How do secret deals between politicians work?

Secret sessionGovernment refuses to give the Bundestag any information about state Trojan companies

The state Trojan is the biggest invasion of privacy so far and should actually be the most intensively controlled. However, the federal government is reluctant to provide information, explains a lot of information about secrets and completely refuses to answer some questions.

Before the summer break, the Bundestag Interior Committee invited the Federal Ministry of the Interior and the Federal Criminal Police Office to report to parliament on the use and legal basis of the state Trojans. As with so much about the Trojan, these sessions were classified as "For business use only" and are therefore not yet publicly known. We have now received the minutes of the two meetings and are publishing them in full text as usual.

The MPs are dissatisfied because the federal government refuses to disclose how often the state Trojan has been used since the legal expansion a year ago. The Ministry of the Interior does not want to provide any information about “the number of ongoing cases” because “conclusions could possibly be drawn about which cases are involved”. The FDP calls this "nonsense" and is examining a lawsuit.

"Burned when the names become public"

The main point of contention, however, was commercial manufacturers of state Trojans. After the DigiTask software "bursts open", the BKA programmed its own state trojan: "Remote Communication Interception Software" (RCIS). Two versions of this are currently approved for use, but only as a “small state Trojan” (source telecommunication monitoring), in which the communication of IT devices is diverted and tapped after infection.

In the case of the “large state trojan” (online search), all data on the IT devices are searched and evaluated after the infection. The BKA is currently programming software for this, "this development is still in progress" and "should be completed next year". Currently, the BKA can use the state trojan FinFisher / Finspy, which is notorious for its use in “unjust states”, for online searches.

We were able to make our cooperation with FinFisher public through leaks and a lawsuit. This public is uncomfortable for the surveillance companies, they want to keep their business secret. Stephan Mayer, Parliamentary State Secretary in the Ministry of the Interior, says:

The companies do not want it to be revealed that they are cooperating with the federal government or with federal security agencies. If so, then terminate your business relationship with us.

I say it here quite openly, they are burned when the names circulate and become public.

FinFisher has no problem if their software is used against activists and journalists in Egypt, Ethiopia, Bahrain, Uganda and Turkey, but if the cooperation with German authorities becomes known, you are "burned".

We have contacted the company from Munich repeatedly and asked for a comment, unfortunately without an answer.

From Rohde & Schwarz to the ZITiS hacking agency

Other state Trojan companies are Hacking Team from Italy and NSO Group from Israel. The German authorities - BKA and ZITiS - seem to concentrate on German companies.

According to the BKA, “the development there has escalated dramatically in recent times,” and “a corresponding process of concentration is under way again in the economy”. This could mean that the Hessian state Trojan company DigiTask was taken over by the Leipzig company ipoque, which in turn belongs to Rohde & Schwarz. Two weeks ago we already suspected “that ipoque wanted to develop its own state Trojan”.

A spokesman from ipoque or Rohde & Schwarz informed us on request:

As a matter of principle, we do not provide any detailed information on any transactions or customers in the security-relevant area. Of course, solutions developed for this purpose are only sold to appropriately authorized agencies.

It is explosive that the hacking authority ZITiS (Central Office for Information Technology in the Security Sector) is setting up its own department for state Trojans. As Florian Flade reports, ZITiS has now been able to hire a manager for the telecommunications surveillance department. He was previously at Rhode & Schwarz.

"Government is ashamed of suppliers and customers"

Linus Neumann, spokesman for the Chaos Computer Club, comments on netzpolitik.org:

Heckler and Koch, Krauss-Maffei Wegmann, Rheinmetall - these companies do reprehensible things, but are forced to appear under their own names. Now we're being told that the federal government is working with companies that have to keep their own names secret? It seems more likely to me that the federal government is ashamed of its suppliers and their customer base - and rightly so!

Konstantin von Notz, member of the Interior Committee for the Greens in the Bundestag, told us two weeks ago:

The previous argument of the federal government that naming suppliers - even in classified form - would endanger the state's welfare, is simply absurd and leaves the parliament's control rights completely ineffective. We will certainly not put up with that, but will continue to push hard and with all means at our disposal to answer our questions.

Here are the minutes in full text:




Classified Information - For official use only

German Bundestag

Committee on Home Affairs and Home Affairs

Short / verbal minutes of the 13th meeting

Berlin, June 6, 2018, 10:00 a.m.

Agenda item 8

Motion of the parliamentary groups FDP and BÜNDNIS 90 / DIE GRÜNEN

Federal government report on the use and legal basis of source telecommunications surveillance and online searches

Chairman Andrea Lindholz (CDU / CSU): Then we do Item 8 with the report and then come up to the debate next time. May I help you.

PSt Dr. Günter Krings (BMI): Thank you very much. I have Holger Ziemek from Division CI 8 Cybersecurity at the Federal Ministry of the Interior and Helmut Ujen from the BKA with me. You can also have a seat in front of both. I would also point out that the document I am submitting is headed Classified Information - For Official Use Only (VS-NfD). I can certainly say a few sentences openly, but from a certain point we have to come to a classification, at least VS-NfD.

