Can the state play hackers? If necessary already. But it needs rules. Citizens need to be protected from cyber criminals. With a decision of the highest court, the plaintiff and the country can live.
The Federal Constitutional Court holds the state responsible for IT security.
In a decision published on Wednesday, the Karlsruhe judges rejected a constitutional complaint against the use of so-called state Trojans by the Baden-Württemberg police as inadmissible. At the same time, however, the Karlsruhe judges emphasized the state’s duty to protect against IT security gaps. Authorities need rules if they use as yet unknown security gaps in surveillance software to avert danger, and they have to carefully weigh the use (AZ: 1 BvR 2771/18).
With the support of the Society for Freedom Rights (GFF), seven complainants, including the Chaos Computer Club Stuttgart, sued the Baden-Württemberg Police Act. From their point of view, the law creates incentives for the police to keep security gaps secret instead of reporting them to the manufacturers. In this way, lawmakers are willing to accept cyber attacks with which criminals could gain access to confidential data. The complaint was unsuccessful. The plaintiffs had inadequately explained whether the law violated the state’s duty to protect. They could also have taken the normal legal process first.
GFF boss Ulf Buermeyer nevertheless welcomed the judge’s verdict: “The decision is a great success for IT security.” Politicians must take precautions so that cyber criminals and foreign secret services do not benefit from security gaps that German authorities deliberately do not allow to close. The current revelations about the Pegasus software from the Israeli manufacturer NSO underline how important this is to protect journalists and human rights activists worldwide.
The Baden-Württemberg Ministry of the Interior also expressed its satisfaction. “The Baden-Württemberg police use the legal possibilities of the police law to ward off dangers and prevent criminal offenses,” emphasized a spokesman. The so-called source telecommunications surveillance (TKÜ) is an important component in the fight against terrorist threats and the most serious crimes. They are used “with a great deal of judgment and after careful consideration based on the individual case”.
The 19-page court ruling states: The TKÜ is “not constitutionally inadmissible from the outset”, and an authority does not have to report every undetected IT security gap to the manufacturer immediately. But, according to the constitutional judges: «It must be ensured that the authority determines, on the one hand, the risk of further dissemination of knowledge of this security hole, and on the other hand, quantitatively and qualitatively determines the benefit of possible official infiltrations by means of this hole, whenever a decision is made to keep an undetected security gap open. puts both in relation to each other and reports the security gap to the manufacturer if the interest in keeping the gap open does not prevail. ”
From the GFF’s point of view, the legal situation in Baden-Württemberg does not meet these requirements. The ministry sees it differently, but wants to intensively examine the reasons for the decision.
The GFF has lodged constitutional complaints against seven other laws that allow the use of state Trojans and is also planning lawsuits against their use by the constitutional protection agencies and the Federal Intelligence Service.
David William is a talented author who has made a name for himself in the world of writing. He is a professional author who writes on a wide range of topics, from general interest to opinion news. David is currently working as a writer at 24 hours worlds where he brings his unique perspective and in-depth research to his articles, making them both informative and engaging.
