Posteo Transparency report

In 2014, Posteo was the first German telecommunications provider to publish a transparency report about requests made by law enforcement agencies. Back then, we had first asked for a legal opinion to clarify the legal possibility of reports of that kind in Germany. Hans-Christian Ströbele, member of the German Parliament, additionally submitted a parliamentary question to the federal government about this topic.
Read more about our proposal here.

Our goal: To establish transparency reports in Germany.
Almost four years later we are now taking stock: Since then, some providers have started to publish their own reports. Many German companies, however, still do not publish numbers of requests by authorities. Several telecommunication services did not continue to publish their numbers after the year 2015. Furthermore, the information provided in the available reports often does not create transparency: Transparency is achieved when providers state the number of requests regarding different types of data. And: How often data was subsequently released to authorities. Unfortunately, only one number is mentioned in most reports: Either the number of requests or the number of releases. This is not transparent. In this way, users do not get to know how a company handles these requests. Nor how many requests were illegal. If the number of releases is missing, users cannot identify which information about them actually exists at the provider.

We therefore think that transparency needs an obligatory agreement: We wish for transparency reports and their specific form to become mandatory by law for German telecommunications providers. Transparency is only achieved if the reports supply informative statements.

Support by former Minister for Consumer Protection Renate Künast

Also Renate Künast (MdB), former Minister for Consumer Protection and up to now chairwoman of the Parliamentary Committee on Legal Affairs and Consumer Protection, regards informative transparency reports as an undeniable right of every consumer: "Transparency reports are a manifestation of the consumers' informational self-determination. We are entitled to meaningful transparency reports!" (transl.)

Our claims for such a regulation, from our experience, are:

For each type of data (e.g. for traffic data, user information, content data), at least two values should have to be provided:

• How often and in which context (for example requests for traffic data, manual and automatic requests for user data, seizures or TKÜ) authorities have requested data.
• How often the respective data types have actually been released subsequently. (e.g. traffic data, user information, content data in the context of seizures or TKÜ)

Further proposals by Posteo for obligatory transparency regulations:

• Telecommunications providers should also be obliged to transparently document all requests from intelligence services in their reports.
• The rate of requests that were formally incorrect should be listed as well. This statistical feedback would be valuable for the legislators, the privacy officers and other protagonists in society. At Posteo, the rate of illegal requests is at around 50 per cent, which is why we see an urgent need for action in this matter.
• To ensure ideal comparability, the companies' reports should also be published in an open data format so that they can be statistically processed.

In the previous years, surveillance laws in Germany have been gradually extended. In our view, instruments are missing that would in return strengthen the democratic control of these laws. Mandatory transparency reports can contribute to that. After having observed the development for four years, we now put forward this proposal.

1. Massive security problems in the practice of requests for information under § 113 TKG

In the practice of requests for information under § 113 TKG there are serious security problems. Requests for user information under § 113 TKG contain sensitive personal information. From police authorities, we mostly receive email addresses or names that are specified in connection with a concrete criminal charge. Sometimes the requests even contain a person’s complete bank or payment details. Posteo frequently receives such requests for user information.

Investigative authorities are legally required by the BDSG (among other things) [translation] to ensure that personal data can not be read, copied, changed or deleted in an unauthorised manner under electronic transfer, during its transport or saving to a data storage medium. (BDSG, Addendum, sentence 4)

Illegal, insecure transfer of sensitive data

Many requests under § 113 TKG reach us via email and were transmitted to us insecurely or unencrypted. This procedure violates valid privacy provisions and is illegal. (See BDSG § 9, Anlage, sentences 4 and 8 as well as the respective rules on “technisch-organisatorischen Maßnahmen” of the Landesdatenschutzgesetze, among others). If requests are transferred unencrypted, they can easily end up in the hands of data thieves on their way over the internet.

Many requests under § 113 TKG exhibit additional deficiencies that also violate privacy provisions or other laws. Some examples include:

• Sending police requests to our customer support rather than the people responsible (anti-abuse team)
• Use of non-work email accounts to transfer requests, providing such accounts as a reply address
• Requests for information and data, the release of which is not permitted under § 113 TKG, e.g. traffic data such as IP addresses
• Failure to provide a secure method to reply
• Failure to provide a legal basis for the enquiry (required by law)

Gallery 1: Examples of insecurely transferred requests from authorities

• 
• 
• 
• 
• 
• 
• 
• 

The problem is known to privacy officers

A large proportion of requests under § 113 TKG reach us in this way (by unencrypted email). Fax is seldom used by authorities (2013-2016), and only one single request has reached us so far by post. Occasionally, we also receive requests by email with an unencrypted document attached that is incorrectly marked "Telefax-Nachricht" (Telefax message). In January 2015, we first made complaints with the responsible privacy officers for the respective German federal states about the insecure transfer of sensitive data by police authorities. The responses from the privacy groups were unambiguous: the problem of insecure transfer of sensitive data by police authorities is known and remains an occasion for conversations and controls. The replies prove that insecure sending of sensitive information by police authorities is a topic requiring urgent action.
Here is what the privacy officer for North Rhine-Westphalia wrote to us:

[translation] Regarding the MIK NRW we have repeatedly advised that requests in investigative processes should in principle occur by post or in justified cases by fax. If a request by email is required in an exceptional case, either the message itself must be encrypted or as a minimum the transfer of personal information must occur in an encrypted attachment. I will treat your request as an occasion to raise this topic again with the MIK NRW to work towards a privacy-legitimate configuration of police investigations.

