In 2018, the Bundesverband IT-Sicherheit e.V. (TeleTrusT) filed a constitutional complaint against the use of “state Trojans”, which was legalised by law. By decision of 17 April 2023, the Federal Constitutional Court did not accept the constitutional complaint for decision. TeleTrusT criticises the non-acceptance in a statement.
In accordance with the resolution of the TeleTrusT general meeting 2017, the Bundesverband IT-Sicherheit e.V. (TeleTrusT), represented by Prof. Dr. Norbert Pohlmann, RA Karsten U. Bartels LL.M. and Dr. Holger Mühlbauer as formal complainants, filed a constitutional complaint on 19 April 2018 against the “Act on the More Effective and Practicable Organisation of Criminal Proceedings”, which had been passed by the German Bundestag and had come into force. The complaint was directed at the provisions by which the legislature expanded the legal basis for source telecommunication surveillance (source TKÜ) and online searches and restricted the fundamental right to secrecy of telecommunications, and at the use of so-called “state Trojans”, which the Act legalised.
After several years of proceedings, the Federal Constitutional Court, by decision of 17 April 2023 (file nos. 176/23 or 178/23), did not accept the constitutional complaint for decision. The Bundesverband IT-Sicherheit (TeleTrusT) comments on and criticises the non-acceptance.
The measures objected to in the constitutional complaint, which appear not only in the Code of Criminal Procedure but also in a large number of police and intelligence service laws, depend on unpatched security vulnerabilities to get surveillance software onto a target system. Their introduction therefore created a fundamental conflict of objectives between the state’s interest in keeping these dangerous security gaps open and the general public’s interest in the greatest possible IT security, which government and state agencies have in many cases committed themselves to guaranteeing.
The constitutional complaint filed by TeleTrusT in 2018 therefore objected, among other points, in particular that the introduction of such powers would be accompanied by an unjustifiable weakening of general IT security. The argumentation was primarily based on the fundamental right to the guarantee of the confidentiality and integrity of information technology systems (“IT fundamental right”), which the Federal Constitutional Court had developed in its decision of 27 February 2008 (BVerfGE 120, 274, unconstitutionality of online searches under the North Rhine-Westphalia Constitutional Protection Act), one of its first rulings on the subject of online searches. TeleTrusT’s constitutional complaint made two core statements in this regard:
Firstly, this fundamental right is not exhausted in offering individual affected persons a defensive shield against disproportionate encroachments on their digital privacy, but also includes an active duty of the state to protect and guarantee the IT security of the population. This question was the subject of legal debates at the time and had not yet been answered by case law.
Secondly, the legislator violates this duty to protect if it provides its authorities with surveillance powers whose exercise requires exploiting security vulnerabilities, keeping them open and possibly even buying them on the black or grey market, instead of reporting them as quickly as possible to the manufacturers so that they can be closed. In this way, efforts to improve IT security are thwarted.
In its decision of 17 April 2023, the Federal Constitutional Court, through the 2nd Chamber of the First Senate, did not accept the constitutional complaint filed by TeleTrusT in 2018 for decision. In view of the developments since 2018, this cannot come as a complete surprise, but it is nevertheless disappointing for several reasons. In its succinct reasoning, the decision makes observations on two points that are often found in the rejection of complaints against surveillance powers:
Firstly, the complainants could not show that their fundamental rights were affected by the laws themselves. This concerns a fundamental problem of legal protection against surveillance powers. Citizens are generally required to challenge the concrete encroachment, in this case, for example, an online search directed at them, rather than the law itself. However, since the measure takes place secretly, those affected do not know that or how they are actually affected. A complaint directed against the law itself is therefore admissible only if it can be shown that one will be affected by such a measure in the future with some probability. The complainant must thus explain why he or she could be targeted by the measure, even though that decision lies solely with the authorised authorities and will only be taken in the future. This makes it fundamentally difficult to successfully challenge such surveillance powers.
Secondly, the decision refers to the Court’s more recent decisions of the last two years, according to which an active duty to protect does exist, but it is not the Court’s responsibility to determine the extent to which the existing legal framework satisfies it. In this context the decision also raises the question of whether the state’s duty to protect could possibly be satisfied within the framework of a data protection impact assessment. As in the previous decisions, this reference shows an improper conflation of distinct legal obligations and their areas of application. A data protection impact assessment concerns the processing of personal data; it does not constitute a sufficient protection mechanism, in the sense of an IT-security protection obligation, against the exploitation of security vulnerabilities.
Admittedly, the current decision is also partly a consequence of the developments since 2018 and the discursive and legal success of the argumentation presented. At the same time, it should be noted: The confrontation with the obviously inadequate state vulnerability management and the fact that powers to use “state Trojans” were introduced without taking into account the dangers for general IT security created by this must no longer be postponed.
RA Karsten U. Bartels LL.M., HK2 RAe and TeleTrusT Vice-Chairman, comments: “Not accepting the constitutional complaint for decision is disappointing in several ways. The Federal Constitutional Court not only deals with the complainants’ concerns in an overly abbreviated manner. It also avoids the overdue question of how the state is to protect IT security in concrete terms – or at least not to undermine it. The effects of state Trojans seem not to be realised, and the legal role of data protection is misjudged. It is indefensible to let five years go by for this decision.”
Detailed text of the TeleTrusT statement: https://www.teletrust.de/publikationen/stellungnahmen/