By Oliver Noyan
(EurActiv) — In an open letter published Thursday, companies and civil society organisations in Germany opposed a planned expansion of the surveillance of sources and communications, which provides for a more stringent application of the so-called state Trojan.
In the open letter, the signatories – an unusual alliance that includes civil society representatives like the Chaos Computer Club, the Bundesverband IT-Mittelstand and the Centre for Democracy & Technology and tech giants Google and Facebook – criticised the planned “adaptation of the law on the protection of the constitution” and reform of the “Article 10 Act”.
According to them, the planned amendments, which would force communication services to support intelligence services, make the law one of the “harshest and most invasive surveillance laws” that could weaken or even break encryption.
The group is urging the German government to end the initiative. It also calls on policymakers more generally to “ensure cybersecurity and the integrity of encrypted communications” to strengthen people’s trust in digital services, particularly given that during the current global pandemic “digital communication plays a central role in maintaining economic and social life.”
Hacks for the state
Of particular concern is the law’s proposed expansion of state Trojans, previously approved by the Grand Coalition in 2017. The law allows authorities to hack into IT devices to monitor ongoing communication via state Trojans – known as source hacking.
Back in 2017, legal expert Ulf Buermeyer stated that the use of state Trojans “cannot be justified constitutionally”. The Society for Civil Liberties then filed a constitutional complaint against the use.
Although authorities typically install the federal Trojan via physical access to the target device, the new law would give intelligence services the power to oblige companies to inject Trojans directly. With an app or an update, the Trojan could be fed directly into the device.
In mid-May, the planned expansion was criticised by the Bundestag’s expert group as disproportionate and for creating the potential for abuse. In addition, the Federal Commissioner for Data Protection and Freedom of Information warned in a statement that essential questions of security would remain unanswered by the law.
“In the meantime, one wonders how resistant to consultation a government must be to simply no longer take note of all criticism and additionally turn private companies into auxiliary workers of the secret services,” commented Chaos Computer Club spokesperson Linus Neumann.
Danger due to security gaps
However, the amendments also have some backers, most notably in the ranks of the Christian Democrat party.
“It cannot be that the Office for the Protection of the Constitution is allowed to wiretap telephone conversations in the run-up to an imminent danger […], but when an attack is then planned via Telegram or WhatsApp, the hands of the constitutional state are supposed to be tied,” said CDU MP Volker Ulrich in a Bundestag debate.
But there are stark differences between eavesdropping on phone conversations and hacking IT devices, and the latter could even cause serious harm. Critics have complained that keeping channels open for the infiltration of federal Trojans creates serious security gaps.
“By withholding security gaps, the general IT security level is lowered. It cannot be ruled out that criminals or foreign actors will also use these security gaps,” said the country’s Data Protection Commissioner, Ulrich Kelber.
Meanwhile, Free Democrat politician Benjamin Strasser told EURACTIV.de that source tapping poses a “serious risk to IT security” and called the law an “invitation for cybercriminals”.
“There have long been other methods to access encrypted communications of suspects. Such alternative tools help the security authorities in their work, but do not create security risks for millions of ordinary citizens,” Strasser added.
The government's coalition partner, the Social Democrats (SPD), also showed little enthusiasm for the amendment but will support it because “the principle of compromise is inherent in a coalition,” said SPD member Uli Grötsch.
The law is set to be passed before the end of this legislative period – and is then likely to end up before the Federal Constitutional Court.