(Complete response in German: see gallery 2, below)

The Bavarian privacy officer informed us:

[translation] Since the transfer of personal information in unencrypted emails by the police continues to be an occasion for checks in terms of data-protection law, I have already concerned myself with this topic within my professional duties on multiple occasions. (…) I can assure you that I also regularly debate this topic independently of my concrete controls of the responsible police positions. I am currently in contact with the Bavarian State Office of Criminal Investigation to check the configuration of the retrieval process used there with telecommunications services.

(Complete response in German: see gallery 2, below)

The Mecklenburg privacy officers were also active:

[translation] I have contacted the affected service post and referred to their implementation of privacy measures, so that in future requests under § 113 TKG arrive by secure means and the rights of the party involved are not violated. I have also made the Ministry for Internal Affairs and Sport of Mecklenburg-Vorpommern aware of this grievance. The Ministry (…) assured me that it would again sensitise the officers to the correct handling of personal data and surveillance (TKÜ) requests under § 113 TKG.

(Complete response in German: see gallery 2, below)

The Saxon privacy officers even set the police president an ultimatum:

[translation] We absolutely support your concern. I therefore today sent a letter to the Saxon police president with a request to redress this, and asked him to tell us by the 15th of April 2015 which remedies he has put in place.

Complete response in German: see gallery 2, below)

The privacy officers’ responses prove that unencrypted requests are a known problem to them. If it is common practice for police authorities to send sensitive information unencrypted via the internet (for example regarding requests under § 113 TKG), then it is not only a problem in terms of privacy: it is also illegal and possibly endangers current investigations. Data thieves can thereby easily access the requests or the authorities’ communication.

In some cases, we have experienced the bureaucracy as being very cumbersome. In response to one case, the Berlin privacy officer replied to us five months later, as follows: [translation] Unfortunately, the matter can not yet be conclusively resolved.

Some months earlier, he had notified us in writing that he had asked the police for information on current guidelines for requests for information and the sending of personal information.

In conclusion: we assume that total, nationwide security problems exist in the practice of manual requests for user information (under § 113 TKG). At Posteo, in any case, not a single request was received from police authorities by email that was encrypted and thereby conformed to the legal requirements for secure transfer.

Responses from the privacy officers have confirmed to us that we are not the only ones affected.

Gallery 2: Responses from the federal state privacy officers (in German)

• 
• 
• 
• 
• 
• 

Complaints do not lead to remedies

Unfortunately, our complaints have not yet led to any remedies. During 2015 and 2016, all requests that arrived with us via email were transferred insecurely, including from German federal states where the federal state privacy officer appeared particularly engaged. We are therefore asking ourselves how remedies can be achieved. If officers are not sufficiently schooled in secure ways of dealing with data and IT engineering, this constitutes a fundamental security problem in the police’s work.

We will continue to give the privacy officers regular practical feedback and inform them of every unencrypted transfer of a request that reaches us.

As we see it, the security of the process in practice is currently not guaranteed. We therefore engaged politics. Ultimately, however, it is not the provider’s task to check if the dealings of authorities are legal or to work towards this. The state itself needs to achieve and ensure that. In July 2015 at an appointment in the Posteo lab we gave Thomas Oppermann, chairman of the SPD fraction, a statement on this. Oppermann then wrote to Federal Minister of the Interior, Thomas de Maiziere. In his reply to Thomas Oppermann, the minister admitted to braches of the law in the practice. He explained, however, that the BKA would only desire user information in plain text if no encryption was possible for the email communication with a provider or if it did not support the methods used by the police authority. These statements by the minister are remarkable. He clearly considers breaches of the law to be justified in some circumstances. In addition, his statements do not apply: we provide the keys required for secure communication on our website, for example. Encrypted communication with us is unquestionably possible. Nonetheless we have received multiple requests from the BKA that were all transferred unencrypted. Every insecure transfer is a breach of the Federal Data Protection Act (BDSG). Criminal investigators must ensure that personal data can not be read, copied, changed or removed in an unauthorised manner during its electronic transfer, transport or saving to data storage. If a provider does not offer any possibility for encrypted communication, then fax or the post is to be used. The security of authorities’ communication must urgently be improved – otherwise, data thieves and hackers can easily obtain it.

