Anti-whistleblowing Act "handling stolen data"

Jointly with an alliance of civil rights organizations and journalists, GFF is challenging the new Criminal Code provision on "handling stolen data". Passed by the grand coalition in 2015, this provision (s. 202d of the Criminal Code) criminalizes handling leaked data without providing for an adequate protection of the press. It thereby threatens an important part of the work of investigative journalists and bloggers as well as their informants and experts.

The constitutional complaint brought by the GFF and its partners claims that the provision violates the freedom of the press and broadcasters, the equality clause, professional freedom and the principle of legal certainty.

Press coverage (in German)

• beck-aktuell, January 13, 2017
• Deutsche Welle, January 13, 2017
• Deutschlandfunk.de, January 13, 2017
• Deutschlandradio Kultur, January 13, 2017 (Audio)
• Frankfurter Allgemeine Zeitung, January 14, 2017
• Frankfurter Rundschau, January 14, 2017
• Golem.de, January 13, 2017
• Heise online, January 13, 2017
• heute+, January 13, 2017 (Video)
• lto.de, January 13, 2017
• Neues Deutschland, January 14, 2017
• rbb|24, January 13, 2017
• Spiegel Online, January 13, 2017
• Süddeutsche Zeitung, January 14, 2017
• Tagesschau.de, January 13, 2017 (Video)
• Tagesschau.de Schwerpunkt, January 13, 2017 (Video)
• Tagesspiegel, January 12, 2017
• WDR 5, January 13, 2017 (Audio)

The GFF partners with civil rights organizations and journalists

The GFF coordinated the constitutional complaint and submitted it in the name of the digital news agency netzpolitik.org, the German section of Reporters without Borders (Reporter ohne Grenzen, ROG) as well as several journalists, bloggers and their aides.

Among the journalist plaintiffs and bloggers are netzpolitik.org editors Markus Beckedahl and Andre Meister, investigative journalists Peter Hornung (NDR, Panama Papers) and Hajo Seppelt (ARD, Olympia-Doping), as well as IT journalists Holger Bleich, Jürgen Schmidt (both of the magazine c’t) and Matthias Spielkamp. Further plantiffs are the criminal judge and GFF president Ulf Buermeyer, as well as an attorney and IT expert, all of whom regularly advise investigative media.

The constitutional complaint was drafted by Prof. Dr. Katharina de la Durantaye (Humboldt University Berlin), defense attorney Dr. Nikolaos Gazeas of Cologne, and Dr. Sebastian J. Golla (Johannes Gutenberg University, Mainz), supported by Sebastian Thess (Humboldt University Berlin). Students of the Humboldt Law Clinic Internet Law (HLCI) provided research assistance.

GFF submitted the complaint on December 16, 2016 to the Federal Constitutional Court in Karlsruhe. The litigation is funded by Netzpolitik.org, Reporter ohne Grenzen and GFF.

What does “handling stolen data” mean?

The new criminal provision entered into force on December 18, 2015. The German Bundestag had passed it two months earlier as § 202d Strafgesetzbuch (StGB) without further debate, after the federal government had concealed it in the legislative package on the Data Retention Framework, such that few noticed the constitutional law problems with this provision.

The new provision criminalizes handling data which someone else obtained illegally; the sentence is up to three years in prison or a fine (translation by GFF):

"(1) Whoever procures for themselves or for another, supplies to another, disseminates or otherwise makes available data (s. 202a(2)) that is not publicly accessible and that another has acquired through an unlawful act, with the intent of enriching themselves or another or of harming another, shall be liable to imprisonment not exceeding three years or a fine."

The legislative intent of the provision is to address the trade in stolen credit card and user data. Due to careless drafting, however, it also covers the procurement, transfer and dissemination of electronic data which were obtained by journalists from whistleblowers.

Working with information such as that revealed to the public by Edward Snowden in violation of US secrecy laws would therefore be illegal under German law.

By criminalizing the handling of whistleblower files, this new provision constitutes a disproportionate interference with the freedom of journalistic research, protected by Article 5 of the German Basic Law. Investigative journalists and bloggers are criminalized by this law for merely doing their job, working with leaks and revealing abuse of power or threats to civil rights. This also constitutes a violation of the freedom of profession, protected by Article 12 of the German Constitution.

