Hesse: State Office for Protection of Constitution may use state trojan
Karlsruhe partially overturned the Hessian State Office for the Protection of the Constitution Act. The parliament passed a reform giving the service new powers
(Image: photobyphotoboy/Shutterstock.com)
This legislative process was closely watched after the Federal Constitutional Court forced the Hessian legislature to make extensive amendments in 2024. Last week, the Hessian state parliament in Wiesbaden passed the amendment to the State Office for the Protection of the Constitution Act (HVSG) with the majority of the black-red coalition. The initiative, which Interior Minister Roman Poseck (CDU) described as a "milestone," grants the State Office for the Protection of the Constitution (LfV) far-reaching digital powers.
Foremost among these is the ability to conduct covert online searches and source telecommunications surveillance using state trojans. The core of the technical upgrade is the newly worded Paragraph 7a. It allows the intelligence service to gain covert access to IT systems such as computers, smartphones, and tablets. Poseck justified this by stating that extremists use the possibilities of the digital space for networking and that authorities must meet them "on equal footing."
More conditions for access rights
Technically, the new regulation means that the LfV may exploit security vulnerabilities to install malware on the devices of targeted individuals. The law explicitly permits not only the collection of access data but also the exfiltration of already processed information. To comply with the constitutional requirements from Karlsruhe, the legislature has linked this measure to conditions.
According to Poseck, the Hessian trojan should only be used as an "ultima ratio" when the clarification of facts is not possible otherwise, for example, through the police with their controversial relevant powers. Furthermore, there must be a "concrete danger" to high-value legal interests such as the existence of the federal republic or a person's life.
Videos by heise
This deep intrusion is accompanied by procedural regulations in Paragraph 8. The use of the spyware is subject to judicial approval. The order is limited to a maximum of one month but can be extended. The changes made to the target system must be limited to what is indispensable and should be "automatically reversed as far as technically possible" upon termination of the measure.
Movement profiles and financial flows
The legislature has also tightened up classic surveillance to satisfy the Karlsruhe judges. Paragraph 9 newly regulates the location tracking of mobile devices. Here, the law now differentiates more finely: If technical means such as silent SMS or IMSI catchers are used so frequently that a movement profile is created and agents can draw conclusions about habits or preferences, the hurdles increase. Such an intrusion is only permissible if it is essential for the investigation of an "endeavor that requires significant observation." Here too, judicial approval is required, with the order being limited to six months.
Furthermore, the representatives have expanded options for financial scrutiny. According to Paragraph 10, the Office for the Protection of the Constitution may request information from banks and financial service providers about accounts, money movements, and account balances. This primarily aims at drying up the financing of terrorism. The prerequisite is that the observed endeavors are likely to significantly impair the free democratic basic order.
Data of minors and transmission blocks
A particularly politically controversial point is the handling of data of minors. The coalition justifies the necessity of longer storage with increasing radicalization of young people, for example, via platforms like TikTok. Poseck referred to the dismantling of a suspected right-wing extremist group in which even a 14-year-old had been active.
In Paragraph 16, the reform stipulates that data about persons under 14 years of age may be stored if there are factual indications of serious criminal offenses. Paragraph 24 regulates the protection of minors in data transmission. As long as the strict storage requirements are met, this information may also be passed on to third parties. If the suspicion is no longer valid, onward transmission is only permissible to avert significant dangers. Furthermore, data of minors may not be transmitted to foreign authorities in principle.
At the same time, with Paragraph 23, the legislature attempts to maintain a balance between information flow and data protection. Transmission bans apply here if the protected interests of the affected person outweigh the general interest or if reasons of source protection oppose it. With this, the deputies are reacting to the criticism of the Federal Constitutional Court regarding the previously too unhindered transfer of intelligence information to law enforcement agencies.
Fierce criticism from the opposition
Despite the incorporated safeguards, the resolution was met with rejection from the opposition. The FDP abstained, while the Greens and AfD voted against it. Liberal Moritz Promny criticized that whoever uses the "sharpest tools of the state" must also demonstrably limit them. He believes that the limits are not drawn narrowly enough, especially with mobile phone tracking, as this concerns "intimate traces of our everyday lives." The catalog of offenses that can trigger surveillance measures is also too broad and vague – for example, with interventions in road traffic.
(dmk)