I would start briefly. It's about the issues of source TKÜ (telecommunications surveillance) and online searches. Special regulations on source TKÜ and online searches are not entirely new, have been anchored in the Federal Criminal Police Act (BKAG) as preventive measures to avert danger at the federal level since 2008, at that time § 20k and § 20l BKAG. Not only because we threatened to run out of letters in the alphabet, but because there is also a decision by the Federal Constitutional Court (BVerfG) and a new version of the BKAG was already being considered, there is now a new version - you know that - together with the General Data Protection Regulation (GDPR) , also not coincidentally together with the GDPR, which came into force on May 25, 2018. These are now sections 51 and 49 BKAG. The introduction of TKÜ sources and online searches also took place in the preliminary investigation, in 2017 through the amendment to the Code of Criminal Procedure (StPO). Here, too, the case law of the BVerfG is of course taken into account both in the new version in the BKAG and in the StPO. The source TKÜ for repressive purposes is regulated in Section 100a and the online search in Section 100b of the Code of Criminal Procedure.

The difference between source TKÜ and online searches is significant. It is of course a question of very different levels of government access. The point is that the source TKÜ naturally only records certain communication data. With an online search, on the other hand, there is access to the entire stored database of a certain target system, so really like a house search, so you can probably compare it. The depth of intervention of the source TKÜ is therefore significantly less than the depth of intervention of the online search. Therefore, we should always pay attention to the differentiation in the legal and political evaluation.

In terms of interference, the source TKÜ does not go beyond classic telephone communication monitoring. The technical design of the TKÜ, which does justice to modern communication behavior, is precisely this source TKÜ, because some communication processes that would classically be intercepted or observed with TKÜ can only be accessed with the source TKÜ due to other technical forms of use.

The online search naturally has a high level of intervention and is therefore logically only possible under stricter conditions, which in turn are based on the well-known living space surveillance, i.e. only for particularly serious crimes and only in exceptional individual cases. But I also want to make it clear that the source TKÜ, i.e. the lower-threshold intervention, is of course not considered for petty offenses. As far as this is insinuated from time to time, it is absurd from our point of view, you can also look it up in the catalog. In the StPO, too, the catalog only provides for the fight against serious crimes. The security authorities use different software products, depending on the needs. Of course, we cannot make any statements about the individual specific range of functions even in the classification. Before use, of course, a test for conformity with the legal situation is carried out and only then is an operation approved.

If we should now provide a little more detail, not even down to the last detail, but a little more detailed information - if that is desired, I assume - about the questions of how to proceed or which instruments are used, we can only do that do in a classified form. I cannot propose that, I can only suggest that the committee then classify it.

Chairman Andrea Lindholz (CDU / CSU): Mrs. Polat, please.

Outg. Filiz Polat (ALLIANCE 90 / THE GREENS): Yes, we will apply for this if Dr. Krings presenting in the classified form would be good.

PSt Dr. Günter Krings (BMI): I'm done with things then. When we have classified, the further details - I would say - would then be presented by the specialists at the BKA. But first we have to make the classification.

Chairman Andrea Lindholz (CDU / CSU): Well, I'll put it to the vote now. If you agree to the classification in VS-NfD, I ask for a show of hands. Votes against? Abstentions? Then we would have classified and then I may ask everyone to leave the hall upstairs in the stands who are not allowed to be present in these cases. That means everyone who is not involved in it officially, for example interns.

Well, then the ranks will have thinned and I can then hand it over to Mr. Ujen.

Helmut Ujen (BKA): Yes, thank you very much, Dr. Krings, ladies and gentlemen. I am very grateful to be able to speak to you here. I would like to introduce myself very briefly to you. Helmut Ujen, detective at the BKA. I am the head of a group, elsewhere called a sub-department, which deals with communication monitoring, with technical development as well as with implementation, but also with some other things that are not up for discussion here today. We are a service unit for the investigations, first of all by the BKA and, of course, secondly for the German police, some of which use our services. We received the order from the Federal Minister of the Interior in 2012 to develop our own software for these measures of the sources TKÜ at that time and subsequently also the online search. This as a result of an event that most of you should be aware of, namely the bursting of a piece of software from a commercial manufacturer that we used earlier. The point was to say that we should bring more transparency into these highly intervention-intensive measures. That is why the BKA was commissioned to develop such software itself, not only in accordance with all legal requirements, but also with criteria of maximum transparency. I could now go on to say that in what we then basically used as the basis for our in-house development, nine points, namely the first nine, concerned IT security and data protection and only the tenth concerned the protection of this instrument , but I don't want to press on the tear glands here.

I also know that the time, not only my speaking time, but also the discussion time is limited and that is why I would like to offer you right now, and if necessary implement it in coordination with the Federal Ministry of the Interior, at a time to be chosen by you We are very happy to hold an information event where a little more time and effort can be spent on these measures, because they require a lot of explanation. According to your ideas, for all interested MPs or parliamentary groups and, as I said, in coordination with the Federal Ministry of the Interior, we can then gladly do that for all the questions that remain open after today's event and I suspect that there will be a few more.

