License to hack: domestic internet intelligence powers growing in Germany

The domestic intelligence agency (Verfassungsschutz) in the German state of North-Rhine Westfalia (NRW) will be allowed to hack into the computers of "terrorist" suspects, if a bill currently under discussion in the state parliament is adopted. According to the bill, the agency will get the new competence for

"clandestine observation or other reconnaissance of the Internet, in particular the hidden participation in its communication facilities or the search for them, and clandestine access to information technology systems by technical means" (my translation).

The ruling conservative-liberal coalition is arguing that this is only a clarification of existing competences for communication interception. The social democratic party is opposing the bill. Karsten Rudolph, spokesperson for domestic affairs of the SPD in NRW, called the new regulation "governmentally organized trespassing".

The public justifications for this enlargement of intelligence powers are in fact questionable. Liberal domestic affairs minister Ingo Wolf refers to the fact that the alledged suitcase bombers, who were caught in Germany recently after a futile attempt to blow up two trains, had found the plans for building their bombs on the Internet. But he did not explain how intelligence service hackers could have detected or even prevented this, given the fact that the assassins had not attracted any attention before.

Another change in the NRW intelligence agency act, according to the bill, would be the duty of banks, telcoms and other industries to give information about their customers to intelligence agents if asked by them. This obligation, introduced after the attacks of 11 September 2001, so far only applied if the perceived threat to the constitution and the state were a foreign power or an international terrorist organization. Now, corporations would also have to give information about their customers in cases of

"efforts which are directed against the liberal democratic fundamental order, the existence or the security of the federal republic or a state, or which aim at an illegal interference with the administration of the constitutional powers of the federal republic or its members" (my translation).

Publicly, this is referred to as "terrorism", but in the German past has on various occasions also hit political opposition movements as well as religious groups.

The new bill seems to be part of a conservative campaign to establish extensive domestic surveillance powers for the Internet. Federal domestic affairs minister Wolfgang Schäuble announced further plans for widening intelligence powers on the Internet, and the German government recently decided to raise personell and spending for Internet activities of the federal domestic intelligence agency. In the state of Schleswig-Holstein, the conservative government is planning to establish a mandatory data retention scheme for web anonymizer services, which would go much further than the EU data retention directive envisages. The federal crime agency (BKA) is currently working on a central database for Internet investigations. German law enforcement agencies are already "patrolling" the public parts of the Internet without initial suspicion, and have established a coordination agency for this as early as 1998.

While the Internet gets more and more into the focus of law enforcement and intelligence agencies, other sectors have lost their attractiveness. The new bill in NRW upholds the information duty for companies about their customers only for the financial services sector and for telecommunications providers. The regulations that so far had also established this duty for postal services and airlines will be cancelled. If they don't want airline passenger data anymore, why are the European governments so keen on legalizing the PNR agreement with the USA?

(This article also appeared in EDRi-gram no. 4.17 which was published half an hour ago.)