Police Act Baden-Württemberg
GFF and partners file constitutional complaint against the police law of Baden-Württemberg
GFF, with the support of the Chaos Computer Club Stuttgart e.V. (CCCS), filed a constitutional complaint against the Baden-Württemberg police law. The complaint is directed against the amendment to the law of November 28, 2017, which allows the police in Baden-Württemberg to monitor the electronic communication of persons through so-called state trojans. The law allows police to use these state trojans to exploit security flaws in hardware or software (the very same flaws that, if uncorrected, enable criminals to carry out cyber attacks) instead of working to close these security gaps. The law thus creates fundamentally perverse incentives for police in carrying out their law enforcement duties and endangers IT security in Germany and worldwide.
In addition to the CCCS itself, the complainants include the lawyers Dr. Udo Kauß and Michael Moos, the journalists Peter Welchering and Hinnerk Feldwisch-Drentrup, the Freiburg online mail order company for ecologically sustainable and “fairly” produced inflammable fashion, and ISP Service eG, a purchasing company for Internet service providers. They all see themselves as particularly at risk of becoming targets for cyber attacks. They likewise fear that police access as a consequence of the amendment will have consequences for third parties whose data they have a responsibility to protect and secure, namely, the data of clients, sources, and customers. The lawyer and criminologist Prof. Dr. Tobias Singelnstein of the Ruhr-Universität Bochum is the authorised representative and author of the complaint.
New powers of the Baden-Württemberg police force
The amendment of the Baden-Württemberg Police Act has created a legal basis for “source telecommunications surveillance” (Quellen-TKÜ) for suspects. Since its passage, the monitoring of ongoing electronic communications has been allowed through the installation of state spy software, the so-called state trojans.
Installing state trojans on an individual's mobile phone or computer requires IT security vulnerabilities. These are flaws in hardware or software that make it possible to access the data of the individual users. Manufacturers try to close such gateways once they become aware of them. The Baden-Württemberg police, however, now have an interest in letting the IT security gaps of which they have become aware persist, so that they can exploit them for surveillance purposes. The police take into account and accept that these security gaps remain for all users of the same systems, and that those users are liable to be victims of hacker attacks as a result. Accordingly, the Baden-Württemberg Police Act violates the duty to protect and guarantee the fundamental right to the integrity and confidentiality of information technology systems (so-called “IT fundamental right”).
GFF’s action against excessive powers of the security services nationwide
State action that keeps IT security gaps secret is incompatible with the IT fundamental right. Nevertheless, legislative amendments are still being adopted to encourage such actions by the federal and state authorities. GFF has therefore already lodged constitutional complaints against comparable regulations in the national Code of Criminal Procedure and in the Bavarian Police Act. GFF will also review all pending changes to the police laws of other federal states for compliance with constitutional law and will, if necessary, take action against them.
Related proceedings
In August 2018, GFF filed a constitutional complaint against an amendment to the Code of Criminal Procedure that would allow the expanded use of state spyware.
Together with the #noPAG alliance, GFF also filed a constitutional complaint against the Bavarian Police Task Act (BayPAG) in October 2018.