11.08.2025

Ruling on State Trojans: eco Welcomes Clarification by the German Federal Constitutional Court

Last week, the German Federal Constitutional Court published its guiding principles on key regulations concerning Lawful Interception at the Source (Quellen-TKÜ) and online state searches, clarifying their constitutional boundaries. In the case of Lawful Interception at the Source, communications are not intercepted via traditional network surveillance but are read directly at the source – i.e. on the end device – before they can be encrypted.

eco Board member Klaus Landefeld commented: “Today’s decision brings some long-overdue legal certainty to the debate around state surveillance tools, but also raises new questions, particularly with regard to the impact of interference with modern means of communication. The declaration that Lawful Interception at the Source is disproportionate when used for minor offences is an important signal. The Court’s finding that online state searches without invoking telecommunications secrecy are unconstitutional further confirms the necessity of careful consideration when infringing on fundamental rights.”

Legally, this ruling has clarified some issues – but technically, the risk remains. According to Landefeld, the use of State Trojans continues to be based on a fundamental conflict of interest: “In order to enable investigations, the state intentionally keeps security vulnerabilities open or purchases them. In doing so, it deliberately exposes all IT systems – and not just those of the alleged perpetrators – to increased vulnerability. However, the state itself must not become a threat to digital security.”

Legislators are now called upon not only to make formal improvements, but to fundamentally resolve this conflict of objectives. “A future-proof security strategy needs binding rules for vulnerability management, clear transparency obligations for powers of intervention and an understanding of IT security that prioritises the fundamental protection of the population over access in a few individual cases,” argues Landefeld. “Just take a look at the figures published last week on the use of various State Trojans: for a handful of cases per year, the cybersecurity of around 90 million citizens and companies is being put at risk. How can that be proportionate?”

The Fight Against Terrorism Should Not Happen at the Expense of the Security of All