Regarding the measures themselves: I cannot - and do not want to - give a full lecture on what we are doing now. I can only describe to you, from my many years of experience as a detective, that we are actually doing nothing other than telecommunication surveillance with the Quellen-TKÜ. That's what we've been doing since phones have been around. All investigations, especially all in the BKA, require TKÜ at a very early stage of the investigation. That is essential and, of course, we have observed over the last ten or fifteen years that these measures, which we carry out by default using communication providers, have massively lost in function, in value and ultimately in benefit for law enforcement . I don't want to conjure up the big scenario of going dark here, it has many other facets. But it is a fact that in telecommunications we have of course been dealing mainly with encrypted communication for at least five, more likely ten years. There are also other phenomena, such as what we call nomadic behavior. That means that people go online wherever they want, and of course that is also beyond TKÜ. That means that the technical need for new ways - and we then just called it compensatory measures, like this source TKÜ - is given and I also assume that it is initially undisputed per se. At the same time, it is of course a question of weighing up. It is also the case that we have learned a lot in recent years, I have to tell you. So we have also learned a lot of things that we did not imagine at the time about the difficulty, both in the development of such software and in the implementation of such measures. These are even bigger than expected. This difficulty alone has already led - and perhaps as positive news to any critics of this measure - that we are dealing with exceptions here, with an extremely small number of such cases compared to the TKÜ, which is already used rather sparingly. We have an average of around 1,100 TKÜ in the BKA in recent years. If you extrapolate that to a number of criminal offenses, it's not very much. The number of source TKÜ that I cannot communicate to you now due to the fact that we only have past and no current closed cases is much lower. It is so small that you might come to the conclusion that the question arises as to whether this is such a big problem at all, as is often presented in critical comments, which are then often used with catchphrases such as surveillance state and the like , area-wide monitoring, handle. It's the opposite of that. It is so complex and so difficult to carry out that it can actually only be used in exceptional cases due to the technical complexity alone, which, as I said, I can do a little more in another event.

I would like to interrupt my introductory statement at this point and give you the opportunity to perhaps ask and tell me which aspects are particularly important to you that I should present to you.

Submission Manuel Höferlin (FDP): You'd better go through another five minutes in detail.

Chairman Andrea Lindholz (CDU / CSU): So that's the point, we now have five minutes. It is no longer enough for questions. However, I understood your offer to the political groups to organize another event in which other Members could also take part. This could be a substitute for another session. But you still have four minutes if you have any more things to tell us about which you say we might still be interested.

SubmissionKonstantin Kuhle (FDP): Madam Chairperson, I understood Mr Ujen to mean that this is not a substitute, but an addition.

Chairman Andrea Lindholz (CDU / CSU): It was an idea, I'm taking this idea back immediately. We'll do both, or if you want to accept the offer, you do. I'll pick it up next time.

Helmut Ujen (BKA): Yes, very much, thank you very much. I will tell you about our in-house development. We started it in 2012 and ended it in 2016 with the first version of our software. At the time, we developed software that reflected the status at the beginning of development. That was, quite simply, our mission. For you, that alone may be a sign that, of course, in 2016 we were no longer able to cover the level of 2016 with this software. Communication behavior has changed, namely mobile platforms, smartphones, etc. have become so prevalent that of course when we started this in-house development we knew that if we ended it, and we had to add some initial effort, we would probably end up behind the technical development are. This is also the case now, so we started our second development in 2016, which then extended to mobile platforms, and we finished with the first version last year. This applies to the Quellen-TKÜ, mind you, because that was just our job at the time.

We already had online search software from before 2012. This is also something that is often mixed up in public presentations. So this is old software, so to speak, simply because these differentiated legal norms did not exist before 2008. We only got them at the BKAG and of course in the meantime we had no time or resources to develop both in parallel . That is why we are currently in the process of creating a new software for online searches that will then also meet all new requirements, not only the technical, but also the legal requirements that have now been formulated very strongly and differentiated by the BVerfG. The subject of core area treatment should be mentioned by name. We are currently in the process of developing a process that corresponds to this newer Federal Constitutional Court ruling. This means that this development is still in progress, should be completed next year and so you can roughly see from it what the status of our in-house development is.

We also use commercial products. We started, and this is already public, with the procurement of a commercial product - at that time it was called 2012 again - which at the time had the intention of being a transitional product. Of course, this transitional product had to meet the same, very strict, legal and, moreover, the requirements of our standardized service description. This posed insurmountable problems for this commercial product at the beginning, which is why it was not a quick purchase of this interim solution, but a time-consuming adaptation of this product by the manufacturer according to our specifications. This process, which actually took longer, surprisingly longer, than our own development, has led to the fact that last year we finally have a revised version of this commercial product that meets all requirements. So since last year. For both products, i.e. the in-house development of the BKA and this third-party product, we have had software tests carried out by different institutes certified by BSI. This involves a great deal of effort, not only financially but also in terms of time. The software test for the commercial product alone extended over several stages, ultimately over three years due to the necessary adjustments. We learned a lot from this process alone. Our in-house development, which was naturally developed according to these specifications - unlike the commercial product, it was not developed according to the specifications, that already existed before - has also shown us how difficult it is to meet all these requirements. As I said, all of these things have nothing to do with functionality, i.e. with the benefit for our law enforcement, but all of these things have to do with data protection, IT security and the requirements, the very high and - as far as I know and I am a lot in contact with international partners - globally unique high standards, in order to do justice to this, we have made this effort. I think that was the four minutes.

Chairman Andrea Lindholz (CDU / CSU): Precision landing. Many many thanks. We will continue this agenda item in the next meeting. The classification VS-NfD is hereby canceled.


Classified Information - For official use only

German Bundestag

Committee on Home Affairs and Home Affairs

Short / verbal minutes of the 18th meeting

Berlin, June 13, 2018, 10:00 a.m.