Dangerous back door in the Code of Criminal Procedure

The Criminal Code provision is supplemented by an addition to section 97 of the Criminal Procedure Code. Probable cause of “handling stolen data” now constitutes an exception to the prohibition of search and seizure. This opens a dangerous back door to searching editorial rooms and seizing papers found there.

Just like doctors and attorneys, journalists enjoy privileges under section 53(1) of the Criminal Procedure Code: they can refuse to give evidence in order to protect their sources. Links to the press can be dangerous; important sources will often only talk to journalists if they are guaranteed anonymity. This of course is also the case for whistleblowers who reveal explosive secret information to the public in order to draw attention to serious grievances in public agencies or private companies.

The protection from search and seizure in section 97(1) of the Criminal Procedure Code serves the same goal. According to this provision, editorial rooms cannot be searched. This similarly serves to protect journalistic sources and thereby the freedom of the press and of broadcasting, protected by Article 5(1) of the Basic Law.

However, section 97(2) of the Code contains a number of exceptions. This is where the legislature introduced the exception for handling stolen data (translation by GFF):

"The restrictions on search and seizure do not apply where there is probable cause to assume that the privileged person was involved in the act or in handling stolen data, was an accessory after the fact, was party to obstruction of justice or was receiving and disposing of stolen goods […]."

This means that if a journalist is using materials that another person – for example, a whistleblower – had acquired illegally, the source can be revealed by a seizure of these materials; this, too, constitutes a severe interference with the freedom of the press and of broadcasting.

Sloppily drafted exceptions: Insufficient protection of informants and aides

The legislature did notice the dangerous potential of the new provision, however, the exceptions created for journalists are much too narrow and sloppily drafted.

Section 202d(3) of the Criminal Code provides for exceptions only for actions that “exclusively” serve the fulfilment of lawful official or professional duties. This includes the actions of “professional” journalists (translation by Sebastian Golla):

"(3) Subsection (1) does not apply to actions which exclusively aim at fulfilling lawful official or professional duties. These particularly include […]

2. those professional actions by a person listed under section 53(1) 1st sentence no. 5 of the Code of Criminal Procedure by means of which data is received, processed or published."

These exceptions are already insufficient for journalists, as they do not include part-time journalists or journalists who also act on private motivation, i.e., not “exclusively” to fulfil their professional duties. Moreover, “citizen journalists”, as they are often present in the blogosphere, are not sufficiently covered.

The protection is even less satisfactory for external experts, which journalists often rely on for advice. This is especially necessary in viewing and assessing leaked data; here, the press often relies on lawyers or IT experts to properly assess the material. Such aides are not covered by the exception in s. 202d(3) either and therefore risk criminal prosecution for handling “stolen” data.

A chilling effect on the freedom of the press

Through its sloppy drafting, the law therefore creates a minefield for investigative journalists and their aides.

What is even more serious than the threat of an actual conviction of journalists for receiving or passing on leaked data is the risk of criminal investigation and searches: They would destroy the relationship of trust between journalists and their sources and thereby significantly weaken journalistic research.

This chilling effect already occurs in the absence of specific investigations; even the possibility of search and seizure means that sources of information for journalists dry up and that working with leaked data becomes more difficult. Already today informants are reluctant to pass on leaked materials and thereby make them available for an independent assessment. IT experts have also become harder to convince to assist in analyzing leaked data due to fear of criminal prosecution.

Examples for working with leaks: Research on secret services, Panama Papers, Olympic Doping

The GFF’s plaintiffs often work with leaks illegally obtained by whistleblowers to reveal large-scale problems; they now fear risking prosecution in similar cases in the future:

• Netzpolitik.org editors Markus Beckedahl and Andre Meister regularly write about and publish documents on the work of German and international secret services, including secret documents on the work of the German foreign intelligence service.
• NDR journalist Peter Hornung was involved in analyzing the so-called Panama Papers; these leaked documents contain explosive information on offshore companies owned by politicians and celebrities in Panama. With two colleagues, Hornung coordinated the radio reporting in the entire ARD (Germany’s national broadcasting service). Today, he regularly works with leaks on the Volkswagen emissions scandal.
• Investigative sports reporter Hajo Seppelt’s crucial research and reports for ARD revealed the systematic Russian doping.
• Jürgen Schmidt, editor of the IT magazine c’t and of the online platform heise Security, revealed grave security issues in online banking and credit card payments; for his research, he has to rely on a network of external IT experts.
• Attorney Ansgar Koreng and IT expert Mike Kuketz are regularly asked to support reporters with their expertise.

