The Federal Constitutional Court has dismissed a constitutional complaint directed against paragraph 54 on “preventive police” source telecommunications monitoring (Quellen-TKÜ) in the Baden-Württemberg police law. The First Senate decided that the action was inadmissible. He justified this mainly with the fact that the complainants had not sufficiently demonstrated that they were affected by the clause and the associated option to use state Trojans.
The complaint against the amendment to the law from 2017 was filed by the Society for Freedom Rights (GFF) together with supporters from the Chaos Computer Club Stuttgart, two lawyers and journalists, an online retailer and a purchasing company for Internet providers at the end of 2018. The plaintiffs complained that for the permitted source TKÜ to intercept encrypted communication via WhatsApp, Signal and Threema, IT security gaps might have to be exploited through zero-day exploits.
“Obligation to protect fundamental rights”
The investigators have no interest in the manufacturers closing the vulnerabilities, the complaint said. Cyber criminals could also access it. This is incompatible with the state’s mandate to protect citizens and the basic right to the confidentiality and integrity of IT systems established by the Federal Constitutional Court itself.
According to that on Wednesday published decision of the Federal Constitutional Court of June 8, 2021 (Ref .: 1 BvR 2771/18) there is a “fundamental right to protection obligation”. Telecommunications secrecy and the so-called basic computer right are affected. In principle, the informational self-determination of users is threatened because access to their data allows “extensive knowledge of personal information to be gained”. In addition, security gaps have “a potential for damage that goes far beyond the disclosure of personal information”: Third parties could penetrate systems, manipulate them and disrupt processes to the detriment of those affected.
“The risk of infiltration by third parties is associated with a particular risk of blackmail,” emphasized the Karlsruhe judges. The state duty to protect therefore includes a requirement for the legislature to “regulate the handling of the police authorities with such IT security gaps”, for example via weak point management, even if the instrument of the source TKÜ is not “constitutionally inadmissible from the outset” be. Every gap does not have to be reported “immediately and absolutely to the manufacturer”, but the “conflict of objectives” has to be resolved in accordance with fundamental rights.
According to the Senate, however, the complainants did not give the necessary reasons that the established protection mandate could actually have been violated by them. They said that they had neither presented nor executed the relevant legal rules for the protection of IT systems “in their basic features, for which specific reasons the provisions” lagged significantly behind the protection goal, even when viewed as a whole “. In addition, the plaintiffs would have been required to first turn to the administrative courts in order to have them interpret various provisions of “police, data protection, cybersecurity and IT security law”.
“Great success for IT security” – despite the failure
Despite the legal failure, the GFF chairman Ulf Buermeyer sees the decision as a “great success for IT security”. In the reasoning, the judges had given the plaintiffs and the legal representative Tobias Singelnstein “largely right”. In the future, the police must determine the associated dangers “with every decision to keep an undetected security gap open”, determine the “quantitative and qualitative benefits of possible official infiltration by means of this gap” and put the two in relation to one another. The weak point should be reported to the manufacturer if the interest in keeping it open does not prevail.
Numerous other constitutional complaints against state Trojans are still pending. The GFF alone took action against seven other corresponding laws in Karlsruhe. She is planning further lawsuits, for example against the new authority for all secret services, where the FDP has already advanced.