Agenda item 17

Continuation of the Federal Government's report on the use and legal basis of source telecommunications surveillance and online searches

Chairman Andrea Lindholz (CDU / CSU): We would then continue with item 17 and continue the report directly with the group round. As a reminder, it is about the use and the legal basis of source telecommunications surveillance (TKÜ) and online searches.

PSt Stephan Mayer (BMI): The TOP should be classified again in classified information - only for official use (VS-NfD).

Chairman Andrea Lindholz (CDU / CSU): Thank you for the hint, it is again - we had also classified the last time - VS-NfD classification requested by the federal government. Like last time, I will put a vote on it and ask for a show of hands who will agree to this application for classification. These are the coalition groups, the FDP and DIE LINKE groups. and BÜNDNIS 90 / DIE GRÜNEN, votes against: none, abstentions: the faction of the AfD.

I then ask everyone who is not officially involved in the matter, e.g. interns, to leave the stands. So, everyone has now cleared the stands who are not allowed to sit upstairs. Then we come to the question and answer session now. I look at the Union and look for the speaker, please, Mr. Schuster.

Submission Armin Schuster (CDU / CSU): Thank you, Madam Chairperson. I'm referring to - - Now I'm stuttering. So, Mr. Ujen has presented and Mr. Andreas Könen is there as legal advisor?

PSt Stephan Mayer (BMI): Exactly.

Submission Armin Schuster (CDU / CSU): Okay I got it. What would be of interest to me, Mr. Ujen, is: In which crime groups do you see limitations, where there is either a lack of legislation in the federal government or where the federal states do not assign powers to their investigative authorities at the same level? I assume that in the areas of crime you are talking about, we are generally not talking about country-specific, but about federal republican-specific types of crime. It is well known that we have a problem when it comes to child pornography. One example was prominently mentioned by your President two weeks ago - I believe - or a week ago, also in connection with data retention (VDS). I would have liked to know where it got stuck - as the prime example, VDS and child pornography, also with Quellen-TKÜ, also with online searches - and how does the German patchwork affect the different legal options of the federal states?

Chairman Andrea Lindholz (CDU / CSU): So now we come to Mr. Herrmann.

Submission Lars Herrmann (AfD): Thank you, Madam Chairperson. I can make it very brief. We have already heard that this is nothing more than an online version, like a normal TKÜ. No information is obtained that would not also be obtained through these conventional TKÜ measures. To put it in the words of the FDP, which I very much like to fall back on: the rule of law must be better organized than crime. This is exactly what these measures are for. The catalog of criminal offenses for which such measures can be taken into consideration is narrowly drawn. This is not about petty offenses, but about serious and very serious crimes. The legal application requirements are correspondingly proportionate. Not least because of the judge's reservation, which is responsible for issuing orders, an appropriate hurdle was set. We have no doubts about the necessity and necessity of these constitutional tools for solving serious and very serious crimes and also organized crime. The same goes for online searches. At the last meeting, the representative of the Federal Criminal Police Office (BKA) made it clear again in which minor cases or which minimal applications come into play, and so we are completely happy. Many Thanks.

Chairman Andrea Lindholz (CDU / CSU): So, Mr. Grötsch had signed up for the SPD.

Submission Uli Grötsch (SPD): I only have the question of how far you can assess the legally secure application of the regulations that have been made by courts, public prosecutors and also your authority? And how do you personally assess, or how does your authority, of course, also assess an interim assessment of this set of instruments?

Chairman Andrea Lindholz (CDU / CSU): Then we come to Mr. Kuhle, please.

Submission Konstantin Kuhle (FDP): Yes, thank you very much. Dear Mr. Herrmann, the functionality and trust in the rule of law also depends to a large extent on the legitimation for state measures and this legitimation is always related to technical and legal transparency about the measures. I don't even know if I have any doubts. I don't even know what the Free Democrats' legal opinions are on this issue because all the information is simply not yet available. That is why it is right that the legislature demands, controls and inquires of the executive as to whether the investigative authorities only act to the extent that the legislature provides.

I would like to make a second preliminary remark: Thank you very much, Mr Ujen, for the report you started last time. I found that very impressive and very good. I would like to reiterate that the offer to hold a technical workshop together and to go into the details of these investigative measures even more deeply - source TKÜ on the one hand and online investigation on the other - is very much appreciated by our group is taken. So we want to do that very much.

In connection with your remarks from last week, I would be interested in: You spoke about the specification that was passed on to your authority in 2012 in connection with the commissioning of the development of the software for the Quellen-TKÜ, and I would be interested in whether this specification was adapted in 2017 after the introduction of new authorization bases. So has there been a modification of the obligations, of the technical obligations after the modification of the legal obligations? That would be my first question. My second question is: As of today - since not all software products have been finally developed - are different software products used for the source TKÜ and the online search? And are different software products used for encrypted and non-encrypted communication as part of the Quellen-TKÜ?

Another question. How do you ensure that the software is only allowed to access ongoing communication? Was the Federal Commissioner for Data Protection and Freedom of Information (BfDI) involved in the review of the software products? In how many cases and for which criminal offenses has the Quellen-TKÜ been used since its introduction?

One last question, if you allow: Did the BKA or other federal authorities, before the introduction of the authorization basis in 2017, have these measures, which are now regulated in Section 100a, Paragraph 1, Clause 2 and 3 of the Code of Criminal Procedure (StPO), the encrypted and in the unencrypted version, and § 100b StPO for online searches, and if so, on what legal basis was this done? One final question: How do you actually ensure that the software is deleted from the source TKÜ after it has been installed? Thanks.

