National elections in September 2017. All things come to a halt; political attention is directed towards campaigning. Not so in Germany these days. In a flurry of decisions, Germany has been busy shaping a comprehensive digital agenda — with an increasing number of global implications.
So what happened?
A. Shaping debates, internationally
In 2017, Germany held the presidency of the G20 and decided to place particular emphasis on digitisation, including hosting the first ever meeting of G20 Digital Ministers in April this year. With the adoption of a roadmap for the digital economy and the acknowledgement of recommendations to increase consumer protection, the government has managed to earmark political commitments to shape our digital futures. While the continuation of this path within the G20 will depend on the upcoming Argentine presidency, the German government moved on to put yet another marker in place: On July 19, it carried the motion to apply for hosting the Internet Governance Forum 2019 in Berlin. Mandated by the UN, this annual gathering of the digital rights and net governance community offers host countries the opportunity to showcase progress and display global leadership on digital topics. A successful application would require significant investments from the German government — a clear commitment to keep digital issues high on the agenda regardless of which party wins the upcoming election.
B. Making decisions, domestically
Aside from such deliberate global aspirations, the governing coalition (Christian Democrats, CDU/CSU, and Social Democrats, SPD) has stepped up domestic regulatory efforts — receiving widespread criticism on the one hand and inspiring copycat regulation on the other.
The first controversial bill, which was immediately copied and adopted by the Russian Duma and also very likely influenced the guidelines published by the Kenyan Communications Authority, deals with fighting hate speech on social media: The NetzDG.
The NetzDG (Netzwerkdurchsetzungsgesetz, i.e. network enforcement law) was adopted by the German parliament (Bundestag) on June 30 in a surprisingly fast procedure — and no doubt in an effort to display political will and enforcement power (elections…). It will enter into force on October 1, 2017.
The main stipulations are:
- Social media platforms with more than 2 million registered users are required to delete “evidently unlawful” content within 24 hours of being flagged. (NB: it is not clear whether users have to be German or based in Germany; and social media platforms have been specified as arenas for [public] communication and deliberation, excluding web hosting services, information portals or sales platforms.)
- Where the decision is not “evident”, operators have up to seven days to assess the content.
- They can take longer if users are asked to weigh in, or if they pass the decision onto a joint industry body (“regulated self-regulatory body”).
- Platforms that receive more than 100 complaints (incl. flagged content) must publish a bi-annual report in German on how they deal with such complaints.
- Platforms meeting the threshold criteria must establish a point of contact within Germany to facilitate contact with government authorities [incl. for law enforcement purposes] and illicit content has to be stored within EU territory for 10 weeks to allow for investigation.
- If platforms consistently fail to comply with these requirements, they face fines of up to €50 million.
The law has been widely criticised as misguided, including by UN Special Rapporteur David Kaye, the Research Services of the Bundestag, and unconventional coalitions such as the Alliance on the Freedom of Expression, which brings together the Chaos Communication Club and a range of NGOs with leading business players and the industry association Bitkom. In most commentaries, the main concerns relate to the privatisation of enforcement of existing laws on hate speech, defamation and incitement to violence as well as to the threat of over-blocking content (and hence disproportionately censoring) to avoid penalties.
The second controversial bill addresses the issue of government hacking. The law that extends the use of “state trojans” (Staatstrojaner) consists of two main authorities: online search and source tapping.
The German Criminal Code (StPO) that includes the authorities for online search and source tapping (Online-Durchsuchung und Quellen-TKÜ) was amended on June 22. The governing coalition added the amendment to a regular review within the Legal Committee with only minimal notice (2 days) to the Bundestag. Since this is an amendment, the changes automatically enter into force two days after their official publication.
Both authorities were adopted in 2009; until now, however, they were strictly limited to the prevention of terrorist attacks. What is more, the online search authority has been under scrutiny from the German Constitutional Court that set strict boundaries for its use, thereby establishing the basic right to the integrity and confidentiality of IT systems (2008, reasoning cf. 170ff — this is absolutely worth a read with a view to the right to privacy in the digital age). On the basis of that, it has been deployed fewer than 10 times so far.
