Q&A: The use of court-ordered Trojans in Germany
The German Parliament passed amendments to the German Criminal Procedure Code ('GCPC') on 7 July 2017 in an effort to improve criminal prosecution in light of the use of technology. 'The Act for more effective and practicable design of criminal procedure' contains amendments to the GCPC to simplify and accelerate criminal procedures, which includes new powers for the public prosecutor, based on a court order, to introduce inquisitive software tools (so-called 'government Trojans') for telecommunications surveillance (Section 100a GCPC) and new powers to carry out online searches including on mobile devices (Section 100b GCPC) without informing the suspect. In such a context, the public prosecutor may if necessary circumvent encryption technologies embedded in the telecommunication technology and/or related devices of the suspects. Cyber Security Practitioner spoke to Dr Alexander Duisberg, Partner at Bird & Bird, about the amendments and the possible implications for cyber security.
Are you surprised by the passing of the amendment to the GCPC?
No, not really. The issue has been long debated. The German Government included a chapter on telecommunications surveillance in its coalition agreement from 2013, and the terrorist assaults as well as the human trafficking incidents reported in 2015 and 2016 have spurred the debate. The concrete draft was part of a joint effort between the political parties to "get it done" before the summer break and before entering into the Federal elections at the end of September. The measures have been taken in order to enable our enforcement agencies to be more effective, and to identify and combat illegal activities "at the source of communication in our technology-enabled world.”"
What are the implications of the amendments for cyber security?
Experts fear that the use of Trojan software may jeopardise cyber security. Prosecutors must take advantage of security flaws in operating systems or other components on devices in order to deploy the necessary software on the devices. By doing so, rather than giving the developer a chance to fix the vulnerabilities, incidents such as the recent WannaCry ransomware attack may happen more often. The Act provides certain safeguards to prevent harmful use: prosecutors must protect the malware they utilise against unauthorised use and they must undo all changes to the system after completing the interception and to technically protect any extracted data against modification, unauthorised deletion and unauthorised perusal.
Are there likely to be legal challenges to the amendments?
Yes, that’s not unlikely. Criminal suspects and other affected individuals will easily be able to submit a complaint with our Constitutional Court, which is our custodian of human rights, and which is vigilant in striking the balance between constitutional rights and Government intervention. In particular, it remains to be seen whether the Court will define additional boundaries in regard to the 'computer constitutional right,' i.e. the 'individual right on the integrity of information technology systems' (derived from Article 2 of the Law for the Federal Republic of Germany) and the rules on telecommunications secrecy (Article 10 of the Law for the Federal Republic of Germany). Critics have claimed that certain crimes listed in the catalogues of Sections 100a and 100ab may not be severe enough to justify the level of intrusion.
Are we likely to see other governments introduce similar measures?
Several governments have already allowed the use of Trojans in criminal investigations. Prominent examples include the UK with its 'Snooper’s Charter,' France with its 'loi relative au renseignement,' and the US with its amendments to Rule 41 of the Federal Rules of Criminal Procedure. The Italian Parliament is also discussing a similar proposal. By and large, it is inevitable that a suitable framework is established that allows prosecutors and enforcement agencies to operate efficiently in the cyber environment on the one hand - noting that it remains a delicate balance to protect human rights - and the need to protect the intimacy of human communication on the other.
Will this have an impact on the use of encrypted messaging services in Germany?
Nearly 70% of all internet users in Germany currently use messaging services, most of which are now encrypted at least at a base layer. WhatsApp and similar services have replaced text messages especially among the younger population and have become the preferred choice of communication. The way the amendments to the GCPC are drafted, it is unlikely that particular modes of messaging or communication will remain exempt from surveillance and Trojan software deployment - if and when a court has ordered the use of a specific measure in respect of a particular suspect. In other words, it will turn out to be a risk that the general public accepts.
Do you have anything further to add?
Germany has made an important step forward, in order to have the tools at hand for combating cyber crime, terrorist acts and criminal organisations, which more and more avail themselves of the internet, the 'dark net' and remote communication. Obviously, judicial control is key in order to safeguard fundamental constitutional rights for each affected individual. Germany has set the conditions in the proper manner - even if judicial challenges are likely to come up in the near to mid term.
This article first appeared in Cyber Security Practitioner July 2017.
