Article 10 Act: The constitution also applies to the Office for the Protection of the Constitution
Together with ten plaintiffs we have filed a constitutional complaint against the Article 10 Act and other laws.
Photos, videos, private messages and stored contacts: with the spying software known as the state trojan, secret services can read out the data of end devices such as smartphones or computers without being noticed. Since mid-2021, the amendment of the Federal Constitutional Protection Act and the Article 10 Act has allowed all 19 secret services to use this measure, without sufficient control and at a low threshold.
The access to the end devices takes place secretly and is usually not disclosed afterwards, so that those affected cannot defend themselves against it. This clearly endangers the protection of the secrecy of telecommunications under Article 10 of the Basic Law. Since state trojans not only intercept current communication but can also read out stored communication files, the so-called fundamental right to the guarantee of the confidentiality and integrity of information technology systems is also violated (Art. 2 para. 1 in conjunction with Art. 1 para. 1 GG).
However, it is not only the use of state trojans that is problematic. The procurement of state trojans, and with it the prerequisite for using them in the first place, also forces the government into a fundamental rights dilemma.
The government leaves security gaps open and risks cyber attacks
State trojans infiltrate end devices such as smartphones or computers through security vulnerabilities. These vulnerabilities exist due to flaws in the devices' software. In order to prevent foreign interference, the gaps would have to be reported to the manufacturers and then fixed. However, the government does not do this. Instead, it buys information about security vulnerabilities on the black market and uses it for its own surveillance purposes.
The Federal Constitutional Court has made it clear that the government has a duty to protect IT security. This means that the government is obliged to actively contribute to the protection of information technology systems, e.g. in the form of statutory vulnerability management for dealing with known IT security gaps. If the government exploits these gaps, it endangers the integrity of these systems and does not fulfil its duty to protect IT security.
WannaCry – security vulnerabilities endanger society as a whole
The impact of security vulnerabilities that are abused by third parties is shown by the case of "WannaCry": the malware caused damage worldwide in May 2017 by crippling the information technology systems of public authorities and companies, including, in particular, British hospitals. The hackers only released the systems again in exchange for a ransom payment. The security vulnerabilities through which the "WannaCry" hackers gained access to the systems had previously been captured by the American intelligence service NSA.
In April, the GFF won a major victory against the escalating surveillance practices of the intelligence services with the landmark ruling on the Bavarian Constitutional Protection Act. The constitutional complaint on G10 now follows on from this success. The requirements set by the Federal Constitutional Court must also be extended to the rest of the intelligence services law.