2. Prohibited requests for dynamic IP addresses

In introducing the next problem area that we see in the practice of requests under § 113 TKG, we remain in political territory. In January 2013, SPD representative Burkhard Lischka directed a written enquiry to the German government. He asked whether it was known to the government,

[translation] that in practice, countless requests for the release of information under § 113 TKG have as their object the release of data that is not user information (e.g. log files, dynamic IP addresses, (…).

Questions to the government, from p7, q12, 13, 14 (in German)

He added: [translation] If so, which authorities conduct this illegal practice and what is the government doing to stop it?

The background to his question is that a few months earlier, BITKOM made the German parliament’s judiciary committee aware of grievances in requests for user information, in a statement:

[translation] In practice, countless requests for information under § 113 TKG are known that involve the release of data that does not constitute user information (e.g. log files, IP addresses, date and time of the last access to an account, addresses with other providers of the individual concerned, the identity of authorities that had already requested the same user information, etc). It therefore follows that providers already have to deal with countless requests that serve investigations and go far beyond the regularly content of the norm.

BITKOM statement from 17th October 2012 (in German)

To summarise, BITKOM objected that authorities making requests for user information (under § 113 TKG) frequently request information whose release in response to such requests is absolutely not lawful. For requests under § 113 TKG for which no judicial ruling exists, authorities can only request user information – approximately only names and addresses, and not dynamic IP addresses or log files. These highly-sensitive traffic data are governed by secrecy of telecommunications (Fernmeldegeheimnis) and can only be released at the directive of a judge.

In its reply on the 28th of January 2013, the German government dismissed BITKOM’s statements as “allegations”:

[translation] The government is – aside from the allegations quoted in the question of the BITKOM statement – not aware of any such cases.

Response from the German government (in German, from p7, q12, 13, 14)

The government nonetheless took the BITKOM accusations as an occasion to question various investigative authorities. And they stated:

[translation] The results of the interrogation did not provide any evidence of illegal requests.

Authorities illegally request dynamic IP addresses

We hereby confirm the BITKOM “allegations”: in about 30% of all requests from police authorities that reached us in the years 2014 to 2016 concerning requests for user information under § 113 TKG, police officers illegally asked for dynamic IP addresses or the IP address of the most recent login.

To prove this, we continue to publish examples of such illegal requests (blacked out): the originals are located in writing at Posteo. In these, it is also clear that officers do not only attempt the illegal release of IP addresses, but also occasionally succeed to obtain and save these for their investigations. This is also not permissible.

Gallery 3: Examples of prohibited requests for IP addresses by authorities

• 
• 
• 
• 
• 

We find it astounding that in January 2013 the government obviously did not via BITKOM turn to the organisation where such illegal requests exist. The government would, in our view, have informed itself with the organisations and needed to reach suitable remedy measures. That it refrained from doing this, even though it was informed by a large German industry association of illegal practices by authorities, is completely incomprehensible to us. Instead, clearly only the authorities were asked and the statements from the high-tech industry association were labelled allegations. In a constitutional state, when advice of illegal practices of the executive authority exist, these should be more seriously pursued.

Government again questioned in 2015

In the summer of 2015, member of parliament Dieter Janecek (speaker on economics from the Greens fraction) again asked the government about this topic, wanting to know if they remain faithful to their assessment. In his question, the representative referred to the BITKOM statement as well as the Posteo transparency report.

The Federal Ministry of the Interior explained in its response:

[translation] The government still has no indication of any illegal requests. (…) Usually, the responsible entities for privacy controls educate senior authorities about offences against privacy regulations that have been identified. In the government’s view, proceedings beyond this are not required.

Response from the German government from 19th August 2015

Privacy officers do not respond to complaints regarding the IP address problem

Perhaps there is a communication problem between the privacy officers and the government, because in all cases in which police authorities illegally requested IP addresses, we made complaints to the respective federal state privacy officers. In their replies, none of the privacy officers responded to our complaints on this matter. Our complaints were clearly not passed on to the highest federal authorities, as is otherwise customary according to the BMI statement. Illegitimate requests for IP addresses do not constitute mere violations of privacy guidelines; requesting an IP address within a request for user information is illegal under the TKG law (Telekommunikationsgesetz). Those involved are not only federal state police authorities. We have also received such illegal requests requests from state investigative authorities.

Our conclusion: The government is clearly completely uninterested in whether illegal practices exist in requests for user information. The Federal Ministry of the Interior has remained idle for years. As such requests frequently infringe on citizens’ rights, this is irresponsible, in our view.

Contention due to the IP address problem

In cases of enquiries under § 113 TKG made to Posteo which illegally requested traffic data, situations subsequently often arose in which we were put under pressure and threatened. We always refer officials back to the valid law. We advise that we would make ourselves liable for prosecution by releasing traffic data in response to a request under § 113 TKG (see § 206 StGB) and that for the release of traffic data, a judicial ruling must exist. We explain to the officers that in a request under § 113 TKG, they can only request user information if they have an IP address on hand that is already known to them. The fact that the reverse disclosure is not allowed is often not known to officers.