Chairman Andrea Lindholz (CDU / CSU): So, then Mrs. Renner had reported.

Submission Martina Renner (DIE LINKE.): I have three questions, the first being divided into four parts. I would like to know: Which manufacturers of software or providers of services for IT surveillance, i.e. source TKÜ and online searches, have, to the knowledge of the Federal Government, been contacted by the BKA since 2005 as part of the usual market inspection for information about their products? Which, and now you can double the resolution again, i.e. which manufacturers of software or providers of services for IT surveillance have presented their products to the BKA or other federal agencies since 2005? Which of these manufacturers or providers have given their products to the BKA or other federal agencies for testing purposes since 2005? And which of these providers or manufacturers have made the source code of their products available to the federal authorities for testing purposes since 2005? That would be the first question.

The second, with regard to all federal authorities or agencies of the federal government and the states outside the BKA - i.e. the Federal Intelligence Service (BND), the Federal Office for the Protection of the Constitution (BfV), the Customs Criminal Police Office or the Central Office for Information Technology in the Security Sector (ZITiS), you can now imagine everything - Which of these agencies or authorities may have developed their own software for online searches, obtained from commercial providers? Or are there plans to develop appropriate software? This is followed by the question of which federal or state authorities or agencies use the corresponding software - whether it was adopted by the BKA, independently developed or purchased - and on what legal basis?

Chairman Andrea Lindholz (CDU / CSU): And finally, Dr. from Notz.

Submission Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): Madam Chair. I wanted to say again to the statement by Mr. Herrmann, who is not there, with reference to the FDP poster: The rule of law must be better organized than organized crime. That is definitely correct.

Above all, it must be more constitutionally organized than organized crime. That is an important point, yes, one that should not be ignored unless you are close to Assad. But that is why it irritates us, because we, as parliamentarians, are supposed to answer what is actually going on and what about the legal basis, that in our small question we did not receive an answer at all to seven questions referring to the public interest. So not even classified - we can keep it secret or something like that, I think it's blatant, but okay - but not at all, but: The existence of the Federal Republic of Germany is endangered if the Federal Government answers these seven questions. This does indeed cause concern and one wonders what is actually going on here.

There is a whole series of questions, some of which also overlap. I want to ask again explicitly whether the federal government continues to work with companies that also supply this software in unlawful states, which also leads to considerable security problems for the use of the software that you use yourself. That is why we are interested in whether we can continue to work with these companies, which we all - I believe - are familiar with.

The second is: Does the federal government continue to try to code such software itself, so people from the authorities are still doing it? I would also be interested in what the total costs of the State Trojans project are to this day and how that relates to their use? Another question is to what extent, with regard to ZITiS, this mysterious Federal Ministry of the Interior, Mr Mayer, one does not come to the conclusion that a legal basis for this authority would do very well so that all the other security authorities involved in this area also understand what ZITiS should actually do. When you talk to other authorities like that, who also feel that they are responsible, there is irritation. So I would be interested in whether there is a legal basis for this. If that doesn't exist, could you explicitly say in three sentences what exactly ZITiS is allowed to do and what is not? Many Thanks.

Chairman Andrea Lindholz (CDU / CSU): So, Dr. Petry would be the last to speak, no request to speak. Then we come to the answers and who starts?

PSt Stephan Mayer (BMI): Perhaps in principle, Madam Chairwoman. If I immediately answer the questions of my colleague Dr. von Notz may enter into and the proviso as to why seven questions - it is about the specific small question of the Alliance 90 / THE GREENS parliamentary group of March 28th of this year - and seven questions have actually not been answered.

Submission Konstantin Kuhle (FDP): Excuse me, Secretary of State. Before you answer, I just want to expressly adopt the submission as my own for the question on Bundestag printed paper 19/1020 of the FDP parliamentary group. These are essentially the same points.

Submission Martina Renner (DIE LINKE.): I think we have a small question to contribute to that which was not answered completely, that is the answer to printed matter 19/522.

PSt Stephan Mayer (BMI): I have all the small inquiries and the answer also relates to all three small inquiries. It has not been suggested that the continued existence of the Federal Republic of Germany would be endangered. From my point of view, however, it is right, and in response to a request from your colleague Haßelmann, I communicated this again in a letter dated May 17: It is simply a matter of highly sensitive information and I just ask for your understanding that, with all our understanding - and I was seated yes, until recently on the other hand - for the parliamentary right to ask questions and information and also need, which I also want to help promote, but I just ask for your understanding that we cannot name any specific company names that are here with the BKA or work with the BMI. I say it here quite openly, they are burned when the names circulate and become public. I also understand that companies cannot reveal the most sacred of their business interests, the source code. So if you have an answer here - I think there were well over 40 questions that were asked by you, the Greens. If there are seven questions that cannot be answered, then there is no unwillingness, defiance or disregard for Parliament or, in the case now, of the Alliance 90 / The Greens Group, but from my point of view there are really very good, appropriate ones Reasons why we cannot name specific company names in particular. Then pretend: Well, the existence of our country is not in danger now - yes, it is about elementary security interests. And I really ask for your understanding. I would also like to defend this approach again emphatically. It would in no way be justifiable if we were to deposit the names, even with reference to a deposit with the secret protection office of the German Bundestag. I have had to learn this often enough that unfortunately documents or the contents of documents from the secret protection office have found their way into the public. Against the background, this is not a succinct dismissal of the Parliament's right to information and questions, but from my point of view there are really well-founded, solid arguments here.

