GFF and its partners challenge anti-whistleblowing provision on handling “stolen” data

New anti-whistleblowing provision violates freedom of the press

With an alliance of civil rights organizations and journalists, GFF is challenging the new Criminal Code provision on handling “stolen” data. Passed by the grand coalition in 2015, this provision (s. 202d of the Criminal Code) criminalizes handling leaked data without providing for an adequate protection of the press. It thereby threatens an important part of the work of investigative journalists as well as their informants and supporting experts.

The facial challenge brought by GFF and its partners (PDF, in German) claims that the provision violates the freedom of the press and broadcasters, the equality clause, professional freedom and the clarity principle.

Press coverage (in German):

• beck-aktuell, January 13, 2017
• Deutsche Welle, January 13, 2017
• Deutschlandfunk.de, January 13, 2017
• Deutschlandradio Kultur, January 13, 2017 (Audio)
• Frankfurter Allgemeine Zeitung, January 14, 2017
• Frankfurter Rundschau, January 14, 2017
• Golem.de, January 13, 2017
• Heise online, January 13, 2017
• heute+, January 13, 2017 (Video)
• lto.de, January 13, 2017
• Neues Deutschland, January 14, 2017
• rbb|24, January 13, 2017
• Spiegel Online, January 13, 2017
• Süddeutsche Zeitung, January 14, 2017
• Tagesschau.de, January 13, 2017 (Video)
• Tagesschau.de Schwerpunkt, January 13, 2017 (Video)
• Tagesspiegel, January 12, 2017
• WDR 5, January 13, 2017 (Audio)

GFF partnering with civil rights organizations and journalists

GFF coordinated the constitutional complaint and submitted it in the name of the digital news agency netzpolitik.org, the German section of Reporters without Borders (Reporter ohne Grenzen, ROG) as well as several journalists, bloggers and their auxiliaries.

Among the journalist plaintiffs and bloggers are netzpolitik.org editors Markus Beckedahl and Andre Meister, investigative journalists Peter Hornung (NDR, Panama Papers) and Hajo Seppelt (ARD, Olympia-Doping), as well as the IT journalists Holger Bleich, Jürgen Schmidt (both of the magazine c’t) and Matthias Spielkamp. Further plantiffs are the criminal judge and GFF director Ulf Buermeyer, an attorney and an IT expert, all of whom regularly advise investigative media.

The constitutional complaint was drafted by Prof. Dr. Katharina de la Durantaye (Humboldt University Berlin), defense attorney Dr. Nikolaos Gazeas of Cologne, and Dr. Sebastian J. Golla (Johannes Gutenberg University, Mainz), supported by Sebastian Thess (Humboldt University Berlin). Students of the Humboldt Law Clinic Internet Law (HLCI) provided research assistance.

GFF submitted the complaint on December 16, 2016 to the Federal Constitutional Court in Karlsruhe. The litigation is funded by Netzpolitik.org, Reporter ohne Grenzen and GFF.

Support our litigation for the freedom of the press and whistleblowers by a donation or a sustaining membership!

What does “handling stolen data” mean?

The new criminal provision entered into force on December 18, 2015. The German Bundestag had passed it  two months earlier as § 202d Strafgesetzbuch (StGB) without further debate, after the federal government had hid it in the legislative package on the Data Retention Framework, such that few noticed the constitutional law problems with this provision.

The new provision criminalizes handling data which someone else had obtained illegally; the sentence is up to three years in prison or a fine (translation by Sebastian Golla):

(1) Whoever procures for himself or for another, supplies another, disseminates or makes otherwise available data (s. 202a(2)) that is not publicly accessible and that another has acquired through an unlawful act, with the intent of enriching himself or another or of harming another, shall be liable to imprisonment not exceeding three years or a fine.

In the legislator’s intention, the provision addresses the trade in stolen credit card and user data. Due to careless drafting, however, it also covers the procurement, transfer and dissemination of electronic data which were obtained by journalists from whistleblowers.

Working with information such as that revealed to the public by Edward Snowden in violation of US secrecy laws would therefore be illegal under German law.

By criminalizing the handling of whistleblower files, this new provision constitutes a disproportionate interference with the freedom of journalistic research, protected by Article 5 of the German Basic Law. Investigative journalists and bloggers are criminalized by this law only for doing their job, working with leaks and revealing abuse of power or threats to civil rights. This also constitutes a violation of the freedom of profession, protected by Article 12 of the German Constitution.

