Schneier on Security
A blog covering security and security technology.
« Searching for Terrorists in World of Warcraft |
| Hacking Medical Devices »
March 12, 2008
German Courts Rule on Spying in Cyberspace
The Federal Constitutional Court in Karlsruhe said cyber spying violated individuals' right to privacy and could be used only in exceptional cases.
Germany's Federal Constitutional Court has rejected provisions adopted by the State of North Rhine-Westphalia that allowed investigators to covertly search PCs online. In its ruling, the court creates a new right to confidentiality and integrity of personal data stored on IT systems; the ruling expands the current protection provided by the country's constitutional rights for telecommunications privacy and the personal right to control private information under the German constitution.
In line with an earlier ruling on censuses, the judges found that the modern digital world requires a new right, but not one which is absolute exceptions can be made if there is just cause. The judges did not feel that the blanket covert online searches that North Rhine-Westphalia's (NRW) provisions allowed fell under that category; rather, these searches were found to be a severe violation of privacy.
The court explained that strict legal provisions apply for covert online searches of PCs, as with exceptional cases of telephone tapping or other exceptions to the right to privacy. Specifically, the judges say that private PCs can only be covertly searched "if there is evidence that an important overriding right would otherwise be violated."
More articles. Commentary. And here's the ruling -- in German, of course.
Posted on March 12, 2008 at 6:18 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Finally we have a government stepping up to stop the wholesale erosion of our rights to use our own computers without being watched.
It seems this stopped a law that basically had made it legal for the government to hack your machine.
Will anyone in other countries pay attention?
Ach du lieber! I may just have to move to Deutschland. Besides, nothing beats a good Nahe spatelese.
@ Professor Katzmeow
I hate to disappoint you, but the german government went completely nuts.
The only thing protecting us from their 'anti-terror' laws is the Bundesverfassungsgericht -- the Federal Constitutional Court.
Best regards from the sunny Bavaria
Katzmeow: Don't move to here. Our politicians are getting worse with every day and lately lots of bills had to be scraped by the constitutional court. Also notice that they haven't ban the "federal trojaner" (as it is called over here) completely but left loopholes which our crooky politicians are surely about to exploit. The post-9/11, terrorism and muslim paranoia over here is not as bad as in the US but its going in the same direction. In fact lots of germans are considering emigration due to the situation getting bad and better every day.
@jessetrucks: It is not the government, it is the "Bundesverfassungsgericht", the court that decides if a law conforms to the constitution (a bit like the Supreme Court in the US). The government itself badly wants to spy on "terrorist's" computers.
And the hits just keep on coming. Two days ago the Federal Constitutional Court ruled on complaints against the automatic license plate recognition on German streets as defined in police laws of the states of Hessen and Schleswig-Holstein - and declared them unconstitutional in there current form and therefore void.
The next item on the court's menu will probably be "Vorratsdatenspeicherung", the pre-emptive storing of communication data enforced on internet providers by January 2008. On this a little over 34,000 (!!!) complaints were filed a few weeks ago.
The article says: "... the court creates a new right to confidentiality ..."
I am not familiar with the German constitution. Are the courts empowered to create new rights?
@ Jonny & Hans,
Thanks for letting me know the rest of the story, but very little is worse than the paranoia I see every time I ride the trains in NYC. It's like being in pre-1989 Berlin, it's just retarded. Cops and uniformed National Guardsmen and guns and dogs and even portable guard towers at the political demonstrations.
I remember your country very fondly, I lived there for 6 years. At least one thing can be said - your country learned the hard lessons of why fascism is wrong and your memories are better than many Americans in that regard.
Have a nice cold spatelese for me, gentlemen. Best wishes.
@Andy: No, it cannot create new rights. The court only interpreted the existing rights in a new way. It did this once in 1983 when interpreting the right to "Menschenwürde" (human dignity) and the "allgemeines Persönlichkeitsrecht" (the right to privacy, among others) into a "Grundrecht auf informationelle Selbstbestimmung" (right to informational self-determination).
@Katzmeow: "your country learned the hard lessons of why fascism is wrong".
Well, it learned it because the old Nazis simply died of old age. The "Entnazifizierung" (de-nazification) was not performed thoroughly, and it was easy for Nazis to get whitewashed. Most were not punished in any way.
Also, even though post-war germany was not fascist, it was not free, either: I.e. communists and gays were persecuted (the latter according to §175 of the penal code, which the Bundesverfassungsgericht upheld in 1957).
