FECL 44 (June 1996):
Last year, the parties of the German coalition government and the opposition Social Democrat Party agreed on a draft Telecommunication Law. Negotiations took place within a small circle of initiates and, as yet, their is little awareness among the general public about the extent of the planned interception activities.
The draft's paragraph 87 is particularly problematic. It provides that law enforcement authorities and secret services shall have access at any time to the customers registers of telecommunication services. Today, they certainly no longer comprise German Telekom and the various providers of wireless communication networks only. In recent years, other service providers, such as on-line services, e-mailboxes and Internet providers have emerged in great number. Should the draft Bill become law, they would all have to see to it that "competent" authorities always have access to their data. They would even have to provide for interception to be carried out without their own or their users' knowledge. The system shall be "technically organised in such a way that retrievals [of data by the authorities] can not be recognised by the [system] provider", the provision says. Moreover, service providers must set up the necessary technical devices and computer software at their own expense.
The law enforcement and security authorities justify their claim with the particular difficulties of criminal search in the new era of computer networks and digital communication. At one time, it sufficed to obtain a court order and to find out the phone number of a suspect, in order to tap his phone conversations. Nowadays, a number of additional possibilities must be taken into account: A telephone connection at home, another one at the place of work, a separate number for the mobile phone and one for the fax machine, as well as one or several e-mail addresses. All these various means of telecommunication of one and the same user might be scattered among different service providers. All these providers offer far more than just telephone communications. They comprise electronic mail, on-line chats via computer keyboards and sending data files outside a particular network. In the digital age telecommunication means exchange of data of all kinds in every imaginable ways.
Now, the authorities want to make sure that they have at their disposal all the connection data relating to every single user in the event of a need for interception. The various authorised authorities will not have the wearisome task of compiling the data themselves. This task is to be accomplished by a particular "regulation authority" (RA). Upon request, the RA shall search the data bases of all the providers which it is connected with. In doing so, it is merely an executive agency. The RA is not authorised to verify the lawfulness of a request. In fact, the draft bill contains no provision whatsoever restricting the retrieval of data for example to the mere purpose of surveillance of suspects.
Nonetheless, the concept seems complicated and fairly harmless at first sight: after all, the data in question are spread among a multitude of small and large user registers. However, since the RA would have on-line access at any time and within seconds to all registers at once, it would (just as all law enforcement an security agencies) have at its disposal a veritable super-data base.
This database would be far more than a particularly up-to-date residents register with addresses and phone numbers. As a rule, telecommunication-service providers store not only the general data of their customers but also detailed information on the types of services they have used - simply for accountancy purposes. Thus, they keep records of which commercial data banks a user has accessed and which discussion groups he has subscribed to. Taken together, such data reveal much more about the interests and activities of a person than e.g. lending lists of libraries whose seizure requires a lengthy procedure. Authorities shall now have access to their electronic equivalents at any time. Nowhere in the draft does it say that retrieval will be limited to, for example, addresses and phone numbers.
With the multitude of services offered today, even non-suspects are likely to be registered in the course of a criminal investigation. All that is necessary is for a suspect to arrange to have his calls temporarily forwarded to the number of, for example, a completely unsuspecting business friend, who has invited him to a party. The police will merely have to retrieve the data of his telecommunication service providers and the number of the harmless business friend will end up in the list of phone numbers under surveillance.
Despite such problems the Federal Council of the Länder, which is dominated by the SPD, has called for additional tough measures: service providers must supply the authorities not only with their current customers lists, but also with old lists, and while the draft bill regulates how long at most data may be stored, the Länder demand that only the minimum storing time be regulated. Moreover, the obligation for service providers to cooperate with the law enforcement and security agencies shall be extended from commercial service providers to "business-like network operators", i.e. firms using own electronic networks for their internal data exchange. Operators of short-range radio networks, as used for example at airports, are concerned too, and if the Länder-governments have their way, even mailbox operators are likely to be liable to enable the authorities' access to their data.
The authorities' growing appetite for data on the mere grounds that telephones must occasionally be tapped, is not just accidental. Indeed the rules regarding telecommunications surveillance were thoroughly toughened already a year ago with the entry into force of an Ordinance on Telecommunications Interception (Fernmelde-Überwachungsverordnung: FÜV; see FECL No.36: "ORDINANCE PROVIDES FOR UNLIMITED SURVEILLANCE OF TELECOMMUNICATIONS"). The ordinance obliges service providers to have a so-called "interception interface" at disposal for the purpose of surveillance measures ordered by a court. Here too, the necessary additional equipment and software is at the expense of the provider. Providers who failed to meet this requirement until 31 May are facing severe fines.
