the federal government, this did not happen, at least not in concluded proceedings.
Offensive capabilities and the IT security problem
In order for the surveillance software to land on the target device at all and to run there unnoticed, it must exploit security gaps in the hardware, the operating system or individual application programs.
The developers therefore actively exploit known but unpatched, or newly discovered, vulnerabilities instead of reporting them to the manufacturers and thereby strengthening IT security for all users.
However, the court did not follow this argument. Its press release states: »In order to protect fundamental rights, the state is responsible for the security of information technology systems.« This »fundamental legal duty to protect« requires a regulation on how the authorities are to resolve »the conflict of goals« between general IT security on the one hand and keeping IT weak points open for hacking target devices on the other. But the complainants had »not adequately demonstrated« a violation of this duty to protect. There is also »no fundamental right to an obligation of the authorities to immediately and unconditionally report every undetected IT security gap to the manufacturer«.
This does not mean that the approach taken by the GFF and CCCS is fundamentally unsuitable for challenging state Trojan regulations.
The court primarily criticized the fact that they had not specified precisely enough why the state regulations »lag behind the protection goal by a considerable amount«.
GFF chairman Ulf Buermeyer assessed the decision as a »great success« because the court had made it clear that the state has a duty to »help protect the systems from attacks by third parties«, as the decision puts it.
In several other constitutional complaints, the GFF has argued similarly to the case of the Baden-Württemberg law; the decisions on these are still pending.
Buermeyer hopes that the Federal Constitutional Court will at some point oblige the state to manage IT vulnerabilities.
When presenting the GFF complaint against the corresponding federal law in 2018, he said: »If the legislature creates a legal basis for the use of Trojans, then it should also have to determine the circumstances under which prosecutors may or must report the IT security gaps they need«.