How Germany jeopardizes its reputation as a country with the strictest privacy laws
Shortly before a conference held in Leipzig between the state ministers of the interior in Germany, reports on the website Redaktionsnetzwerk Deutschland (RND, source in German) emerged which suggested that the minister Thomas de Maizière intends to make a push towards enabling "spying on privately owned vehicles, computers and Smart-TVs”. The reports referenced an initiative of the Department of Justice, which broadened the catalog of surveillance measures available to law enforcement in Germany. It was agreed on on June 22nd. According to this initiative, surveillance measures for “information technology systems” may be put in place against a suspect in a criminal case. This addendum became known and was heavily discussed in Germany as “Quellen TKÜ” (which translates roughly to “surveillance of telecommunications at the source”). The manner in which the measures were added by parliament, however was heavily criticized by the former German Federal Data Protection Officer Peter Schaar as well as other officials. It was also claimed that plans were made for a total mass surveillance of citizens and concerns were expressed about the measures being unconstitutional. The report on RND was interpreted in a way, which could also be understood as "plans that force manufacturers to implement backdoors in their products" in order to enable law enforcement to access certain information.
Johannes Dimroth, spokesman to the German Ministry of the Interior, issued a statement in a video on Twitter, in which he points out that this discussion is based on a misunderstanding. The subject of the conference was neither the access to computers or smartphones, nor a broadening of the range of measures available to law enforcement. He made it clear that the intention of the Ministry of the Interior is not to introduce mandatory backdoors.
For years, G DATA has been standing for a „No Backdoor“ policy – and we have no intention of changing anything about this. On that note, discussions about backdoors for use by the state is by no means new. The information revealed by Edward Snowden as well as the Vault7 documents are an impressive demonstration which makes it clear that in some countries, authorities already have the capabilities to spy and eavesdrop on individuals with little or no serious external control. During the Vault7 leak, some tools were made public, which were promptly adapted by criminals. For instance, the „Eternalblue“ exploit on which Wannacry was built, originates from a tool collection of a US intelligence agency. This example serves to emphasize how dangerous those activities are: the tools cannot be kept secret and under wraps indefinitely. If they fall into the wrong hands, criminals get our most private and sensitive data served on a silver platter. It is only a matter of time before a "federal backdoor" is discovered - and criminals will have no qualms making use of such knowledge.
So far, initiatives from the German Department of Justice as well as the Ministry of the Interior have yet to provide a conclusive set of arguments on how to implement their ideas without compromising the security of the entire ecosystem of IT security and privacy. Declarations of intent are by no means sufficient. Without a set of transparent guidelines, discussions like this will lead to uncertainty and a loss of trust. The potential benefits (even of worthwhile measures) and negative side effects are very disproportionate.
What the discussion at the conference really revolved around is the topic of how to ensure that law enforcement has the technical means to execute a warrant once it was issued by a judge. In practice, warrants often cannot be executed due to the presence of safety systems, both in vehicles as well as residential buildings. Minister de Maizière also denied the allegations about backdoors during a press briefing after the conference. "There never was such a suggestion made by me. […] Law enforcement needs be able to do technically what it is allowed to do legally.” He further stated that suitable measures are currently being evaluated.
There is a lot of tension and controversy between a desire to "maintain the authorities‘ effectiveness and capability to act" and asking the question "to what extent and under which circumstances may privacy be invaded?" (see comment section of the tweet mentioned above).
What is important, though, is not your position on this subject. The important thing is to look at the effects that such a discussion about surveillance and “Federal Trojans” have. The prime concern behind the discussion is that effective security measures are to be weakened by law. With this in mind, the RND report has left many people wondering both inside as well as outside of Germany. This report was not the first of its kind. Discussions in Germany about accessing encrypted data, broadening the use of video surveillance as well as face recognition technologies are followed very closely by people in other countries. The most prominent example would be Edward Snowden, who states that there is a „wave of illiberal thinking” when even places like Germany want to enforce backdoors to enable covert surveillance. Norbert Pohlmann of the „eco“ Association of the Internet Industry also sees the danger of a loss of trust in digital technologies. "The mere discussion of new surveillance measure weakens the users‘ trust in internet-based technologies and inflicts a lot of damage on Germany’s online commerce."
We have received requests for comments on this topic both from concerned customers as well as journalists from Poland, Italy and other European countries. It seems that Germany is starting to lose its image of being a country with the strictest data protection and pricacy laws and standards, which has consequences for G DATA as well as the entire security industry.
Ever since the discussion about a Federal Trojan we have committed ourselves to a „no backdoor guarantee“. Almost from the beginning, G Data has also been involved very heavily in the TeleTrusT-Initiative "IT-Security Made in Germany" (ITSMIG) and agreed to meet their very strict criteria. More than 170 companies have joined the ITSMIG initiative since. The current discussion about softening up security measures have negative consequences on the entire IT security industry and beyond. Who wants to buy a new Smart TV when you have to fear that it might turn into an Orwellian Telescreen? The discussion will also harm the acceptance for connected cars, if drivers and travelers worry about all of their data being transmitted.
We would like to further back our committment with our „My data remains in Europe” campaign. This campaign is to assure all of our customers, that we treat all sensitive data with the utmost care and treat them according to Germany’s strict laws. For G DATA, protecting privacy is at least as important as protecting PCs and networks. However, in light of the discussion about softening up protective measures, the promise that G DATA makes, suddenly takes on a menacing twist in the eyes of some customers. We would like to emphasize that there is no basis in facts to this.
We trust and hope that the new government will work to clear up the misunderstanding also work to uphold Germany’s reputation for having the strictest legislation in the world in terms of privacy and data protection. We also hope that the new government will also reject any efforts to weaken security standards.