Together with the ordinance, the Telecommunications Law, if adopted, would imply that the technical equipment of every telecommunications service must consist of at least three lines: one for the customers, one for the unrestricted and unnoticed retrieval of customers' data by the regulation authority, and one to enable interception measures ordered by a court. Actually, the ordinance provides that "more than one surveillance measure per telephone connection" must be possible.
The extensive use of telephone tapping is nothing new in Germany. In proportion to population, surveillance measures are ten times more frequent than in the USA. Moreover, German legislation does not provide for courts to check the efficiency of an ordered interception measure. On the contrary, the draft Telecommunications Law prohibits the disclosure even of surveillance statistics. Thus the draft law is to definitively establish the rigid rules introduced by the ordinance.
The matter is no longer about conversations only. With computers and telecommunications networks steadily developing into a new medium, new forms of their use are constantly arising, e.g. telework, telebanking and telemedicine. Already today fundamental liberties, such as the constitutional freedom of press, are undermined to a large extent. Once connection data may be seized, from which it follows whom an editor has called and who has called him, there can no longer be question of any protection of sources.
The public German TV-channel ZDF made this experience during the search for a criminal real estate operator. From a mobile phone-service provider the prosecution authorities got the connection data of the ZDF journalists working on the case.
The Berlin Data Protection Commissioner, Hansjürgen Garstka, regards the draft law as a step towards drastically increased surveillance and claims that telecommunication networks are being made the "permanent criminal investigation network of the police and the office of public prosecution". Manuel Kiper, a Green Member of the Federal Parliament and his party's expert on post an telecommunication warns against "making the Telecommunication Law a tapping law".
However, apart from the little band of professional data protection people, the draft bill has barely drawn criticism. There is no comparison with the storm of protest in the USA in 1995-96 when the American equivalent to the FÜV-ordinance, the Digital Telephony Bill was presented. Yet the US bill did not provide surveillance to the same extent as envisaged in Germany, nor were the service providers to bear the costs of the necessary technical adaptions. This last point has hitherto been the only aspect of the draft law that has upset some providers in Germany. Already when the ordinance was introduced, the wireless telecommunication providers Mannesmann and E-Plus feared that additional costs for new lines and technical modifications could amount to two digit figures in millions of D-Mark. In a letter to politicians in charge of post and telecommunications, the two companies protested at being burdened with criminal prosecution tasks and threatened with legal proceedings. Nothing has, however, happened so far.
A small service provider in Cologne wondered what benefit the police were expecting to draw from the data of network users, since increased surveillance would merely result in users encoding their data. Indeed the necessary software is widely available. One programme even allows for encoding telephone conversations. Such practices can not even be eliminated by a general ban on encoding programmes. There is actually already software making it possible to "hide" encoded messages before their transmission, e.g. in apparently innocent image files.
Supporters of generalised surveillance do not seem to be discouraged by such prospects.
The Federal Constitutional Court could, however, bring new movement to the debate. A Hamburg professor of criminal law and drug expert, Michael Köhler (see FECL No.36: "CONSTITUTIONAL COURT PARTLY INVALIDATES ANTI-CRIME LAW") has filed a complaint with the Court against the systematic interception of foreign calls by the German Foreign Intelligence Service, the BND. To evaluate this mass of data the BND makes use of electronic "filters" that sift all conversations for suspect words such as "drugs" and "weapons". Köhler holds that he often talks about drugs on the phone for professional reasons and that he is therefore constantly running the risk of getting into the BND's search-by-screening system. This, he says, is a breach of the Constitution. A decision of the Federal Constitutional Court is expected before the end of this year. This is why the advocates of the new Telecommunication Law are showing particular haste: according to the Government's plans, the law is to be adopted before the summer vacation.
If the law actually enters into force, the confidentiality of telecommunications will be seriously weakened. "Without privacy of telecommunications there will no longer be any secrets in the information society", Ute Bernard of FIfF, a German organisation of critical computer scientists contends. That the authors of the draft Telecommunication Law are not particularly concerned with privacy can be deduced from the fact that they simply forgot to state a penalty for offences against the privacy of telecommunications. Thus, if the draft Law is adopted in its present form, anyone unlawfully infringing on privacy will commit an act prohibited by law, but will not be punishable ...
The author is a computer scientist and an assistant of Manfred Kiper, MP in the German Bundestag. He is also member of the board of FIfF. Contact: Ingo Ruhmann, Büro Manuel Kiper MdB, Bundeshaus HT 404, D-53113 Bonn; Tel: +49/228 1681547; Fax: +49/228 1686515; E-mail: email@example.com