State trojans for criminal prosecution
GFF lodges constitutional complaint against mass use of “state trojans”.
On August 22, 2018, the GFF lodged a constitutional complaint in Karlsruhe against the use of so-called state trojans and the government's irresponsible handling of IT security gaps. It is directed against the amendment to the Code of Criminal Procedure (StPO) introduced on August 24, 2017. Among the five complainants are the Turkish journalist Can Dündar, who lives in exile in Germany, the ARD doping expert and investigative journalist Hajo Seppelt, and the Green politician Konstantin von Notz. In connection with their professional activities, they have been victims of hacker attacks on several occasions.
With the amendment of the StPO 2017, the German Bundestag created a legal basis for the widespread use of state trojans. The police may be allowed to use trojans in over 30,000 cases per year. The president of the GFF, Dr. Ulf Buermeyer, has previously provided a statement to the Legal Committee of the Bundestag in which he concluded that the planned regulations are unconstitutional for several reasons. The GFF is coordinating the constitutional complaint against the amendment. The Humanist Union is also lending its support. The Hamburg defense counsel, Dr. h.c. Gerhard Strate, is the authorized representative and is the author of the notice of appeal.
The amendments to the Code of Criminal Procedure allow investigating authorities to place government spyware (trojans) on the computers of suspects or, under certain conditions, of uninvolved third parties. These state trojans enable online searches that go well beyond the acoustic monitoring of living space that has been permitted to date. By means of this newly authorized technique, current and previous communication of suspects can be evaluated (source-TKÜ), the contents stored on the devices can be viewed, and cameras can be accessed. Since computers and smartphones today contain a wealth of information, some of which is extremely private or intimate in nature, these newly authorized online searches will interfere with the privacy of those affected in ways that go beyond all other methods of investigation.
The expanded use of so-called state trojans, however, contravenes the requirements of the Federal Constitutional Court for the use of such spyware. Among other things, the catalogue of offences for which an online search or source-TKÜ can be used is excessively broad. The intrusions that are allowed clearly go beyond situations in which the Federal Constitutional Court has found the use of Trojans to be justified. Proper justification for such use requires that there be a concrete risk to a legal interest of paramount importance. Such potential justification exists for very few of the offences listed in Sections 100a and 100b of the Code of Criminal Procedure. In addition, professional secrets and confidential information, in particular those of journalists and lawyers, will be insufficiently protected. Moreover, the technical requirements for surveillance software will not be subject to independent validation. The amendment thus violates in several respects the fundamental right to the confidentiality and integrity of information technology systems that the Federal Constitutional Court set forth in a ruling in 2008.
This right, also referred to as the fundamental IT right, is also under threat from the perverse incentives that are created for the investigating authorities. In order to apply trojans to the target devices, federal authorities are permitted to selectively exploit existing security gaps in software and hardware that are as yet unknown to the manufacturers. This gives rise to an interest in building an “arsenal” of security vulnerabilities. Every specific individual gap in such an electronic armory can be exploited not only by the authorities for hacking into mobile phones and computers, but also by criminals. Such a system of perverse incentives violates the government's fundamental obligation to protect computer rights under the Federal Constitutional Court’s 2008 ruling, which mandates that the state report security gaps to manufacturers so that they can be closed.
These serious consequences for IT security also endanger the relationship of trust between defense lawyers and their clients. The Berlin defense lawyer Stefan Conen, a member of the German Bar Association (DAV), and his colleague Sina Mika, are therefore also complainants. The DAV underscores that the introduction of the Source-TKÜ and the online search constitutes a particularly serious impairment of the fundamental rights of those citizens who are affected. This also infringes the right to the protection of the core areas of private life and the inviolability of the home.
The extended use of trojans therefore violates not only fundamental IT rights, but also the fundamental rights of others. Online searches afford deep insight into a person’s knowledge and emotions. This makes the use of trojans in accordance with constitutional requirements a matter of extreme and unparalleled sensitivity. The amendments to the Code of Criminal Procedure in no way do justice to this fundamental standard. Rather, they expand the possibilities for government monitoring contrary to the requirements of the Federal Constitutional Court and disregard the interests of both the complainants and the general public in the highest possible level of IT security. With its constitutional complaint, the GFF takes a clear stand in opposition to this illegal action by the legislature.
Background information
- Article in the constitutional blog by Bijan Moini and Ulf Buermeyer: Good gaps, bad gaps? The objective-legal dimension of the IT fundamental right (8.9.2018) (in German).