Trojans for the Office for the Protection of the Constitution, Big Data Tools for the Police
We took legal action against the Hamburg Police and Protection of the Constitution Act. With success: In February 2023, the Federal Constitutional Court declared the Hamburg regulation on automated data analysis to be null and void.
Our case is related to federal policy: In the summer of 2021, the Article 10 Act was amended in such a way that, after the police, all secret services in Germany are now also allowed to use the most severe surveillance tool available to the state: trojans. The reform of the Article 10 Act suffers from the same shortcomings as the Hamburg Act on the Protection of the Constitution. Our complaint against the Hamburg law is hence a model case for reform at the federal level.
HEARING BEFORE THE FEDERAL CONSTITUTIONAL COURT: TRANSPARENT HUMAN BEING THROUGH AUTOMATED DATA ANALYSIS
The oral hearing before the Federal Constitutional Court focused on section 49 of Hamburg's new law on police data processing. This provision allows the police to create automated personal profiles from an unspecified amount of data, including in any case the data from police databases and, if necessary, publicly available data such as from social media. It is unclear who can be profiled and what the consequences of any "by-catch" are for those affected, i.e. the inclusion of persons who are not considered dangerous. It is also unclear exactly for what purposes software can be used and how long the profiles will be stored.
Such Big Data solutions, which the controversial US company Palantir has already successfully offered to the Hessian police, should be much better contained and controlled by the rule of law than by the completely undefined current regulation. In Hamburg, the power is not yet used.
JUDGES ASKED CRITICAL QUESTIONS
The legal basis for the use of the Gotham software is extremely vague and leaves many questions unanswered - this also became clear in the hearing, in which both the Hamburg and the Hesse laws were negotiated: Is - as according to the respective government representatives - the Automated Data Analysis only the continuation of classical police work with "more power"? Or does the possibility of pulling together huge pools of data, generating connections and patterns, justify a completely new quality of intervention that also needs correspondingly strict limits?
Many detailed questions from the court showed that the judges were also critical of the vague standards on automated data evaluation. In particular, the question was raised at many points whether compliance with the legal limits is technically feasible at all. For example, the court asked about the keyword "purpose limitation": once data has been collected, it may not be used for another purpose without further ado. Currently, however, the origin of the data is not marked at all - how is compliance with the purpose limitation supposed to work when the data is further processed? In our view, these questions have not been answered sufficiently.
FEDERAL CONSTITUTIONAL COURT LIMITS AUTOMATED DATA MINING BY THE POLICE
In February 2023, the judges in Karlsruhe made it clear in a landmark ruling that the police may, in principle, use software to create information and cross-references to individuals at the push of a button in order to prevent criminal offences (data mining). However, the law must clearly stipulate the conditions under which this is permissible. Otherwise, the regulations violate the right to control one's own data. Among other things, we had challenged the fact that the legal basis in Hamburg leaves it completely unclear from which sources, with which amount of data and for which purpose the police may use the power of data mining. Our constitutional complaint has significantly reduced the risk of innocent citizens being targeted by the police. The ruling has a nationwide impact: many other federal states and the federal government are working towards being able to use comparable technical possibilities - or are already doing so, such as North Rhine-Westphalia.
STATE TROJANS FOR THE OFFICE OF THE PROTECTION OF THE CONSTITUTION
After an amendment to the law in April 2020, the Hamburg Office for the Protection of the Constitution is allowed to hack into the devices of certain individuals without a court order or similar prior control (§ 8 para. 12 of the Hamburg Law on the Protection of the Constitution). This endangers the confidential communication of professional secrets such as lawyers and journalists and thus the freedom of the press, the secrecy of telecommunications and the so-called IT fundamental right (right to a guarantee of the integrity and confidentiality of information technology systems).
Trojans in the hands of secret services are unconstitutional if their use is not strictly limited, if it does not have to be approved by a court and where is not guaranteed that the state does not deliberately leave open security loopholes in IT systems that can become extremely dangerous even for completely innocent people (see our constitutional complaint against the use of state trojans under the Code of Criminal Procedure).
JOURNALISTS, LAWYER AND ACTIVIST FILE SUIT
The plaintiffs in the case are an activist, the defence lawyer Britta Eder and several journalists, including Sebastian Friedrich (freelance journalist, e.g. NDR) and Katharina Schipkowski (taz). The complaint was written by Jun.-Prof. Dr. Sebastian Golla (Ruhr-Universität Bochum).