17.12.2020

eco Association: New IT Act of the German Federal Government Undermines Trustworthiness of Digital Communication

  • State surveillance, rather than enhanced IT security
  • Lack of legal and planning security for companies, with little added value for IT security
  • Federal government should postpone deliberations on IT Security Act 2.0 and gain from European regulation

With the drafts for an IT Security Act 2.0, the new Telecommunications Act, and the BND Act, all of which were hastily approved by the German Federal Cabinet yesterday, the German federal government is fundamentally undermining general IT security and damaging the trustworthiness of digital communication in Germany. This is the view of eco – Association of the Internet Industry.

“Rather than the term ‘enhancing IT security’, the more accurate heading under which to categorize these acts would be ‘expanding state surveillance’,” says eco’s Vice Chair of the Board Klaus Landefeld. All three drafts contain rules on the surveillance of digital communications, which would lead to a simultaneous undermining of IT security.

In the IT Security Act 2.0, this concerns, for example, the handling of information about security vulnerabilities and data gathered by the German Federal Office for Information Security (BSI) as part of its new powers. Among other things, the act stipulates that the BSI is to withhold information about security vulnerabilities if it is obliged to maintain secrecy in dealings with security authorities. In addition, the BSI can now have data traffic redirected to servers which it itself has designated, and can itself fake attacks on IT systems and also infiltrate these systems in the course of doing so.

The Telecommunications Act (TKG) expands the definition of telecommunications service providers who will be required to implement surveillance measures in the future and, in contravention of the three rulings the European Court of Justice (ECJ) has issued in the meantime, continues to adhere to mass blanket data retention without cause; this can be classified as a violation of EU law.

The German BND Act also enables the German Federal Intelligence Service (the BND) to monitor the communications activities as well as the GPS and mobility data of any person in Germany and abroad. In addition to the general procurement of information on the Internet, this also includes data transmitted during online banking and hotel bookings, as well as via mobile phones and navigation systems.

Moreover, for the companies concerned, the regulations in some cases would mean considerable cuts in their legal, planning and investment security.

“When it comes to the IT security of telecommunications networks and services, excessively stringent and in some cases rather meaningless stipulations are being imposed that, while unlikely to enhance IT security, will pose considerable challenges for the companies concerned and, in the worst case, will curtail their business activities,” says Klaus Landefeld.

A central problem is the lack of synchronisation with European legislation, which eco has repeatedly called for in the context of the IT Security Act 2.0. This concerns in particular the harmonisation of the IT Security Act with the planned revision of the NIS Directive – the directive on measures for a high common level of security of network and information systems across the Union – which was also presented by the EU Commission yesterday: “A premature national regulation carries the risk of legislative action having to be re-opened afterwards, because the IT Security Act and the NIS Directive are pursuing systematically different approaches, not to mention the fact that they are both regulated differently. In light of this, postponing the cabinet decision on the IT Security Act 2.0 and awaiting further developments at the European level would have made more sense,” says Landefeld. For companies, subsequent amendments are likely to involve additional costs, since systems and solutions that have already been introduced would have to be adapted once again to align with the additional European regulation.

“The Internet industry does not need a rampant proliferation of security requirements; instead it requires objective, appropriate and reasonable standards that meet Germany’s and Europe’s constitutional criteria,” concludes Klaus Landefeld.