Some react to this information with amazement or anger. Officers have repeatedly asserted to us that with other parties, they easily obtained IP addresses in requests under § 113 TKG. Whether this is true or was only intended to unsettle us, we don’t know. What we can prove is that police officers frequently and with great self-assurance make written requests for traffic data under § 113 TKG (see image gallery with examples). We therefore think that it is absolutely possible that the legislation on information practices is also not always observed by the obligated parties (e.g. companies).

One possible reason for this could be that the circle of parties regarding information under § 113 TKG is very large, and not restricted to telecommunications providers. Many of the obligated parties do not necessarily possess the required legal knowledge to be able to correctly identify illegal enquiries as such.

Consequence: high legal costs

Due to escalated, illegitimate demands for IP addresses, we have already incurred enormous legal costs and financial damage of a mid-range, five-figure sum, for example, to lodge protective texts with the courts, for correspondence with investigating officers, legal advice, etc. In one case, we reported investigating officers who personally sought us out in our office. The public prosecutor’s office gave our notification no weight – as our lawyers had in advance predicted would happen. The prosecution told us that our document was plainly false and ceased any proceedings against the officers without any further investigations into them. Instead, they required us to pay a fine due to “false suspicion”, which the court also approved. Posteo company director Patrik Löhr was required to pay a fine. High legal costs are accompanied by the fact that we could theoretically receive 18 EUR back from the state for the effort involved in each request for user information under § 113 TKG. We do not make use of this facility. As a privacy-oriented company we do not accept any money from authorities for requests for user information.

Requests under § 113 TKG will gain meaning with the reintroduction of data retention laws

We have shown that the security of the process is currently not guaranteed and that authorities frequently make illegal requests under § 113 TKG to Posteo for traffic data such as dynamic IP addresses. In addition, we have shown that the problem of insecure transfer is known to the respective German federal state privacy officers. Further, we indicated that the industry organisation BITKOM had in 2012 already made the government aware of countless illegal requests made under § 113 TKG.

Given the lack of process we would like to advise that the process under § 113 TKG with data retention ("Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten") will gain importance. The law will effect a large increase in the amount of data available for requests for user data.

Coveted information: internet users will be identified by requests under § 113 TKG

Via the process, authorised parties will in future far more often be able to receive information about which person a dynamic IP address was assigned to at a particular point in time. An example: an officer approaches a provider with an IP address and would like to know which person is behind the address. The provider compares the IP address with the IP data that are held in their database for data retention. This is allowed for the provider without a judicial ruling. The provider must then tell the officer which person is behind the IP address (again: not the other way around). This is very coveted information for which no judicial reservation is intended and can already be used in cases of minor breaches of the law.

We therefore assume that the number of requests under § 113 TKG and thereby also the number of insecure and illegal requests will sharply increase with the introduction of the new law. There is an additional reason for this assumption: checking IP data and the resulting release of user information can only occur via the manual disclosure process under § 113 TKG. This is not possible via the automated process under § 112 TKG.

The number of illegal requests will markedly increase

It is our view that the process under § 113 TKG with its current patent flaws in practice is in no way suitable. Today a large amount of citizens’ sensitive data is already insecurely transferred due to this process and there are countless illegal enquiries from authorities.

In addition, there are insufficient controls of the process: to our knowledge, there is no requirement in existence to keep statistics for enquiries under § 113 TKG. Thus the effect of the introduction of the law on data retention – how it concretely affects the number of requests – can not be evaluated, and the number of requests by state authorities will remain unknown to the public.

The government must act: the reintroduction of data retention must be abandoned

It is in no way acceptable that citizens’ sensitive data continue to be sent or requested insecurely over the internet by authorities, or that dynamic IP addresses governed by the secrecy of telecommunications are given out in response to simple enquiries under § 113 TKG without a judicial ruling. In our view, no new laws or guidelines can therefore be introduced that would further increase the number of illegal and insecure requests made.

We therefore demand that the government introduces measures as soon as possible that are intended to ensure that the request and transfer of sensitive citizens’ information by authorities under § 113 TKG occurs fundamentally by secure means (no proprietary solutions) and also corresponding to the legal regulations – and when it occurs by email, then exclusively by encrypted email. In addition, we demand that the government introduces measures as soon as possible that ensure that for requests for user information, no more illegal requests for traffic data or any other information that goes far beyond the norm occur.

We are of the view that there is a glaring need for processes to be adjusted in an organisational respect, so that a privacy-equitable and constitutional state conforming configuration of the disclosure process can be secured in future. For this, we suggest the introduction of reporting requirements (among other things, see the section on controls of the information process).

