With its decision on the state police law in Baden-Württemberg, announced yesterday, the Bundesverfassungsgericht, the German Federal Constitutional Court, has set new limits on the use of so-called state Trojans and emphasised the state’s duty to protect citizens and businesses. eco – Association of the Internet Industry demands that this justification be taken into account immediately in all future activities concerning the use of state Trojans.
Klaus Landefeld, Vice-Chair of the board at the eco Association, says:
“Even though the judges in Karlsruhe have declared the constitutional complaint inadmissible, it remains an important success for IT security and the protection of civil rights. From now on, the state and security authorities must create regulations before each Trojan use and also assess how high the risk is for citizens, the economy and the state itself if security vulnerabilities in IT systems are kept secret. The German Federal Constitutional Court thus sets limits to state spying software and at the same time emphasises the state’s duty to protect – and it is precisely this that must now be consistently demanded.”
In the wake of the Pegasus scandal, Landefeld also points out the risks of purchased spy software. Landefeld: “Since the authorities have not used their own software so far, not only gaps that they have found themselves are left open but also gaps that are used by the purchased software and are thus also known to third services. Protection is not possible; the German state and its services currently cannot sufficiently control the use of the system. In concrete terms, the spying on citizens by third parties is accepted in full awareness – although it would be possible to close this loophole or have it closed.”
So-called state Trojan laws, such as the constitutional protection amendment, must now be adapted to meet current requirements, Landefeld continued. eco – Association of the Internet Industry sharply criticises the corresponding legal provisions at federal and state levels and the legal powers they provide for the use of state Trojans. eco has already warned several times in the run-up that IT security, data protection and the trustworthiness of digital communication will be weakened in the long term.
Without these constitutionally necessary adjustments, a number of state and federal laws are likely to be objected to by the specialised courts, especially the administrative courts, because they have not taken IT security sufficiently into account so far. Keeping so-called zero-day exploits secret and not reporting them to the manufacturer creates serious IT vulnerabilities. From the association’s point of view, this poses a particular risk of third parties accessing information technology systems.