The German Government passed amendments to the German Criminal Procedure Code (‘GCPC’) on 7 July 2017 which provide new powers for the public prosecutor, based on a court order, to install so-called ‘State Trojans’ on electronic devices for the purpose of telecommunications surveillance and to carry out online searches including on mobile devices without notifying the suspect. Dr Hendrik Schöttle, Partner at Osborne Clarke, spoke to Digital Business Lawyer about the possible implications of the amendments for encrypted messaging service providers in Germany.
What powers have the amendments granted to the German Government?
The German Government has empowered law enforcement agencies to carry out online investigations of suspects without their knowledge by means of the installation of software on their devices, known as the ‘State Trojan.’ The Trojan would be installed on the device and would be able to read communication prior to its encryption on services such as WhatsApp and otherwise garner information about a suspect. Until now, Section 100a and 100b of the GCPC have only permitted the surveillance of telecommunications networks via network providers, but the amendment goes much further in that it enables the installation of the ‘State Trojan’ on a device without the knowledge of the owner, permitting the surveillance of their communications at source. This surveillance has been made permissible for a broad catalogue of almost 30 criminal acts including receiving stolen goods and drugs related offences. This goes far beyond what the Federal Constitutional Court had ruled to be permissible in a 2008 decision which permitted surveillance where there was a “concrete danger to an especially important legal right, such as life, limb, and personal freedom, as well as general public goods which, if threatened, would affect the basis or continued existence of the state or the basis of human existence1.”
Are you surprised by the passing of the amendments?
Given the speed of the introduction of the measure, many have been caught off guard with respect to the changes. It was introduced with little public debate and scrutiny. The State had, however, been criticised for a lack of legal basis for the State Trojan program. Given the strong, mounting criticism and the potential illegality of the State’s actions in using the Trojan without a legal basis, it is not surprising that they acted swiftly to provide themselves with a legal ground upon which the project could rest.
What are the implications of the amendments for cyber security?
In order for the State Trojan to be of any use to the German Government, it needs to be installed on the relevant device without the knowledge of the user. Physical installation is usually impossible without alerting the user, so the deployment of the Trojan requires the use of software vulnerabilities to function. As with every unpatched software vulnerability, it may also be exploited by other third parties for nefarious purposes. The clear implication of the amendment is that German law enforcement agencies will be incentivised to retain information on vulnerabilities for their own use, leaving software developers on their own in the fight to keep their software protected from hacking. Cyber security thus becomes simultaneously more important and more challenging than ever, as the assistance of law enforcement in closing known vulnerabilities can no longer be relied upon.
Of more concern, though, is the possibility of governments obliging software companies to open up vulnerabilities and backdoors in their software in order to allow the installation of a Trojan - just as happened in America in the recent case between Apple and the FBI. However, the German amendments do not oblige software companies to proactively implement backdoors or vulnerabilities.
Are there likely to be legal challenges to the amendments?
Legal challenges to the amendments are almost certain. There have already been a series of legal challenges to the State Trojan even before the passing of these particular amendments - including by a former Home Secretary and the President of the Berlin section of the German Bar Association. The German Bar Association has already issued a statement criticising both the substance of the amendments and the method of their introduction, indicating strong opposition. It seems very likely that the amendments will be challenged, especially given the manner in which they were introduced.
Are we likely to see other governments introduce similar measures?
Within Europe, it may be that other governments will look to the results of any legal challenges before introducing such measures. Amidst growing concerns over terrorism and security, and a desire to provide law enforcement bodies with more effective investigative tools, there could be a rise in these types of laws. In the UK, for example, the Government was contemplating an unpopular ban on encrypted messaging services as late as 2015. A law mirroring the German amendment would enable security services to read messages prior to their encryption, thus avoiding the need to ban such encrypted messaging.
Will this have an impact on the use of encrypted messaging services in Germany?
The effect on encrypted messaging services in Germany is both minimal and, paradoxically, enormous. It is minimal in that encrypted messaging services will be able to function normally and should remain unaffected by the law. On the other hand, the effect on these services cannot be understated: on devices infected with the Trojan, the encryption is rendered futile - messages are readable on the device prior to their encryption. Should the Trojan be used frequently by the State, or be used by a non-State actor, encrypted messaging services will remain available but their encryption would be completely circumvented. They will be simultaneously usable and useless.
One fundamental risk will be the quality of the tools used by the German authorities. Every tool which is not updated and secured with the latest security measures will be vulnerable not only to the authorities but also to any third party. In 2011, the then existing State Trojan was examined by IT professionals who discovered a huge number of security gaps in the software, including unencrypted transfer of data via servers in the US without any additional safeguards. While this would already have constituted an infringement of data protection law under normal circumstances, its consequences are even worse where sensitive and confidential information is transferred. Time will only tell whether the quality of such software will increase.
Dr Hendrik Schöttle Partner
Osborne Clarke, Germany
Take a 7 day free trial: click here
For more detailed infromation on our subscription options please contact Conor Molloy on +44 (0) 20 70 121 387 or email email@example.com