Submission Manuel Höferlin (FDP): Can we just maybe - - Well, you can't leave it like that.

Submission Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): No, it doesn't work that way.

Chairman Andrea Lindholz (CDU / CSU): So I would like to first have all questions answered, we have until 1:00 p.m. and then you can devote yourself to this question again. But I think that all questioners have a right to be tried to answer their questions. So, it goes on in the round.

Helmut Ujen (BKA): Yes, thank you very much, Madam Chairperson. My honorable Members, I would also like to thank you for your questions. I'll start with Mr. Schuster and then try in the order in which I am, and you will be kind enough to ask if it is not enough.

Criminal groups, limitations and also the subject of the federal government and the states: So in general, to begin with the last question, the situation has potentially improved insofar as we now have an amendment to the Code of Criminal Procedure, which of course enables the states to do something that was not before Case was. We have the issue of uniform police law, we do not have these legal bases in all federal states according to police regulations, but now we have them for criminal proceedings. However, the legal practice there, as far as our measures are concerned, is of course still very young. To that extent, that begins. We do not yet have any legal facts about whether it will have an impact and to what extent, insofar as the states then implement the appropriate options, so I cannot report on this in any further detail.

The offense groups in which this plays a role: So ultimately, what we're doing here is communication and encryption. Incidentally, we naturally have the same and similar issues relating to encryption not only in ongoing communication - and that is also the bridge to online searches - but also in relation to IT evidence. So, of course, we have the phenomenon that we also have encryption for seized objects and therefore of course we cannot access some of these objects and this evidence. In this respect, the phenomenon is actually not limited to specific crime groups. In this respect, I am also a vehement defender of the catalog of criminal offenses in § 100a and § 100b StPO. This corresponds to the legal reality that we are observing and, of course, does not mean that we are making full use of this catalog of criminal offenses, especially with this intensive measure. In any case, the future will show that there is still another question as to the extent to which it may not regulate itself.

The phenomenon of encrypted communication has a particularly strong impact on all acts and the example of child abuse you mentioned. I always hate to talk about child pornography, I find the term as perverse as the criminal offenses behind it. The phenomenon, which has accelerated to an unknown extent, especially via the Internet, of course has a special meaning in this context, but also all other forms of communication that are very clandestine. So I'm back to the beginning: in the end, it's not very crime-specific.

Regarding Mr. Grötsch's question, legally secure application and, ultimately, you asked me about the interim results. I had already initiated it. I am currently unable to even give a very cautious interim balance. We just don't have legal facts. Incidentally, there are also some non-replies to the requesting parliamentary groups from the opposition in such a way that we can only provide information on proceedings that have been completed. We have no completed procedures in which we have carried out such actions. Then we will report and of course we will also make the relevant legal facts available to you, if they exist. However, there are currently no completed procedures with these measures. In this respect, the interim results would be completely dubious, so I ask for your forbearance that I cannot do that now.

The handling of the application and the implementation of measures, in particular the judicial treatment: The empirical values ​​that we have there result from the past. We already had the measures before 2017. You can say that the judges - and that is part of it, an implicit reproach - are well aware of the scope and are also aware that a decision will have a decisive impact on the measure can act, and so do they. So we already have legal facts from the past, and that without the new StPO regulations, which have shown very specific and very narrow rules and limits for the implementation of such measures.

Regarding Mr. Kuhle: The specifications of the Remote Communication Interception Software (RCIS) were not adjusted in 2017, RCIS is the name of our software developed in-house. It was not adjusted because the legal change in 2017 gave no reason to do so. We simply have the same standards that we found to be correct at the time - and at that time it was about use in accordance with the provisions of the BKA Act (BKAG) - which we applied at the time. This is still the case, as the change in the law has not introduced any new standards here.

The online search and source TKÜ, as you put it - if I remember correctly - at the present time, is being carried out by us with different products. We address ongoing communication in a technical way, and you have to trust me now because, due to lack of time, I cannot make a technical discussion here, which means that the BKA's in-house development technically ensures that ongoing communication is involved limited. Incidentally, that was also a central point of the review that was carried out on our product, but also of the BfDI review - because that was also part of your request, and I am trying to make an elegant transition. At that time it was still the BfDI. There was an audit visit with several continuations and a corresponding examination of our source code, examination of the source code, examination of all documents, including detailed test reports classified as classified as confidential, that was checked by the BfDI and the BfDI would have to provide further information.

Then I wrote down only one question very briefly because you were very quick in the timing of your questions: Cases, I no longer know exactly what it was, but insofar as you refer to the legal facts, what I said at the beginning applies said: I cannot provide any information on this yet, because only ongoing and not closed cases.

The question of the measures before 2017 and the applicable legal basis. In addition, as with most of the remarks I have made now, there are more or less basic written replies to small questions from all the groups represented here. I am basically referring to them. You have also received information about this, because of course it related to a period that was far in the past, namely before 2011, because that was when we stopped taking this measure. In the period before that, on the legal basis of the then valid StPO, we did not conduct an online search, but only source TKÜs according to the then valid § 100a StPO and according to the BKAG, according to which it had been valid in the new version since 2008.

