State Trojan ruling: IT security remains the open flank
What does the Federal Constitutional Court's decision on the interception of WhatsApp & Co. mean in practice? Experts come to different conclusions.
Civil rights activists have reacted largely positively to the ruling by the Federal Constitutional Court, which has put a stop to the use of state Trojans in the fight against "everyday crime". The judges in Karlsruhe have thus ensured "that IT systems will only be hijacked by state investigators if there is suspicion of really serious crimes", welcomed Frank Braun, one of the legal representatives of the complaint against the state Trojan initiated by the data protection association Digitalcourage.
The restrictions imposed by the Constitutional Court are "correct and important", says the second litigant, Jan Dirk Roggenkamp, also recognizing a partial success. David Werdermann, lawyer at the Gesellschaft für Freiheitsrechte (GFF), praises the fact that the highest German court is breaking with previous case law: "It makes it clear for the first time that the use of state Trojans always means a particularly serious encroachment on fundamental IT rights – even if the police 'only' want to access communication data."
According to Werdermann, the Constitutional Court points out in a subordinate clause that the potential threat posed by the measure is particularly pronounced when authorities use the services of private third parties to infiltrate end devices. "This can be understood as an invitation to the state authorities: Cooperation with shady companies like the NSO Group, which also sells its Pegasus Trojan to dictatorships, must come to an end."
What could change?
According to the latest statistics, law enforcement agencies once again used more state Trojans in 2023, for example to intercept conversations on WhatsApp & Co. before encryption or after decryption. According to Werdermann, it remains to be seen whether the ruling will restrict current practice. It is not even publicly known which offenses form the basis for such source telecommunications surveillance (Quellen-TKÜ) in practice. The only thing that is clear is that the suspicion of a criminal offense under the Narcotics Act (BtMG) was the main reason for the measures.
The relevant section 100a of the German Code of Criminal Procedure (StPO) refers to certain offenses committed on a commercial basis, explains the GFF lawyer. The penalty range is up to five years. The Federal Constitutional Court has left open whether this is a particularly serious offense that justifies source surveillance. Other particularly serious offenses under the BtMG clearly allow such a measure. A distinction must be made with regard to the formation of a criminal organization: anyone who founds such an organization or is actively involved in it faces a maximum sentence of five years, whereas mere support is not a serious offense.
In general, Werdermann believes that the ruling prevents a "potential expansion of source tapping". The court has made it clear that such an intrusion is to be assessed differently from classic wiretapping without a Trojan. So far, the requirements for both measures have been identical, even if source tapping is technically more demanding and is therefore carried out less frequently.
Serious conflict of objectives remains
For Rena Tangens from Digitalcourage, one central point of criticism remains: "The court has not addressed the fundamental problem of state Trojans." To deploy these digital bugs, security vulnerabilities have to be exploited, and such vulnerabilities put everyone's IT security at risk. Instead of reporting and closing them, the state keeps them open or buys them in "to use them itself".
This aspect is also a source of irritation for the industry associations Bitkom and eco. The latter now sees the legislator as being called upon not only to make formal improvements, but also to fundamentally resolve this conflict of objectives. Binding requirements for vulnerability management and a comprehensive understanding of IT security are needed. Bitkom is also calling for a reliable legal framework so that companies can make their contribution to internal security without violating customer rights.
Konstantin von Notz, deputy leader of the Green parliamentary group, would have liked to see even more far-reaching requirements. He demands: "To rule out mass surveillance that is incompatible with our liberal constitutional state, the powers of the security authorities for targeted defense must be strictly limited by the rule of law and effectively controlled by parliament." Those responsible in the relevant ministries must finally raise the thresholds for intervention and regulate the handling of IT vulnerabilities. Donata Vogtschmidt from the left-wing parliamentary group postulates: "The state Trojan is a disproportionate tool and should be abolished."
Ban on encryption?
The Federal Ministry of Justice sees the legal requirements for state Trojans "essentially confirmed". However, it concedes, more stringent requirements for the qualifying offenses are necessary. The ministry went on to say: "We will now carefully evaluate the reasons for the decision and comply with the identified need for action." The Federal Ministry of the Interior did not respond to a request for comment from heise online on Thursday. That ministry even wants to allow the Federal Police to use Trojans as a preventive measure, which is unlikely to be compatible with the ruling. The SPD and CDU/CSU parties responsible are also remaining silent on the issue.
The German Police Union (GdP) is pleased that the court has confirmed the "constitutionality and necessity" of source TKÜ and the even more extensive covert online search "as indispensable instruments for effective law enforcement and averting danger". At the very least, the decision ensures that investigators "will also be able to effectively combat the most serious criminal offenses in the future". Lawless communication spaces should not be accepted. Markus Hartmann, senior public prosecutor in North Rhine-Westphalia, pointed out that if the hurdles for accessing encrypted data in individual cases were to increase, this would "inevitably fuel the dangerous debates about a general ban on encryption or the establishment of state backdoors".
(mma)