Notwithstanding the strict boundaries and already existing concerns, the newly adopted amendments include:
- All law enforcement agencies are now empowered to use both authorities for a much broader set of criminal investigations, including tax evasion, drug trafficking, and fraud (list of cases).
- The online search authority empowers agencies to not only covertly search a suspect’s device remotely (i.e. install a Staatstrojaner) but also to obtain a copy of its hard drive for further examination. (NB: Contrary to a regular search warrant and the confiscation of devices, or wire tapping to monitor presently ongoing communications, online search is designed to happen covertly, over longer periods of time and with access to all sorts of content. It is deemed highly intrusive and must only be used to “prevent imminent danger to subjects of paramount importance.”)
- The source tapping authority, which originally allowed for the monitoring of online phone conversations (i.e. VoIP), now specifically allows agencies to access encrypted content, e.g. on messenger apps like WhatsApp, for investigatory purposes i.a. by monitoring content before it is encrypted. (NB: This has traditionally been considered less invasive and was used around 32k times since 2009, yet, the use and impact of intrusion software on the integrity of IT systems has certainly blurred the lines to online search.)
- The source tapping authority also explicitly grants agencies access to all data on the device, not just its presently ongoing communication (blurring the lines even further).
To no surprise, this has been heavily criticised and was also widely covered by mainstream media (cf. Zeit, SZ, Spiegel, Heise), pointing to a range of issues and questioning the constitutionality of the authorities. Among the main concerns are the unreasonable list of possible offenses; the retroactive search of devices that goes way beyond mere ongoing communication (and hence fails the comparison to classical wire tapping); and the lack of a clear vulnerabilities management process. Yet, it has already influenced legislation in Austria.
And what does that mean?
The combination of a genuine effort to insert leadership in global debates and the hasty need to display strength and political will in anticipation of upcoming elections might trigger a lot more unintended — and undesired — consequences than the German government anticipated.
Germany’s aspirations might be laudable with a view to promoting rights-based frameworks globally, but they also increase international attention on its domestic efforts. Hence, if these fail to address the problem adequately, lack sufficient safeguards, or tip the scales disproportionately — this can easily, and very quickly, have severe consequences in other jurisdictions. Notably, if these jurisdictions don’t have equally strong human rights traditions or the political and judicial means to challenge and correct misguided legislation, national laws might well trump global aspirations.
Take hate speech. As of now, we see copycat efforts across the board: Russia and Kenya have already put similar measures in place; hate speech regulations in France and the UK are under discussion; and chances are that, if challenged, countries like the Philippines and Venezuela might simply argue that their regulatory measures were inspired by best practice examples, such as that of (global agenda-setter?) Germany. Neither the privatisation of law enforcement, nor the threat of censorship, nor the potential risk to dissidents, minorities, and other vulnerable entities are addressed under these circumstances.
As for government hacking, let’s just say, the number of countries that share Germany’s support for strong encryption and respect anonymity as an enabler for human rights is small. By extending the use of state-sponsored spyware to a vast array of criminal offenses, we move far away from hacking as a last resort. Not only does this affect the integrity of targeted systems, it undermines security for all.
The lack of a sensible vulnerabilities management process, for example, leaves all systems exploitable — and not just for a “benevolent” government. Germany’s own failure to adequately staff and clarify the roles of a dedicated agency (“Zitis”) to handle “lawful” access can, at this stage, hardly serve as a best case example.
If we match this with the global agenda pursued within the G20, it is not only the current situation in Turkey that raises concerns that the scales might just as well tip towards the very low end of proportionality. Without clear procedures with strict legal safeguards, judiciary oversight and a technically sound vulnerabilities management process, Germany’s global digital agenda might end up undermining rather than promoting a rights-based framework for the digital society.
Germany’s Digital Agenda 2014–2017: https://www.digitale-agenda.de/Webs/DA/DE/Home/home_node.html and its review on progress: https://www.bundesregierung.de/Content/DE/Artikel/2017/04/2017-04-26-digitale-agenda.html
Study on government hacking by the European Parliament: http://www.europarl.europa.eu/RegData/etudes/STUD/2017/583137/IPOL_STU(2017)583137_EN.pdf