The draft Harmonization Act for the Protection of the German Constitution, passed by the Federal Government today, obliges Internet providers and telecommunications companies to cooperate with the German Federal Intelligence Service (BND) and the authorities for the protection of the constitution: In future, companies will be obliged, upon receiving official orders, to set up a rerouting system in order to route “suspicious” data packets to the authorities, who will subsequently send them on to the actual recipient.
The Association of the Internet Industry is critical of this extension to obligations for participation and collaboration, particularly with regard to data protection and IT security requirements on the Internet. In practice, this would not only result in disproportionate detrimental effects for the business models of companies, but also in the threat of a considerable reduction in the confidentiality and integrity of digital communication.
eco Member of the Board Klaus Landefeld states:
“We take a clear position against anti-constitutional ambitions, and reject any form of extremism. But the planned law for the protection of the constitution has the potential to counteract the trust in the security and integrity of digital communication. Despite recognition for the tasks and concerns of the German intelligence services: This law will lead to a threat to IT security on the Internet, if not to a loss of trust and a clear set-back for all digitalisation processes in society and the economy!”
This is especially true when the state uses so-called Zero-Day Exploits for the placement of State Trojans, the association said: “Exploitation of such vulnerabilities poses a major risk, both for businesses and citizens. It must not become common practice in intelligence work. Users will face a significant reduction in the confidentiality and integrity of their digital communications as a result of providers’ extended participation and collaboration obligations!”
On the supposed forgoing of online State searches
Even a time limit would not change the fact that the now-adopted regulation on the State Trojan, the “Lawful Interception at the Source Plus”, represents an online State search of the affected devices, with access to the stored user data. This is because all technically necessary modules and methods for comprehensive data access would already be installed on the devices concerned. The only constitutional barrier is a ban on the use of any data found that is older than the date of the order: “This is highly inadequate both in terms of the rule of law and the constitution. Whether or not this change in the law – in which fundamental rights are to be restricted in the extreme, Lawful Interception at the Source is to be embedded, and now also the search of stored data via State Trojans is to be introduced – is in any way constitutional will unfortunately once again have to be decided by the courts,” says Landefeld.
In addition, the Association of the Internet Industry emphasizes that the forthcoming extension of the definition of telecommunications services to include messenger services, as defined in the forthcoming amendment to the new Telecommunications Act, represents an additional source of uncertainty. Here too, eco points out that the intended measures run the risk of missing the mark and instead leading to competitive disadvantages for the providers. Legal certainty is of fundamental importance for the providers concerned.