Dangerous back door in the Code of Criminal Procedure

The Criminal Code provision is supplemented by an addition to section 97 of the Criminal Procedure Code. Probable cause of “handling stolen data” now constitutes an exception to the prohibition of search and seizure. This opens a dangerous back door to searching editorial rooms and seizing papers found there.

Just like doctors and attorneys, journalists enjoy privileges under section 53(1) of the Criminal Procedure Code: they can refuse to give evidence in order to protect their sources. Links to the press can be dangerous; important sources will often only talk to journalists if they are guaranteed anonymity. This of course is also the case for whistleblowers who reveal explosive secret information to the public in order to draw attention to serious grievances in public agencies or private companies.

The protection from search and seizure in section  97(1) of the Criminal Procedure Code serves the same goal. According to this provision, editorial rooms cannot be searched. This too serves to protect journalistic sources and thereby the freedom of the press and of broadcasting, protected by Article 5(1) of the Basic Law.

However, section 97(2) of the Code contains a number of exceptions. This is where the legislator introduced the exception for handling stolen data (our translation):

The restrictions on search and seizure do not apply where there is proable cause to assume that the privileged person was involved in the act or in handling stolen data, was an accessory after the fact, obstructed punishment or was receiving and disposing of stolen goods […].

This means that if a journalist is using materials that another person – for example, a whistleblower – had acquired illegally, the source can be revealed by a seizure of these materials; this, too, a severe interference with the freedom of the press and of broadcasting.

Sloppily drafted exceptions: Insufficient protection of informants and auxiliaries

The legislator did notice the dangerous potential of the new provision, but the exceptions for journalists are much to narrow, and were sloppily drafted.

Section 202d(3) of the Criminal Code provides for exceptions only for actions that “exclusively” serve the fulfilment of lawful offical or professional duties. This includes the actions of “professional” journalists (translation by Sebastian Golla):

(3) Subsection (1) does not apply to actions which exclusively aim at fulfilling lawful  offical or professional duties. These particularly include […]

2.    those professional actions by a person listed under section 53(1) 1st sentence no. 5 of the Code of Criminal Procedure by means of which data is received, processed or published.

These exceptions are already insufficient for journalists, as they do not include part-time journalists or journalists who also act on private motivation, i.e., not “exclusively” to fulfil their professional duties. Moreover, “citizen journalists,” as they are often present in the blogosphere, are not sufficiently covered.

The protection is even less satisfactory for external experts, which journalists often rely on for advice. This is especially necessary in viewing and assessing leaked data; here, the press often relies on lawyers or IT experts to properly gauge the material. Such auxiliaries aren’t covered by the exception in s. 202d(3) either, and therefore risk criminal prosecution for handling “stolen” data.

A chilling effect on the freedom of the press

Through its sloppy drafting, the law therefore creates a minefield for investigative journalists and their auxiliaries.

What is even more serious than the threat of an actual conviction of journalists for receiving or passing on leaked data is the risk of criminal investigation and searches: They would destroy the relationship of trust between journalists and their sources and thereby significantly weaken journalistic research.

This chilling effect already applies without concrete investigations; even the possibility of search and seizure means that sources of information for journalists dry up and that working with leaked data becomes more difficult. Already, informants are reluctant to pass on leaked materials and thereby make them available for an independent assessment. IT experts have also become harder to convince to assist in analyzing leaked data, for fear of criminal prosecution.

Examples for working with leaks: Research on secret services, Panama Papers, Olympic Doping

GFF’s plaintiffs often work with leaks illegally obtained by whistleblowers to reveal large-scale problems; they now fear risking prosecution in future, similar cases:

• Netzpolitik.org editors Markus Beckedahl and Andre Meister regularly write about and publish documents on the work of German and international secret services, including secret documents on the work of the German foreign intelligence service.
• NDR journalist Peter Hornung was involved in analyzing the so-called Panama Papers; these leaked documents contain explosive information on offshore companies of politicians and celebrities in Panama. With two colleagues, Hornung coordinated the radio reporting in the entire ARD (Germany’s national broadcasting service). Today, he regularly works with leaks on the Volkswagen emissions scandal.
• Investigative sports reporter Hajo Seppelt’s crucial research and reports for ARD revealed the systematic Russian doping.
• Jürgen Schmidt, editor of the IT magazine c’t and of the online platform heise Security, revealed grave security issues in online banking and credit card payments; for his research, he has to rely on a network of external IT experts.
• Attorney Ansgar Koreng and IT expert Mike Kuketz are regularly asked to support reporters with their expertise as auxiliaries.