MDg Andreas Könen (BMI): I would perhaps add that again, Mr Ujen especially cites the answers to your questions one and two in printed matter 19/1020. That is exactly what we are talking about here. To recapitulate it briefly, there were three measures of the sources TKÜ according to § 20l BKAG, i.e. from the danger prevention, and correspondingly three procedures of the online search according to § 20k BKAG. And there were the five measures indirectly cited by Mr. Ujen on the basis of the then applicable StPO of the Quellen-TKÜ.

Helmut Ujen (BKA): Yes thank you. They also asked about the deletion. The same applies to deletion as to ongoing communication. The fact that we delete residue-free - as it is called in the law - is also due to technical reasons and has been proven and tested. In this respect, I would ask you to trust - in the best of cases - that we will do so. It is also in our own interest that we do it and, at the same time, it encounters technical restrictions, which then certainly lead to it working in the ideal case and not optimally in the non-ideal case. But in principle it works very well and, as I said, that relates in particular to our own development.

Regarding Mrs Renner's questions, which ultimately all revolve around what the State Secretary already mentioned at the beginning. The problem is, and I would like to try to put it into perspective, that there is indeed not only a narrow market here, actually none at all. So there are a couple of manufacturers in this market and of course we are constantly monitoring this market, we have done that in the past and we do that today. We learnt. You know which companies we have been in contact with in the past and which contracts have also been concluded, and we have also answered that in the past. In recent times, the development has come to a head so dramatically that there are actually hardly any providers on the market. The remaining have made it very clear to us that there is no publication from their side about cooperation, and if there is from our side, there is no business relationship with these companies. If I had to provide information about this, then that would mean that I can no longer carry out this measure with the products of the respective manufacturer. In this respect, in my opinion, it is actually questionable whether the list of these companies, which you can of course research yourself, would have added value if I confirm that these are the companies that I also know. Incidentally, a corresponding process of concentration is under way again in the economy. So this is a highly dynamic area. He is now so sensitive that I actually - - That is the reason why, despite my personal regret as a citizen, I do not give any information about some things, because at the moment I do that, not only we can but - I also stand and sit here on behalf of the other security and law enforcement authorities - all law enforcement and security authorities no longer carry out these measures, quite simply. That just requires the restrictive information on the questions about companies. Of course, your four sub-questions to one must all be answered the same way.

Submission Martina Renner (DIE LINKE.): But then I have a question about it. If you could then no longer carry out these measures - that is only a hypothesis for the time being - why is the state well-being endangered, i.e. the existence of the Federal Republic of Germany? So that's the card you're drawing. The continued existence of the Federal Republic of Germany is in jeopardy if you answer the question. You now say that business relationships will then be difficult. I think that is not the requirement.

Submission Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): That is not the same.

Submission Martina Renner (DIE LINKE.): Exactly, it's not the same. Therefore, can you please explain how what you have just said is endangering the continued existence of the Federal Republic of Germany?

Helmut Ujen (BKA): So I am only allowed to introduce, but then Mr. Könen continues. So it's not that I said business relationships are difficult. I have a hard time. I have a hard time with this measure anyway, I can tell you. No, my point is, and that is my professional end, so to speak, and then the political evaluation begins, my point is: Then I can no longer cooperate with them and then I can no longer carry out this measure.

Submission Martina Renner (DIE LINKE.): And that endangers the existence of the Federal Republic of Germany?

Chairman Andrea Lindholz (CDU / CSU): Mr Mayer will now answer that. Maybe we will now wait for the answers.

PSt Stephan Mayer (BMI): Perhaps I may join in now because it is now a question of political evaluation. It is not the case that the possible - and I believe that is a very realistic assessment - termination of business relations per se jeopardizes the security of our country. However, due to the termination of the business relationship, the measures can no longer be carried out in the future. The insights not gained from this, which in turn can in individual cases very well lead to elementary threats to internal security and public order. That is why I can very well come to the conclusion on the part of the Federal Ministry of the Interior in the political assessment that we are not answering these questions in detail, even with very appropriate reasons, especially with regard to specific business relationships. I would ask you again, I only refer to the comments I made at the beginning, simply for your understanding. Mr Ujen has now shown very authentically how the battle situation is with this narrow market that exists in this area. The companies do not want it to be revealed that they are cooperating with the federal government or with federal security agencies. If so, then terminate your business relationship with us.

Submission Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): Closed for wealth.

PSt Stephan Mayer (BMI): Colleague Dr. von Notz, with all due respect, I do not see it so succinctly. As I said, I come to a different political assessment here and ask for your understanding.

Chairman Andrea Lindholz (CDU / CSU): Mr. Könen is adding to the complex, please.

MDg Andreas Könen (BMI): Yes, I would add that we have to make a clear distinction here between the concept of the state welfare on the one hand and the concept of the existence of the Federal Republic of Germany. The latter is a term from security protection. This concerns the documents that are classified accordingly as secret, the disclosure of which could well endanger the existence of the Federal Republic of Germany. In the case of the state welfare, however, other issues are also subsumed, namely simply the term, for example, the ability of the authorities to act to enforce applicable law. That means, at the moment when information about companies becomes clear or - we have given a few other reasons why we have not answered questions - when operations of the BND or the BfV would be endangered: These are just below Individual facts to be subsumed under the term state welfare. The continued existence of the Federal Republic of Germany is at most endangered by the fact that what exists in the form of secret information becomes known in detail. So that must be differentiated. Not everything that relates to the public welfare is directly and necessarily classified as secret, there are also lower classified, for example where the question of the precise content of source codes and other questions is involved, because it would of course be foreseeable with which methods one could, for example, fend off the sources TKÜ software and online search software used and generally use it as a free rider.