Until this remedy is achieved, data retention (Einführung des Gesetzes zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten) is in our view unreasonable for this reason alone, as it will in practice further increase the amount of insecure and illegitimate data transfer and the legal cracks in the disclosure process under § 113 TKG.

Independent of this, we completely and with great emphasis reject the reintroduction of data retention for countless further reasons, e.g. for privacy reasons and data security as well as due to its accompanying blanket restrictions of fundamental rights, that we do not deem reasonable. On this topic, please also read our text on the control instrument of judicial reservation, which we also criticise in this report. The law will nonetheless confront providers like Posteo with even more illegal requests and accompanying bureaucracy and legal costs in connection with requests under § 113 TKG.

In addition, we demand that the Federal Office for Information Security become liberated as an independent state authority from the business branch of the Federal Ministry of the Interior so that the BSI can be an independent contact for security questions.

Erstellt am 17. Januar 2018 11:00 Uhr

Also in 2017 we again received many requests with formal shortcomings. In total, their rate was at 42 per cent. For requests of user information, the rate of illegal requests was at 44 per cent.

From the police authorities of Saxony, Hesse, North Rhine-Westphalia, Rhineland-Palatinate, Lower Saxony, Thuringia, Berlin and Brandenburg we invariably received requests with formal deficiencies in the year 2017.

Positive development in Bavaria

One state stood out positively in 2017: In previous years, many illegal requests reached us from Bavaria. In 2017, 7 out of 8 requests were formally correct.
This might be due to the commitment of the Bavarian privacy officer who repeatedly responded to our complaints that a solution was under way.
Also from Baden-Württemberg we received more correct requests.

Unencrypted police requests keep parliament and authorities busy in Rhineland-Palatinate

Following our last transparency report for the year 2016, the SWR ("Southwest Broadcasting", a public broadcasting corporation) has taken up the topic in February of 2017 and reported on infringement by the police authority in Rhineland-Palatinate (in German). The editors had first requested evidence for infringement of the data protection act from us - and received it, too. Subsequently, the matter was dealt with by the parliament of the federated state and by the responsible ministry of internal affairs in Mainz. The opposition demanded the employment of encryption technology by the police. The ministry of internal affairs claimed that the problems originated from the use of different encryption techniques by the police and from the multitude of email providers. Furthermore, these were problems that police authorities all over Germany were confronted with. Back then, a spokesman of the ministry of internal affairs declared that new technical standards for a unified procedure for encrypted data requests was being developed in cooperation with the Federal Network Agency.

There are, in fact, already two standardised encryption methods that have been available for decades. Police stations can use these standard methods nationwide without further ado and irrespective of the provider - thus immediately complying with the guidelines of the privacy law. Three months after the debate in Rhineland-Palatinate, we again received a request for information by the local police authorities. Again through an unencrypted email containing sensitive data.

Investigative authorities are legally obliged by the BDSG(German Federal Data Protection Act), among others, to "ensure that personal data cannot be unauthorisedly copied, altered or removed during electronic transmission or during transportation or storage on storage media." (transl., BDSG, Addendum, Sentence 4)

Illegal insecure transmission of sensitive data

Many requests pursuant to § 113 TKG reach us via email - and are transmitted insecurely or unencrypted. This practice does not comply with the aforementioned current data protection provisions and is therefore illegal. (see, among others, BDSG §9, Addendum, Sentence 4 and 8, as well as the respective regulations on "technical-organisational measures" from the federal states' data protection acts). If requests are transmitted unencrypted, they can easily fall into the hands of data thieves while making their way through the internet.

Many requests pusuant to § 113 TKG show further defects in addition to that. These also constitute infringements of regulations regarding data protection or of other laws. Among them are:

• sending police requests to the customer support - and not to the responsible persons (anti-abuse team)
• the use of non-official email accounts to transmit requests and providing accounts of this kind as reply address
• requesting information and data whose release on requests pursuant to §113 TKG is not permissible, e.g. traffic data such as IP addresses
• missing indication of a safe possibility to reply
• missing indiciation of the legal basis of the request (which is required by law)

Gallery: Examples of illegal requests in the year 2017

• 
• 
• 
• 
• 
• 

Mehr Informationen zu diesem Thema finden Sie in unserem 2015 veröffentlichten Hauptartikel. Dort sind rechtswidrige Ersuchen aus den Vorjahren dokumentiert und wir legen Antworten von Datenschutzbeauftragten zu den Datenschutzverstößen offen.

In a democracy, it is essential for a balanced relationship between security and freedom that controls in the practice of information processes regularly take place. Through these, misuse of the process can be prevented or ascertained in hindsight. Inadmissible practices can be counteracted with controls. We are convinced that the information process under § 113 TKG and § 112 TKG exhibits grave deficiencies – if controls can be spoken of at all, that is.

