German BND Act: eco Warns About Major Expansion of Espionage Practices

The German Chancellery has presented a draft of what is termed as the BND Act. According to the draft, the German Federal Intelligence Service (known in German as the Bundesnachrichtendienst – BND) is to be given permission to hack providers abroad in order to obtain inventory, traffic and content data. eco – Association of the Internet Industry sharply criticises this initiative and has delivered a (German-language) statement on the draft act.

“This approach provides a huge incentive for state actors and services to keep software vulnerabilities in widely-used applications and systems secret,” says Vice Chair of the eco Board, Klaus Landefeld. “This won’t only weaken IT security and the integrity of digital infrastructures; it will also considerably undermine general confidence in digital services.” This is also regrettable in view of the fact that digital applications and infrastructures have done a lot in recent months to keep society and the economy up and running during the Covid-19 pandemic, Landefeld goes on to say.

eco finds it remarkable that this approach is apparently being consciously accepted and that the planned authorisation to exploit security vulnerabilities is aimed at the most popular services and applications on the Internet and their providers. This means that the majority of German citizens would also be affected by such an authorisation.

“Such action also places the Federal Republic of Germany in conflict with other states, not to mention the fundamental rights of citizens.” The latter includes the right to informational self-determination and the constitutional right to guarantee the confidentiality and integrity of information technology systems.

Landefeld: “What’s particularly precarious is that the regulation strongly resembles those of other countries which, last year, were criticised by German security politicians as being incompatible with German security interests.”

Gathering of IoT data in Germany and abroad

The provisions of Section 26 (Para 3, Sentence 2) also authorise the BND to gather personal data at any time in Germany and abroad. This applies to personal data of German citizens, domestic legal entities, and persons staying in the territory of the Federal Republic of Germany in all cases in which this data is not classified as “human communication”.  As the BND sees it, such data is therefore not subject to the protection of Article 10 of the German Basic Law (aka the German Constitution).

“The BND will be authorised as a matter of course to monitor the communication activities as well as the GPS and mobility data of any person in Germany and abroad,” says Landefeld. “In addition to the general procurement of information on the Internet, this also includes data transmitted during online banking, hotel bookings, as well as via mobile phones and navigation systems.”

Traffic data: Lack of designation of personal information

The Internet Industry Association also criticises the fact that the current draft provides for the blanket retention of traffic data without any designation of the source or the basis for a court order. As such, all automated processing operations such as filtering against specific search criteria, the creation of profiles and relationship networks, or the transfer of traffic data will be able to take place – without consideration of the basis for gathering data or a specific court order.

“The Act thus practically removes existing limits and restrictions on the gathering, retention and further processing of traffic data,” says Landefeld.

Federal Constitutional Court declared BND Act in May 2020 as unconstitutional

Background: In May this year, the German Federal Constitutional Court declared the Internet surveillance by the Federal Intelligence Service of non-German nationals when not in Germany to be unconstitutional. Several investigative journalists and the organisation “Reporters without Borders” had filed a complaint against the practice. In addition, other journalistic organisations coordinated the lawsuit, including the Society for Civil Liberties and the German Journalists’ Association.

In their ruling, the Karlsruhe judges made it clear that the BND Act in all its essential articles violated the fundamental right to telecommunications secrecy (Article 10.1 of the German Basic Law) and the freedom of the press (Article 5.1, Sentence 2 of the German Basic Law). This concerns both the collection and processing of data and its transmission within the framework of cooperation with other foreign intelligence services. On behalf of the eco Association, Klaus Landefeld participated as an expert witness in the oral hearing of the Federal Constitutional Court in January 2020.

eco Welcomes the German Federal Network Agency’s Security Catalogue: Transparent 5G Network Roll-out Without Discrimination