Germany still is not free, i.e. concerning drugs. But then again, western drug policy is completely incompatible with freedom.
 Referring in its ruling to the "insatiable sexual need of the homosexual man"
And to to a double strike, the german Federal Constitutional Court banned ubiquitous automated car plate scanning (and crosschecking with the police databases).
Third strike will follow suit when the EU-initiated telecommunications data retention for six month
- your IP-adresses when connecting to the provider
- all server IPs you connect to
- all e-mail sender and adressee info
- all phone numbers you call
- your position when usind a cellphone
will be smashed too.
Only problem: the politician don't care, they just say: "oh, the law we just made complies to the judgement" whether this is true or not
Replace: And to to a double strike
with: And to do a double strike
Yes, interesting rulings.
It will get massively more interesting, however, as soon as German Federal Constitutional Court rulings begin to clash with a newly established European Union post-ratification of the Lisbon Treaty. Among other things that treaty expressly states that EU laws are superior to national laws and the highest legal authority in the lands will be the European Court of Justice, which just so happens to be affiliated with the EU and staffed with pro-federalists.
What, then, about rulings by a German court that run counter to EU policy?
So, beware of planning to move to Germany. The Lisbon Treaty is coming, like it or not, no one is being asked and those who are (the Irish) won't be allowed to derail the process. The European Parliament already declared it won't respect the outcome of the Irish referendum (Mendez de Vigo/Corbett Report, Amendment 32, voted down on 20th February, 2008).
Europe isn't for the fainthearted and certainly not for democrats, nevermind privacy advocates. There is already talk of an EU-wide DNA database.
as is, the new ruling can easily be amended and subverted by the government in germany.
My personal guesstimate is two to three years tops, and internet surveillance, the "bundestrojaner" will be commonplace over here.
Kudos to the state that wants you to register with local police before you sleep in their town.
What banana republic promotion forum is this?
@CL: I once read a comment of a judge at the german constitutional court in the sense that the german constitution ranks higher than EU rulings.
Reason - in my personal understanding : the "EU government" (which equals basically a round table of the head of governments of the EU countries) has no democratic legitimisation. Simply because the EU government as a whole is not elected by the people(s) which are subject to the ruling.
In short: German federal court will be happy to decide over and if necessary stop Lisbon treaty as soon as someone files a lawsuit about it ...
Residues of the nazi times.
That would be the GAU (grösster anzunehmender Unfall) for the EU reputation in germany.
Always remeber: the EU is driven by the local governments, the german government is one of the most powerfull and german politians still fear the people.
So ruling contrary to the german federal court which has topmost reputation would be seppuku.
@Andy: "I am not familiar with the German constitution. Are the courts empowered to create new rights?"
No, not as such. The court ruled that the existing basic rights imply a right for the confidentiality of your computer.
Therefore, the right is not really "new", is has always been there.
The law was not declared unconstitutional because it violates the newly created right, but rather it violates the basic right to "human dignity" (Article 1 of the german constitution).
@triglidae: I think from a legal perspective right now it is not entirely clear which court ranks higher. After Lisbon, however, the legal situation will be in favour of the EU. What might that mean? I don't know.
Remember that women have been allowed into the Bundeswehr after a European Court of Justice ruling that contradicted and overruled a ruling of the Federal Constitutional Court a few years ago. So at least one precedence has been set and even without Lisbon provisions.
As for your reasoning, yes, the EU has hardly any democratic legitimisation. Whatever it may have had it will lose after ratification of Lisbon and its effective refounding. However, you seem to think of the EU as some kind of "intergovernmental" institution. That is not even true today and certainly after Lisbon it will have a legal personality of its own defined as superior to that of nation states. The rules of the game will fundamentally change. It IS a constitutional treaty after all, as Merkel and Giscard d'Estaing have said themselves. Expect the legal landscape to reflect that change and what else can lawyers do except use the legal framework they are given?
@TheDoctor: Yes, once the realisation that loss of sovereignty actually means loss of control hits the German public, there will be a tremendous outcry. It is long overdue. Will it change anything? I doubt that is possible, unless it makes Germany withdraw from the EU, which won't happen. Anything less will require acquiescence sooner or later to the majority decisions of countries that are less keen on privacy protection than German judges.
Remember that it was Germany that revived and pushed the EU Constitution during its presidency. German politicians are not going to sabotage their greatest EU "achievement" to date, especially not for something like "privacy laws.
