22.02.2021

eco Association on the German BND Act: State Hacking Would Endanger IT Security and Undermine the Trustworthiness of the Internet

Statement by eco Board Member Klaus Landefeld on the occasion of the public expert hearing of the Bundestag on 22 February 2021.

The current draft of the BND Act by the German Federal Chancellery is set to give the German Federal Intelligence Service (known in German as the Bundesnachrichtendienst ‚Äď BND) permission to access inventory, traffic and content data without the knowledge of the operator in question. In principle, this would make all service providers of telecommunications, cloud services and other telemedia services abroad ‚Äď including platform operators such as Google, Facebook, Amazon or Apple ‚Äď potential targets of state hacking. eco ‚Äď Association of the Internet Industry warns of the consequences of such a regulation for general IT security and judges the draft as being unconstitutional.

‚ÄúThe fact is that the specifications of the Federal Constitutional Court from last year are not all being observed; nor can all of the new regulations be deemed to be constitutional. Every last citizen using the Internet is likely to be affected,‚ÄĚ says eco‚Äôs Vice Chair Klaus Landefeld. ‚ÄúIf the Act comes into force, in future each and every one of us will have to reckon with personal data not just being read by the state, but also potentially being retained and processed.‚ÄĚ Essentially, the BND would be subjected to practically no effective limits or restrictions on the collection, retention and further processing of traffic data of domestic residents and foreign nationals. ‚ÄúThis doesn‚Äôt only include access to personal data in online banking and hotel bookings, but also all-round mobility profiles on the basis of GPS and mobility data from mobile phones or navigation devices ‚Äď because according to the new Act, for the BND this data should no longer be ascribed as personal,‚ÄĚ Landefeld continues.

The regulation would inevitably lead to a massive loss of trust in digital communication and services, especially since state actors would be incentivised to keep software vulnerabilities secret in order to obtain further information. ‚ÄúThis would create gateways for cyber criminals and thus a barely calculable security risk. The IT security and integrity of digital infrastructures must not be negotiable,‚ÄĚ says Landefeld.

Furthermore, the Internet Association contends that the draft law does not comply with the requirements of the German Federal Constitutional Court.

Among other factors, this concerns the planned regulation of automatic filter systems, which, according to the constitutional judges, must correspond to the current status of science and technology. The draft Act, however, views filter systems that correspond to the current status of technology as sufficient. ‚ÄúThe Federal Constitutional Court deliberately specified the highest requirement for the use of filter systems, as also provided for and regulated in the Atomic Energy Act, for example. Cutting back to the ‚Äėcurrent status of technology‚Äô would have the practical consequence that the BND would not be obliged by law to use self-learning filters based on artificial intelligence as already used today in the industrial environment,‚ÄĚ states Klaus Landefeld.

Landefeld will speak at a Bundestag hearing as an expert on the planned amendments to the BND Act and other surveillance-related topics. The public session of the Interior Committee will be broadcast live on bundestag.de from 10 a.m. on Monday, 22 February.

Background:

eco has repeatedly warned against a major expansion of the espionage practices of the German Federal Intelligence Service (BND). After the Federal Chancellery presented a new draft in December 2020, eco published a detailed (German-language) statement. With its draft Act, the federal government’s supposed intention is to implement the specifications of the Federal Constitutional Court and the Federal Administrative Court.

In May this year, the German Federal Constitutional Court declared the Internet surveillance by the Federal Intelligence Service of non-German nationals when not in Germany to be unconstitutional. In their ruling, the judges in Karlsruhe made it clear that the BND Act violates the fundamental rights of telecommunications secrecy (Article 10 (1) of the constitution) and freedom of the press (Article 5 (1) sentence 2 of the constitution) in all essential norms. This concerns both the collection and processing of data as well as its transfer within the realm of cooperation with other foreign intelligence services.

 

 

eco Association on the German BND Act: State Hacking Would Endanger IT Security and Undermine the Trustworthiness of the Internet