The example of § 112 TKG: millions of automated requests and only a handful of controls

Not only in connection with a manual request for user information under § 113 TKG can authorities request user information. There is also the automated process under § 112 TKG, in which about 150 larger telecommunications companies take part (at Posteo, data can only be requested under § 113 TKG). In Germany, many millions of automated requests for user information under § 112 TKG are made each year. In 2014, 6.92 million requests were made to the Federal Network Agency which together led to 34.30 million requests to telecommunications providers. We asked ourselves how many controls these millions of requests made by authorities were actually subject to. We therefore wrote to the parties responsible.

From the privacy officers’ replies, it emerges that last year only a handful of requests by the Federal Network Agency and the state privacy representative (BfDi) were subject to controls, and these were mostly only checked for concrete tips on insider threats that had been reported from within the police authorities themselves.

The state privacy representative wrote to us: [translation] In recent years there were only few requests made under § 112 TKG, mostly from police authorities. These cases were checked together with the Federal Network Agency. Complete response: see gallery 4, further below

The last mention of controls in ten years of old reports of proceedings

To comment more closely on these “few cases” that were subject to controls, the state privacy representative only referred us to very old reports of proceedings from the years 2001–2004, with the addition, that [translation] “these are absolutely still current.”

In the 2003–2004 report, there is concrete talk of three cases:

[translation] During the period of the report, there were only a few requests from police authorities due to suspicion of unauthorised requests by insider threats. In three cases, data could be reported back that led to an investigation process.

See 20. Tätigkeitsbericht des BfDI 2003–2004, p144 ff.

A look at the newer reports shows that controls on requests under § 112 TKG in the procedure reports of 2005–2014 were clearly no longer mentioned. Whether controls were even undertaken at all after 2004 is therefore unclear to the public. For us, this is a very sobering result.

Before we knew of this result, we had sent written enquiries to all the federal state privacy officers, asking for the number of controls from 2013 and 2014. For requests under § 112 TKG, the federal state privacy officers also have control powers, where it concerns requests from public positions in their respective federal states. This was also sobering: all the privacy officers replied that they had not undertaken any controls of requests under § 112 TKG. Some of the privacy officers, however, want to undertake controls in future due to our enquiry.

The Hamburg privacy officer wrote to us:

[translation] Your enquiry will be taken as an occasion to undertake a privacy-legal control of the positions mentioned in § 112 Abs. 2 TKG this year.

Complete response: see gallery 4, further below

From Rhineland-Palatinate we received this commitment:

[translation] Because a competency centre for telecommunications surveillance measures is set up in [Rhineland-Palatinate], I have this area on my check plan for the current year. I will make controls of the process concerning § 112 TKG and successful retrievals made on this basis.

Complete response: see gallery 4, further below

Some privacy officers were of the view that they were not responsible. The privacy officer for Mecklenburg-Vorpommern advised us of a further problem – inadequate facilities for privacy authorities:

[translation] Due to a large number of petitions from various areas regarding privacy and freedom of information it is not possible in terms of either time or personnel for us to undertake controls on our own initiative of requests under § 112 TKG.

Complete response: see gallery 4, further below

As a matter of fact, no controls of the process under § 112 TKG occur. The only positive thing to note is that for the automated request process under § 112 TKG there are still reporting and protocol requirements, so that it can at least be seen in the Federal Network Agency yearly reports how often the process is utilised by authorised parties.

Gallery 4: responses from privacy officers on the controls of requests for information under § 112 TKG

• 
• 
• 
• 
• 
• 
• 
• 

Grey zone in § 113 TKG: no statistical data available

There are no statistical surveys by public positions of the number of requests under § 113 TKG available. Corresponding requirements for statistics are not known to our lawyers. Insofar as numbers are known at all, these originate from German telecommunications providers’ transparency reports that have existed since 2014, after Posteo became the first German provider to publish a transparency report on requests from authorities. In the Deutsche Telekom’s report for 2014, 27,957 requests were made under § 113 TKG. Complaints about security problems and illegal requests from the responsible organs of control have not yet led to a remedy in the requests that reach us, as we presented in part one.

§ 113 TKG: introducing reporting requirements to improve public controls

The process constitutes a grey zone, in a way. This is by no means acceptable, because requesting user information under § 113 TKG generally requires better controls and evaluation (see our section on chaotic circumstances for user information requests).

In our view, reporting requirements for requests under § 113 TKG should be urgently introduced. The numbers should be published yearly, as they are for other kinds of requests for information, e.g. as is common for requests under § 112 TKG (published in the Federal Network Agency's yearly report) and under § 100a StPO, (published on the Bundesamtes für Justiz website).

In addition, similarly to the automated process under § 112 TKG, protocol requirements should ensure that for each request, information should be held on which officer requested what information, to make internal and external controls (for example by privacy officers) easier in retrospect.

It is to be expected that these control possibilities would work against misuse and illegal requests. In this area, remedies are urgently required.