I am not hopeful. Realisation of what exactly is going on and its ramifications, if it happens at all, will come too late to most Germans. The price for a principled stance will likely seem too high.
@CL: The European Court of Justice did not really overrule the German Federal Constitutional Court. The European court of Justice simply ruled that a section in the German constitution violated European law, and therefore, Germany was obliged to change its constitution (which it did). In addition, the German Federal Constitutional Court decided not to check European regulations for a breach of basic rights, as long as the European Community maintained a standard of basic rights similar to the one of the German constitution.
In a way, you could therefore conclude that the European Court of Justice ranks higher. However, I think this is not entirely true.
The German Federal Constitutional Court interprets the German constitution, which is binding for all German legislative bodies, authorities and courts. The European Court of Justice may rule that Germany has to change its constitution. But even then, a 2/3 majority has to be found in parliament for this change of the constitution (this is likely to happen, but still, the court decision would not have an immediate effect). Moreover, there are parts of the German constitution that may not be changed at all - and this includes article 1, on which the privacy-related rulings by the Federal Constitutional Court are based (together with article 2).
@Christoph, thank you for your take on this.
I think you summarised the current legal situation very well (as far as I can tell but I am no lawyer).
What you didn't seem to acknowledge is that the legal framework of all European countries will change fundamentally very soon (2009 probably) when the Lisbon treaty comes into force.
Basically, the EU we know now is not the same as the EU that will be, especially legally.
The new EU will actually be (or be so close as to be almost indistinguishable from) a new state. Note that instead of notional or honourary EU citizenship, we will then move to actual dual citizenship as per Article 8 of the Lisbon Treaty: "Citizenship of the Union shall be additional to national citizenship ...". If the new EU was no state-like legal entity, how could it bestow citizenship? There are many other indications for statehood as well.
This creates a very, very serious legal dilemma that is entirely new: the German Federal Constitutional Court judges will have to take into consideration in the future that Germany is de facto a member state of a new federal state. If they accept this reality, they will also have to accept that EU law truly is/has to be superior "to all forms of national law", including the German constitution. If they don't accept that... I'm sure there will be an extremely serious politico-legal crisis in Germany and the EU that could drag on for a decade at least.
How it would end... who knows.
Fact of the present situation is, however, that ratification of the Lisbon treaty is essentially guaranteed. I would be very happy if it wasn't but it was explicitly designed to avoid the fate of its predecessor and there will be no referenda. Except the referendum in Ireland, I know, but the EU already made clear it will disrespect the outcome if necessary (de Vigo/Corbett Amendment 32 voted down as I mentioned above).
With the Lisbon treaty in force soon-ish, that in turn means that German Federal Constitutional Court rulings are BY FAR not as definitive as their judges and the German people expect or might want them to be. That in turn will almost certainly affect the recent computer privacy rulings. There can be no legal certainty about this for, I would say, at least another 10-15 years or even more.
I do apologise for this long post but, in my defence, the issues are quite complex.
@CL: I agree this is a complex issue. I should tell you that I am not a lawyer, either. I have taken law courses at my university, and I think I am quite well-informed about information law, especially concerning privacy. European law, on the other hand, is very complex, so I only have a superficial idea about how things work in the EU.
However, it is my understanding that when the German constitution explicitly forbids changing principles like those laid down in its articles 1 and 20, they cannot be changed using a (legal) backdoor like the EU - at least not without giving up the nation state itself. In other word: I think signing the treaty would be unconstitutional if it harmed these rights. In addition, I have read some comments stating that the Lisbon Treaty was far from an actual constitution. I have not read the treaty itself, so I cannot judge if this is true. But there are so many countries involved of which I am quite certain that they would not sacrifice their national identities to the European Union.
Just my 2 cents, and honestly: I hope I am right, because my view seems to be the more optimistic one :-) But as I said, I am not an expert in European treaties.
I wish I could share your optimism. A few semesters of studying the EU (not at a German university) prevent me from doing so, however.
Allow me to share three quotes with you:
"The substance of the constitution is preserved. That is a fact." Angela Merkel, European Parliament, 27th June 2007.
"The good thing about not calling it a Constitution is that no one can ask for a referendum on it." Giuliano Amato, former Italian prime minister and vice-chairman of the Convention that drew up the EU Constitution, London School of Economics, 20th February 2007.