Had the provision on handling stolen data been in force at the time of these reportings, the plaintiffs would probably have been liable to prosecution in several of these cases.

The example of “LOVOO”

The “LOVOO” case is a good example of the criminal law problems in working with whistleblower leaks. This online dating agency provides certain basic functions and an app at no cost. Establishing contact with other users through messages requires so-called “credits” which need to be purchased.

In late summer of 2015, an editor of c’t, an IT magazine, received an archive of 50GB of data. This archive contained – so the anonymous tipster claimed – emails from the top management of LOVOO, screenshots and the source code of software used by LOVOO.

Analyzing the archive, c’t journalist Holger Bleich and his colleagues found emails revealing that the LOVOO managers decided to boost sales in credits by motivating male users of the platform to use the profitable premium functions. In order to do so, LOVOO used computer programs (so-called bots) that simulated female users – internally called “do good” and “chat banana.” These bots sent messages to male users that were allegedly written by female users; recipients could only answer if they first bought credits. In the belief that they were flirting with real-world women, thousands of male useds purchased such credits – a clear case of aggravated fraud or computer fraud (sections 263 and 263 of the German Criminal Code) in thousands of cases.

Bleich and his c’t colleagues revealed this large-scale scam to the public. When LOVOO – unsuccessfully – took legal steps against the series of articles, the publisher passed the matter on to its attorney. In order to examine to what extent reporting on allegations was lawful, he, too, had to sift through the data from the LOVOO leak.

The c’t reporting led to criminal investigations against LOVOO, including search and seizure and arrest warrants. The prosecution estimated the aggregated sales volume from the scam at a minimum of 1.2m €; c’t estimates much higher amounts. The charges were finally dismissed against payment of millions of Euros – although the Federal Supreme Court provides for prison sentences without probation in cases of damages in the seven figures.

The LOVOO case exemplifies how important press reporting is for revealing scams and other abuses and demonstrates the role of auxiliaries such as IT experts or lawyers. Had the case happened after the Criminal Code amendment, those involved would have had to fear criminal prosecution – the journalists for acting also on private motivation, the lawyer because he is not a journalist. Moreover, the whistleblower would have had to fear a search of the c’d editorial rooms and thereby a revelation of his or her identiy. These conditions mean that investigative reporting as in the LOVOO case is playing with fire.

Cooperation with a Humboldt Law Clinic

For this constitutional complaint, GFF worked with a legal clinic for the first time. The Humboldt Law Clinic Internet Law (HLCI) is headed by GFF’s representative in the case, Prof. Dr. Katharina de la Durantaye, LL.M. (Yale). Law Clinics are education formats that train students on real-life cases. The Humboldt Law Clinic was co-founded in 2010 by GFF board member Nora Markard, at first in the area of Fundamental and Human Rights (HLCMR); in 2012/13, the Internet Law Clinic joined.

The HLCI students developed plaintiff profiles, examining what type of person would most clearly represent the legal issues of the complaint. On this basis, GFF and Reporters without Borders then approached possible plaintiffs. Moreover, the students supplied research.

Through project such as this one, GFF is seeking to familiarize students with issues of constitutional litigation and the importance of the freedom of the press. Defending civil rights requires well-educated lawyers who care about these rights. GFF’s US partners, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), have therefore partnered with legal clinics to remarkable success.

Prospects of success

The constitutional complaint aims at declaring the new provisions null and void, in order to protect the plaintiffs and all other journalists from criminal prosecution and search and seizure. Thereby, GFF and its partners seek to prevent that the new provisions exert a chilling effect on informants and journalistic sources and thereby interfere with investigative journalism.

Plaintiffs also hope that the Constitutional Court will declare that the constitutional protection of the freedom of the press also covers bloggers, lay journalists and external auxiliaries such as the IT expert and lawyer plaintiffs. A clear judgment in this matter would also have international effects: It would be an important signal against the efforts of dictators and authoritarian governments to advance a narrow interpretation of journalists up to UN resolutions, excluding citizen journalists and bloggers from the freedom of the press in order to more easily control information.

Further information (in German):

• Handling stolen data – FAQ
• Constitutional complaint as a PDF
• Online petition by Reporter ohne Grenzen to support the case
• More by netzpolitik.org on handling stolen data
• More on the work of Reporters without Borders on freedom of information on the internet

Litigation is expensive – get involved by becoming a sustaining member of GFF!