Investigations on the Internet: Traffic light coalition heading for conflict

Status: 09/14/2022 07:05 a.m.

Data retention and state hacking: Interior Minister Faeser wants to give the security authorities more powers and tools. Little consideration is given to the Greens and the FDP.

By Manuel Bewarder, WDR/NDR, and Florian Flade, WDR

The next dispute within the traffic light coalition could arise in just a few days. This time it is not about arms deliveries or the Infection Protection Act, but about fighting crime in the digital age. Should telecommunications providers be obliged to store customer data without a specific reason so that law enforcement authorities can later identify suspects more easily during investigations? At issue is so-called data retention (VDS).

Faeser wants a minimum storage period

Federal Interior Minister Nancy Faeser (SPD) wants to reintroduce the minimum storage period. It has been on hold since 2017 due to a decision by the Federal Constitutional Court. According to the Federal Ministry of the Interior, such a regulation is urgently needed to more effectively combat depictions of child abuse or hate crime. In many cases, suspects can no longer be identified because their IP addresses – the individual house number on the Internet, so to speak – have since been deleted.

On September 20, the European Court of Justice (ECJ) is set to announce its decision on data retention. The government then intends to draw up a new regulation that conforms to the Basic Law. And it is precisely here that the coalition is heading straight for a dispute, because Faeser's idea of storing data without cause is largely rejected by the FDP and the Greens.

Federal Minister of Justice Marco Buschmann (FDP) only wants to allow a so-called quick freeze. Under this procedure, Internet providers are asked to store the data of individual suspects for a certain period of time only if there is a concrete initial suspicion. It should also be possible only if there are indications of serious crimes. This is a clear rejection of the interior minister's plans.

Tensions are simmering in the traffic light coalition. According to information from WDR and NDR, data retention is just one of several points of contention when it comes to the work of security authorities in the digital world. It is also about government hacking. Faeser would like more powers for the security authorities, while the Greens and FDP demand more control and a clear legal framework. So far, however, Faeser's ministry has presented few concrete proposals, according to coalition circles. Some projects are also not compatible with the coalition agreement.

“Hackback” or “active defense”?

The dispute has already escalated once: The Central Office for Information Technology in the Security Sector (ZITiS) is to develop or buy tools such as “Trojans” for the security authorities. So far, however, ZITiS has operated without a law of its own. The Greens and FDP therefore pushed through a blocking notice against the SPD during the budget negotiations: new money for the “hacker authority” will flow only if there is a legislative proposal. According to coalition circles, this should in fact come soon.

The question of whether the state should actively fight back in the event of a cyber attack is also controversial. Such countermeasures are also called “hackback” – which according to the coalition agreement should not exist. The interior minister doesn’t use this word publicly either, preferring to speak of “active security in cyberspace.”

According to information from WDR and NDR, the considerations on this in the Ministry of the Interior are already quite mature. The minister does not want to go to the most aggressive level: servers abroad used in hacker attacks should apparently not be destroyed. Rather, it should be about fending off attacks, for example by actively redirecting them.

It has not yet been clarified which authority could take on the task of digital security. An amendment to the Basic Law would probably be necessary, because security in cyberspace is still a matter for the federal states.

For years, the federal police have been campaigning behind the scenes to take over the protection of the German networks. And in fact, the officials have a lot of experience with breaking into encrypted data, investigating hackers and examining agents' radio signals. The federal police are said to have even helped the CIA to crack encrypted devices belonging to al-Qaeda terrorists.

“If we could, we could”

However, the Federal Intelligence Service (BND) is also likely to have sufficient expertise for a hackback. “If we could, we could,” said BND President Bruno Kahl a few years ago. And finally, there is the Federal Criminal Police Office (BKA), which is often involved in averting danger and has a lot of experience in investigating cybercriminals.

The list of controversial topics in the cyber area goes even further. There is the question of whether the police and secret services should use so-called state Trojans in order to secretly monitor communications on mobile phones. The Greens and the FDP take a very critical view of this, even though this tool has so far been used only very rarely. It has been used for criminal prosecution since the summer of 2017.

The Federal Office of Justice has just published the 2020 statistics on telecommunications surveillance. In fact, the “state Trojan” was used nationwide only 14 times in 2020. So the German police do hack, albeit at a low level, and with an unclear future. The coalition agreement reads more as a rejection of state hacking.

The federal police should therefore not be allowed to use “Trojans”. According to information from WDR and NDR, however, this power is again included in the Ministry of the Interior's current deliberations on a new federal police law. The ministry declined to comment on this. According to a spokeswoman, voting on the content has not yet been completed.

Mandatory vulnerability management

The coalition agreement is also clear on another point: the exploitation of IT security vulnerabilities. These are used not only by criminals to penetrate third-party IT systems; investigators also repeatedly try to use such security gaps. The conflict here: if such gaps in systems affect many people, then the state could probably avert far-reaching damage by closing them.

The Federal Constitutional Court in Karlsruhe made it clear last year with a decision on the Baden-Württemberg police law: the state is obliged to introduce “vulnerability management”, a process in which it is decided which vulnerabilities should be closed and which can be exploited for hacking.

What such “vulnerability management” should look like is currently unclear. There is a working group in the Ministry of the Interior that is supposed to make suggestions. It will probably come down to a weighing of interests: investigators should be allowed to use gaps if they affect only a small number of people. However, it is questionable how this can be ensured.

This is because the authorities have long since not only developed their own Trojans, but also buy such tools. And, as expected, the manufacturers are reluctant to reveal the security gaps exploited by a commercial product such as the powerful “Pegasus” spyware from Israel. After all, these gaps are the secret door openers and are traded for a lot of money.