"In terms of content, the proposals remain largely unchanged, they are simply presented in a different way. [...] The reason is that the new text could not look too much like a constitutional treaty [so EU governments agreed on] cosmetic changes to the constitution to make it easier to swallow." Valery Giscard d'Estaing, former French President, chairman of the Convention that drew up the EU Constitution, addressing the Constitutional Affairs Committee in the European Parliament in Brussels, 17th July 2007.
It matters little. The German parliament even ratified the thing when it was actually called "EU Constitution". It will undoubtedly do so again.
If you feel ever so slightly uncomfortable when you receive your dual citizenship without anyone ever asking for your input (or giving you a choice) on that... tough. Welcome to 21st century democracy in Europe.
("Citizenship of the Union shall be additional to national citizenship...", Treaty of Lisbon, 2007/C 306/01, p. 14. It used to be notional and "complementary" previously, this is legal.)
Oh, how I could wish I could share your optimism for just a little while. I might even be able to read the news again.
Please allow me a comment from a more formal point of view (driving the discussion still more off topic, sorry for that) regarding the Lisbon Treaty and its potential role as a European Constitution: If that Treaty is to replace the national Constitutions, and thus creating some kind of "European nation", from my point of view it would be simply unconstitutional for a parliament to ratify it, because only we, the people, can ever issue a new Constitution. Neither a parliament can, nor some council of ministers. They simply don't have the legitimation to do so. Additionally, I think that this is true in general, not only if the Treaty harms any of the articles 1 to 20 of the German Constitution. (For those of you who understand German I'd like to refer you to the name of Prof. Schachtschneider concerning this topic, whose lecture on the European Union and its "democratic" legimitation can be found on YouTube and possibly other video platforms on the net.)
But slightly BTT: I'd additionally like to express my serious resentment about those silly German politicians who didn't even refrain from calling this ruling an affirmation (braindead as one can be) of their opinion that online searches of computers were in accordance with the Constitution, just because the Constitutional Court left open a few narrow loopholes where this means of law enforcement might be admissible. However, most commentators consistently say that the opposite was true and that online searching of computers might even be virtually impossible in the future. I still hope that politicians will finally realize this and act accordingly, but I'm not too optimistic here, given the fact that the Constitutional Court has torn a significant number of federal laws to tatters in the last years but the politicians didn't seem to care at all.
I think part one and two of your post are actually connected. First, you accurately observe that the Bundestag has no right to approve a European Constitution. Then you observe that German politicians for no discernible reason whatsoever fail to understand the pretty clear ruling of the German Federal Constitutional Court.
I'd like to point out two things:
a) With a nigh unreadable Lisbon Treaty and far more complex legal issues at stake there, would you honestly be surprised if most politicians have absolutely no understanding of what they are going to ratify whatsoever?
b) Even IF they did (which I am absolutely sure they don't), what exactly makes you think that it would matter? The Bundestag already approved the EU Constitution before the French and Dutch referenda in 2005 derailed the process. No one cried foul then, who would now and based on what argument? The German constitution also has no explicit provision for a mechanism of referenda on anything. The old Basic Law even stipulated that a new, properly named constitution be drawn up if Germany was ever to be reunited. You know that never happened either. Would it actually be "customary law" in Germany to get a referendum on any kind of constitution? Can you think of a single one in which that happened? Why would it now in much more legally obfuscated circumstances?
By the way, the British Parliament ratified the Lisbon Treaty yesterday. Brown even explicitly promised British voters a referendum at the last election, which is something not a single German politician has ever done. But even the British didn't get one.
If telling yourself that very major legal changes cannot really be happening without anyone asking you for your approval comforts you, by all means, keep doing that. If you additionally think that some court somewhere will be willing and able to defend what you believe are your democratic rights, even better. I cannot bring myself to believe any of that anymore.
One question: since politicians and the EU are most obviously happy to ride roughshod over constitutional issues and democratic principles, what chance, do you think, stand privacy laws?
@CL: In general, I share your concern. Nevertheless I HOPE that it will rule out different.
The "Vorratsdatenspeicherung" will be a substantial test on that issue. The demand for it comes clearly from the EU and secretary of justice Zypries follows the opinion that this overules even the federal court (there was a small SPD workshop in Darmstadt, open to the public, where I heard this opinion directly from her mouth).
If the federal court bans it now, things get interesting.
Actually as I understand it, the federal court might take the case of the "Vorratsdatenspeicherung" as a reason to decide if and to which degree EU law is able to override German law, at least to my understanding that was why there was a lengthy discussion about which "chamber" of the court takes this on.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.