Constitutional Court: State Trojans are taboo for "everyday crime"
According to the Federal Constitutional Court, the police may not use state Trojans if an offense is punishable by a maximum prison sentence of 3 years or less.
The Federal Constitutional Court has issued a landmark ruling on the extent of secret surveillance on the internet. According to the ruling, the police may no longer use state Trojans if a prosecuted offense is punishable by a maximum prison sentence of three years or less. In the fight against “everyday crime,” investigators will therefore no longer be able to secretly install software on computers, smartphones, or other digital devices to monitor data. At the same time, the highest German court has declared the legal regulation on secret online searches in the area of criminal prosecution to be unconstitutional on formal grounds.
Interference too strong
In their recently published ruling from June 24 (case reference: 1 BvR 2466/19), the judges in Karlsruhe argue that the intrusion into privacy in this type of surveillance is very severe. To justify this, the offense to be prosecuted must also be particularly serious. The intrusion is disproportionate for minor offenses. The responsible First Senate has therefore declared the relevant legal bases null and void.
In the case of online searches, the court criticized a purely formal error: the so-called citation requirement. According to Article 19 of the Basic Law, the legislator must specify exactly which fundamental right it is restricting. In the case of online searches, however, it only referred to the so-called IT fundamental right, but not to the separate secrecy of telecommunications under Article 10 of the Basic Law, which is also affected. According to the ruling, the current regulation will remain in force for now so that the authorities can continue their investigations. However, the legislator must revise it promptly and make it fundamentally constitutional.
StPO reform of the grand coalition
In principle, law enforcement agencies such as the federal and state police forces are allowed to monitor encrypted internet calls and chats as part of their day-to-day work. In 2017, the Bundestag created a corresponding basis for source tapping (telecommunications surveillance) via an amendment to the Code of Criminal Procedure (StPO) with the votes of the grand coalition at the time. The broad list of offenses in Section 100a of the Code of Criminal Procedure, which also regulates the interception of traditional telephone calls or access to emails, is a prerequisite for this.
The list starts with murder and manslaughter but ranges from tax offenses, computer fraud, and receiving stolen goods to inducing refugees to submit abusive asylum applications. The Constitutional Court has now emphasized that this catalog is too long and undifferentiated and has restricted it. According to the court, the state must maintain proportionality. It may not strike with the “big hammer” to combat “minor offenses”. Regarding the scope of a criminal provision, the court ruled that an offense is particularly serious if it is punishable by a maximum prison sentence of more than five years.
The reform of the Code of Criminal Procedure also gave investigators the power to secretly spy on hard drives and computers if they suspect such “particularly serious crimes”. This clause for online searches is linked to the stricter section 100c of the German Code of Criminal Procedure, which regulates eavesdropping. It remains unclear how the fundamental right to confidentiality and integrity of IT systems, developed by the Federal Constitutional Court in the 2008 dispute over computer bugs, is to be safeguarded in practice. The opposition spoke of one of the “most invasive surveillance laws of recent years”.
Numerous constitutional complaints
Numerous organizations and individuals have lodged constitutional complaints against the StPO reform. The Gesellschaft für Freiheitsrechte (GFF) and the Deutscher Anwaltverein (DAV) complained in 2018, for example, that the legislator had not defined how a state Trojan may be placed on devices. In particular, the possible infection of a target computer by exploiting security vulnerabilities is dangerous, as the authorities could “hoard” corresponding vulnerabilities. Ultimately, millions of users of IT systems worldwide who are affected by a vulnerability known to the federal government would be “exposed to a continuing risk of cyber attacks.”
FDP politicians and the data protection association Digitalcourage had previously referred the matter to the Federal Constitutional Court. With such laws, the Black-Red government is paving the way “to an authoritarian surveillance state,” the activists said in justifying their complaint, which has now been decided. Everyone who communicates digitally is impacted and can support the complaint in Karlsruhe.
The First Senate justified its decision by stating that source tapping constitutes a very serious interference with both Article 10 and the IT fundamental right. The nature and scope of the data collected secretly and by deliberately circumventing security mechanisms already had an intrusive effect in itself, as the measure enables access to a database “that can far exceed the scope and diversity of conventional sources of information.”
Tapping the “raw data stream” is dangerous
According to the judges, the “entire raw data stream” can be accessed. This has an “extraordinary scope,” especially under the current conditions of information technology and its importance for communication relationships. The data streams collected are not only used to transport and analyze an immense number of forms of electronic communication. Considering the ubiquitous and diverse use of IT systems, every type of individual action and interpersonal communication is now increasingly reflected in electronic signals and is thus captured by state Trojans in particular. In addition, the integrity of an IT system is being compromised and its confidentiality jeopardized.
In contrast, Digitalcourage was unsuccessful with its 2019 constitutional complaint against the license to use state Trojans created in 2018 in the North Rhine-Westphalia (NRW) Police Act. The data protection advocates criticized the fact that it was not technically possible to limit the function of the instrument to the monitoring of ongoing communication. In addition, security vulnerabilities would inevitably be exploited to install the surveillance software on the target device in the first place. The requirements for such measures are also too broad.
NRW police may continue to use source-based TKÜ
The Federal Constitutional Court also ruled on June 24 (case reference: 1 BvR 180/23): The police in NRW may use state Trojans to prevent serious crimes such as terrorism where there is a concrete danger to particularly important legal interests such as life and limb. In this case, the judges consider proportionality to be ensured, as the power is linked to a minimum prison sentence of ten years or the offense has a terrorist background. The protection of the public from such threats outweighs the intrusion into the privacy of those affected.
According to the latest statistics, law enforcement officers once again used more state Trojans in 2023. Courts permitted the hacking of IT devices 116 times; in 2022, there were 109 orders. Federal Minister of the Interior Alexander Dobrindt (CSU) also wants to allow the federal police to use the federal Trojan.
(kbe)