§ 113 TKG: broaden controls and intensify schooling of investigative officers

In our view it is urgently required that the responsible control authorities regularly and comprehensively make controls of compliance to the legal requirements for requests under § 113 TKG until the deficits in the process are eliminated nationwide. Investigative officers must, in addition, become comprehensively schooled in the secure and legally compliant handling of information technology in general and with sensitive data in particular.

Better equip privacy officers

In conclusion, on the topic of deficient controls, we would also like to advise of the current report on the duties of the representative for privacy and freedom of information.

In it is contained a warning with regard to future information processes, that:

[translation] the system of checks and balances in the area of intelligence services is in massive imbalance. Especially since 2001, the tasks and powers of security authorities as well as their personnel and equipment are considerably enlarged. The wide-scope cooperation between police and intelligence agencies has intensified nationally and internationally. Large central databases have been set up and a new security structure established. (...) On the control organs’ side, no corresponding development has occurred, i.e. also insofar as existing, grave lawmaking deficits that must be eliminated as quickly as possible in the interest of the citizens. As a result of this development it is no longer possible, given the negligible personnel and equipment available to me, for me to adequately fulfil my legally-assigned duties to advise and undertake controls. It is also no longer possible for me appropriately ensure the compensation function of my controls of the citizens concerned that the Federal Constitutional Court stressed in its verdict on anti-terror file law, i.e. to check for the party concerned whether their rights under secret interventions by the security authorities are protected."

Source: Tätigkeitsbericht der Bundesdatenschutzbeauftragten 2013 & 2014, p36

This statement is a warning from the federal state privacy officer. We see an urgent need to conform to the demands of the BfDI, such that more personnel and equipment is made available to them, also so that they can urge a secure and legally-conforming practice for information processes, for example, requests under § 113 TKG, and to comprehensively effect this with increased controls. The same applies for the federal state privacy officers’ equipment. The control organs must become altogether better equipped such that existing grievances can be effectively confronted.

When discussions about interventions into the fundamental rights of citizens occur, critics are often calmed by the argument that these can only occur under strict requirements and only with a “judicial reservation”. Referring to the judicial reservation is a common argument: the citizens’ trust in the judiciary is much greater than their trust in the government, according to surveys. At the moment, arguments are again being made using the judicial reservation; this time it’s about the planned reintroduction of data retention.

The control instrument of the judicial reservation has been accused for many years of being less effective in practice. For example, two well-invested studies published by Bielefeld University and the Max Planck Institute for Foreign and International Criminal Law came to this conclusion in 2003. Both studies documented multiple deficiencies in the process at the time. The Max Planck Institute, for example, came to the conclusion that a surveillance measure would fail to be granted only in absolutely exceptional cases.

The Bielefeld University study stated at the time that only a quarter of surveillance measures were arranged according to the process regulations. Moreover, the surveillance measures would mostly consist of orders, which allows the assumption that judges do not reach their decision independently.

A public prosecutor who was surveyed by Max Planck Institut researchers at the time stated the following on the topic of email surveillance, for the record:

[translation] In the area of email surveillance, an update and clarification is required. Chaos rules. There are the most crazy legal concepts and regardless of which application I submit, the judge allows it in these cases.

Source: Studie des Max-Planck-Institutes für ausländisches und internationales Strafrecht, p226

We have also grappled for some time with the question of how the control instrument of the judicial reservation intended by the legislator for surveillance measures has developed in Germany – and how its effectiveness is controlled or evaluated. The occasion for this question was (among other things) telecommunication surveillance (TKÜ) that was ordered for which both we and our lawyers found the offence stated to be insufficient. Incidentally, if you think that a surveillance measure (TKÜ) couldn’t affect you because you haven’t committed any crimes, you are incorrect. In practice, people within the sphere of a suspect also have their communication surveilled or seized, even if there is absolutely no suspicion of a crime committed by that person.

1. Legislators don’t sufficiently evaluate the effectiveness of the control instrument of the judicial reservation

If a suspect is ascertained and police officers with the public prosecutor instigate the seizing or surveillance of an email account, legal protection for the affected party is severely restricted by the secrecy of the measure. It can not be heard before the decision of the determining judge responsible. The judge should compensate for this deficit: the judge checks the case and if convinced that the telecommunication of the suspect should indeed be surveilled or seized, allows the public prosecutor’s application. Information as to how often a judge rejects an application for a surveillance measure is therefore an important indicator of how effective the control instrument of the judicial reservation really is. If, for example, all applications for surveillance were to be approved in a particular state, this would be a strong indication that the state is on the way to becoming a surveillance state.

How often a judge declines an application for surveillance can not be statistically ascertained

How often a judge declines a surveillance measure mostly can not, however, be ascertained in Germany. In the Federal Office of Justice’s yearly report, only the number of rulings passed is specified, in which measures under § 100a Abs. 1 StPO were arranged, as well as the number of surveillance measures undertaken (cf. § 100b Abs. 5, 6 StPO). The German federal states have to supply these numbers to the Federal Office of Justice. Numbers such as how often an application for a surveillance measure is not satisfying to a judge are not included in the statistics, however. The judicial reservation is therefore a control instrument whose efficacy it is actually largely unknown.