Chairman Andrea Lindholz (CDU / CSU): Looking at the clock, I may now ask you very briefly, but really only very briefly, because the answer is actually clear. Not everyone may like it, okay, I understand that from both sides, but the answer was given. That is why I would now like to ask you brief questions, because we will then have to close the session. So, let's start with Dr. from Notz.

Submission Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): Madam Chairperson, the answer was given, but it is not tenable.

Chairman Andrea Lindholz (CDU / CSU): That is an assessment.

Outg. Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): It absolutely leads to hell - -

Chairman Andrea Lindholz (CDU / CSU): I really ask for short questions, it is already 1:00 p.m.

Outg. Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): Because the news of - I don't know - arms companies is uncomfortable for Krauss-Maffei. If we get involved with the number, we will no longer receive any information about such orders.

Chairman Andrea Lindholz (CDU / CSU): Your question please.

Submission Dr. Konstantin von Notz (ALLIANCE 90 / THE GREENS): Mr. Könen, you know that yourself, the source code inspection and checking is a legal requirement according to the highest case law. You can say that the companies don't like that, but we still live in a constitutional state, thank God. This Parliament has to defend that here. You can't just not answer these questions. You said that it must then be secret, that is why we have the secret protection agency, it does not carry through what you are arguing here.

Chairman Andrea Lindholz (CDU / CSU): So, questions from the FDP, so which of the two of you now? Mr. Höferlin.

PSt Stephan Mayer (BMI): I have to go to the plenary for Question Time.

Chairman Andrea Lindholz (CDU / CSU): Yes, Mr Mayer has to go to Question Time now, please brief questions.

Submission Manuel Höferlin (FDP): Yeah, then we'll put that back on the next time, we don't have a problem with that.

Chairman Andrea Lindholz (CDU / CSU): No, the answer is there.

Outg. Manuel Höferlin (FDP): You haven't even answered the question about the number of cases in the ongoing process. This is not a piece of information worth keeping secret. We didn't want any information about the cases at all. This shows: You don't want to answer the questions because if there is a need for ongoing cases, then it concerns the content, but it is certainly not worth keeping secret, for example, to assess the number of cases that are currently running.

Then what Dr. von Notz said, you have to say something, how do you feel about the fact that you tend to say: Well, yes, we have jobs in the Bundestag where we can give secret information, e.g. that Parliamentary Control Body (PKGr), but we cannot do that here in the Interior Committee. But now the question that we are making does not concern the area of ​​the PKGr. It's not about the secret services, but specifically about the things we are concerned with. If you keep saying to us now: Well, it has such a high level of secrecy, we can't tell you, if it were secret services now, then you could tell the PKGr, but not us, the PKGr is not responsible and we are not told. How is that supposed to represent an orderly and democratic control of the German Bundestag vis-à-vis the executive?

Chairman Andrea Lindholz (CDU / CSU): Understand the question, then please give me a short answer and then I have to close the session.

PSt Stephan Mayer (BMI): Again, very briefly, I really ask for your understanding, I actually have to be in Question Time. We have pointed out that we provide information about closed cases.

Outg. Manuel Höferlin (FDP): The number of cases is not worth keeping secret.

PSt Stephan Mayer (BMI): I also ask for your understanding that we cannot provide information on the number of ongoing cases. As soon as the cases are closed, you will be informed immediately.

Outg. Manuel Höferlin (FDP): Why not now? What kind of need for secrecy is that with regard to the number?

PSt Stephan Mayer (BMI): Because, of course, one could possibly draw conclusions from the number of ongoing cases as to which cases are involved.

Outg. Manuel Höferlin (FDP): That's nonsense.

PSt Stephan Mayer (BMI): Okay thanks.

Chairman Andrea Lindholz (CDU / CSU): Well, then Mr. Mayer has to go now. Mr. Könen, do you have anything else to add? No. Then another week and see you Friday. The classification VS-NfD is hereby canceled.


Note: In a previous version of this article, a quote from Stephan Mayer (Parliamentary State Secretary in the Ministry of the Interior) was mistakenly attributed to Helmut Ujen (Head of the Competence Center for Information Technology Surveillance at the BKA). We have corrected the relevant text passage.

Would you like more critical reporting?

Our work at netzpolitik.org is financed almost exclusively by voluntary donations from our readers. With an editorial staff of currently 15 people, this enables us to journalistically work on many important topics and debates in a digital society. With your support, we can clarify even more, conduct investigative research much more often, provide more background information - and defend even more fundamental digital rights!

You too can support our work now with yours Donation.

About the author

other

Andre has been with netzpolitik.org since 2008 and has been a permanent employee since 2012. He mainly deals with investigative research. Andre studied social sciences at the Humboldt University in Berlin and obtained a bachelor's and master's degree on network policy topics. He is a founding member of the digital society, society for freedom rights and netzpolitik.org, member of the Chaos Computer Club and observer at European Digital Rights. He also works as a system administrator, e.g. he set up the first Frag Den Staat mail server and enjoys using it. And something about treason. || Contact:Email, OpenPGP, Twitter, Bitcoin.
Published 07/12/2018 at 8:47 am