Had the provision on handling stolen data been in force at the time of these reportings, the plaintiffs would probably have been liable to prosecution in several of these cases.

The example of “LOVOO”

The “LOVOO” case is a good example of the criminal law problems in working with whistleblower leaks. This online dating agency provides certain basic functions and an app at no cost. Establishing contact with other users through messages requires so-called “credits” which need to be purchased.

In late summer of 2015, an editor of c’t, an IT magazine, received an archive of 50GB of data. This archive contained – so the anonymous tipster claimed – emails from the top management of LOVOO, screenshots and the source code of software used by LOVOO.

Analyzing the archive, c’t journalist Holger Bleich and his colleagues found emails revealing that the LOVOO managers decided to boost sales of credits by motivating male users of the platform to use the profitable premium functions. In order to do so, LOVOO used computer programs (so-called bots) that simulated female users – internally called “do good” and “chat banana.” These bots sent messages to male users that were allegedly written by female users; recipients could only answer if they first bought credits. In the belief that they were flirting with real-world women, thousands of male users purchased such credits – a clear case of aggravated fraud or computer fraud (sections 263 and 263 of the German Criminal Code) in thousands of cases.

Bleich and his c’t colleagues revealed this large-scale scam to the public. When LOVOO – unsuccessfully – took legal steps against the series of articles, the publisher passed the matter on to their attorney. In order to examine to what extent reporting on allegations was lawful, he, too, had to sift through the data from the LOVOO leak.

The c’t reporting led to criminal investigations against LOVOO, including search and seizure and arrest warrants. The prosecution estimated the aggregated sales volume from the scam at a minimum of 1.2m €; c’t estimates much higher amounts. The charges were finally dismissed against payment of millions of Euros – although the Federal Supreme Court provides for prison sentences without probation in cases of damages in the seven figures.

The LOVOO case exemplifies how important press reporting is in revealling scams and other abuses and demonstrates the role of aides such as IT experts or lawyers. Had the case happened after the Criminal Code amendment, those involved would have had to fear criminal prosecution – the journalists for acting also on private motivation, the lawyer because he is not a journalist. Moreover, the whistleblower would have had to fear a search of the c’d editorial rooms and thereby a revelation of their identity. These conditions mean that investigative reporting as in the LOVOO case means playing with fire. The Grand Coalition did not consider all this when it smuggled the "handling stolen data" package with data retention 2.0 through the Bundestag.

Cooperation with the Humboldt Law Clinic

For this constitutional complaint, GFF cooperated with a legal clinic for the first time. The Humboldt Law Clinic Internet Law (HLCI) is headed by the GFF’s representative in the case, Prof. Dr. Katharina de la Durantaye, LL.M. (Yale). Law Clinics are education formats used to train students on real-life cases. The Humboldt Law Clinic was co-founded in 2010 by GFF board member Nora Markard, at first in the area of Fundamental and Human Rights (HLCMR); in 2012/13, the Internet Law Clinic was created.

The HLCI students developed plaintiff profiles, examining what type of person would most clearly represent the legal issues of the complaint. On this basis, the GFF and Reporters without Borders then approached potential plaintiffs. Moreover, the students supplied research.

Through project such as this one, the GFF is seeking to familiarize students with issues of constitutional litigation and the importance of the freedom of the press. Defending civil rights requires well-educated lawyers who care about these rights. The GFF’s US partners, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), have for the same reasons partnered with legal clinics to remarkable success.

Prospects of success

The constitutional complaint aims at declaring the new provisions null and void, in order to protect the plaintiffs and all other journalists from criminal prosecution and search and seizure. The GFF and its partners seek to prevent the new provisions from exerting a chilling effect on informants and journalistic sources and thereby interfering with investigative journalism.

Plaintiffs also hope that the Constitutional Court will declare that the constitutional protection of the freedom of the press also covers bloggers, lay journalists and external aides such as the IT expert and lawyer plaintiffs. A clear judgment in this matter would also have international effects: It would be an important signal against the efforts of dictators and authoritarian governments to advance a narrow interpretation of journalists (including in UN resolutions), excluding citizen journalists and bloggers from the freedom of the press in order to more easily control information.

Further information (in German):

• Handling stolen data – FAQ
• Online petition by Reporter ohne Grenzen to support the case
• More by netzpolitik.org on handling stolen data
• More on the work of Reporters without Borders on freedom of information on the internet