Posteo surveyed justice ministries in all German federal states

We wanted to know if the corresponding numbers were perhaps available in the German federal states. At the start of the year, we therefore asked the justice ministries for information in writing.

Initially, the responses were disappointing. We received the same responses time and again in which we were told that no statistics were kept as to how often applications for a surveillance measure were denied. The number of cases in which applications for surveillance (TKÜ) were denied was supposedly unknown. The fact that the number of refused applications for surveillance was not collected was supposedly because there was no necessity for reporting in the law.

The Bavarian state justice ministry (among others) explained to us:

[translation] The necessity to report under § 100b Abs. 5, Abs. 6 StPo does not stipulate any requirement to compile denied applications, which is why no statistics on this exist.

The state justice ministry of Hesse told us that this would require an effort of manual analysis [translation] that seems disproportionate to me and criminal investigative authorities can not be overburdened.

We then received the information that we sought: from Berlin, we received a reply that the senate in Berlin had collected the number of denied surveillance measures since 2006.

Gallery 5: some responses from the Ministries of Justice

• 
• 
• 
• 
• 
• 
• 
• 
• 
• 

And we were shocked.

Since 2007, not a single application for surveillance was denied

Since 2007, not a single application for telecommunication surveillance has been denied in Berlin. (See the respective yearly reports from the senate on the practice of telephone surveillance under §§ 100 a, 100 b StPO)

In total, between 2008 and 2014 in Berlin, 14,621 applications for surveillance were made – and approved. The number of surveillance measures arranged increased markedly over these years.

We therefore recommend that adapting the reporting requirements for control and evaluation purposes under § 100b Abs. 5, Abs. 6 StPO to that effect, so that not only the number of surveillance (TKÜ) measures arranged can be statistically recorded, but also the number of denied requests for surveillance (TKÜ) in order to check the effectiveness of the judicial reservation.

Lack of time and personnel in the courts

According to studies, a lack of time and personnel in the courts has for years also contributed to the situation. We can see an important starting point to strengthen the control of surveillance processes here. The Max Planck Institute study from 2003 already explains, for example, that the judge for an investigation, with evidence of a heavy workload, only has ten to a maximum of 30 minutes to check a decision for surveillance (TKÜ). Another judge stated then that he was forced to put his “checking priorities” into more serious cases, like bodily attacks or arrest warrants. The study determined, moreover, that police initiation of surveillance (TKÜ) was regularly taken over by federal prosecution and the judge in the investigation. The reasons for the order for surveillance (TKÜ) were, [translation] “according to the records and after self-assessment of criminal investigators surveyed, almost exclusively written by the police”, not by the judges themselves.

With regard to the judges’ workloads there appears to have been no improvement in the last few years:

From a current study, the Roland Rechtsreport 2014, it emerges that nine out of ten judges and federal prosecutors surveyed think it is necessary for additional judges and federal prosecutors to be employed. 85% of those surveyed said they have too little time for their legal cases. A vast majority (72%) of judges and federal prosecutors were of the view that the framework of conditions for jurisdiction in Germany are currently deteriorating. The main reason for this was that there are too few personnel.

We think it is alarming that such conditions have clearly existed for many years, and that there have clearly been no efforts made since the study from 2003 that would have led to an actual improvement in the controls of surveillance processes. This clearly leads in practice to statistics like those from Berlin, which in our judgement are no longer fair in a constitutional state. If the possibilities for surveillance in Germany continue to develop while these deficiencies linger, this is a development that can not be beneficial to democracy.

As the government is currently planning to reintroduce data retention and will authorise these public positions to make attacks on fundamental rights that should be subject to controls by the instrument of the judicial reservation, we summon the German Minister for Justice, Heiko Maas, to stop the draft legislation. If the possibilities for surveillance in Germany continue to be expanded while the deficiencies outlined in our transparency report still exist and clearly every application for surveillance is approved, this is a development that can not be beneficial to democracy. Data retention would allow public positions to make attacks on fundamental rights that are supposed to be subject to control by the instrument of the judicial reservation. According to the numbers we have documented, the instrument has not fairly performed its intended control tasks for many years. Controls of the information process are also deficient. Often there is no requirement to keep statistics or reports. In the practice of requests for user information under § 113 TKG, chaotic circumstances rule: almost all requests that reach us are illegal. We fear that the introduction of the law would lead to a further increase in illegal requests.

Erstellt am 17. Januar 2018, 18:00 Uhr

During the last nine years, each of the 14,476 surveillance orders from the Berlin public prosecutor's office has been approved. The last rejection happened in 2007.
On this topic, Netzpolitik.org provides an article with current statistical details that is worth reading.