Thoughts about Internet Surveillance

This blog post is not directly KDE related, but is about freedom in the broader scope. Obviously like all my blog posts this post only represents my personal opinion and not of any organization I am a member of.

Privacy has a long tradition in modern Germany. In 1983 the German government wanted to organize a census and drafted a law for this census. People protested against this law in front of Germany’s highest court Bundesverfassungsgericht (“federal constitutional court”). The court did not only stop the census but went much further and did something which has never happened before in German history: the court created a new civil right directly derived from the other civil rights. The civil right on “informationelle Selbstbestimmung” (“informational self-determination”). I quote verbatim the new civil right directly from the verdict:

Das Grundrecht gewährleistet insoweit die Befugnis des Einzelnen, grundsätzlich selbst über die Preisgabe und Verwendung seiner persönlichen Daten zu bestimmen. (in English: “This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data.”)

Furthermore I want to quote one part of the verdict as it’s rather important in the current discussion about governmental surveillance:

Wer nicht mit hinreichender Sicherheit überschauen kann, welche ihn betreffende Informationen in bestimmten Bereichen seiner sozialen Umwelt bekannt sind, und wer das Wissen möglicher Kommunikationspartner nicht einigermaßen abzuschätzen vermag, kann in seiner Freiheit wesentlich gehemmt werden, aus eigener Selbstbestimmung zu planen oder zu entscheiden. Mit dem Recht auf informationelle Selbstbestimmung wären eine Gesellschaftsordnung und eine diese ermöglichende Rechtsordnung nicht vereinbar, in der Bürger nicht mehr wissen können, wer was wann und bei welcher Gelegenheit über sie weiß. Wer unsicher ist, ob abweichende Verhaltensweisen jederzeit notiert und als Information dauerhaft gespeichert, verwendet oder weitergegeben werden, wird versuchen, nicht durch solche Verhaltensweisen aufzufallen. Wer damit rechnet, daß etwa die Teilnahme an einer Versammlung oder einer Bürgerinitiative behördlich registriert wird und daß ihm dadurch Risiken entstehen können, wird möglicherweise auf eine Ausübung seiner entsprechenden Grundrechte (Art 8, 9 GG) verzichten. Dies würde nicht nur die individuellen Entfaltungschancen des Einzelnen beeinträchtigen, sondern auch das Gemeinwohl, weil Selbstbestimmung eine elementare Funktionsbedingung eines auf Handlungsfähigkeit und Mitwirkungsfähigkeit seiner Bürger begründeten freiheitlichen demokratischen Gemeinwesens ist.

I am sorry that I cannot translate this into English. To paraphrase it says that if you don’t know who has which data and whether the government will gather data about you, you will stop to do certain actions and you will no longer go to demonstrations for example – it describes the chilling effect. The court acknowledges that this renders a high threat for overall democracy. To put it in the context of our current global surveillance situation: I did consider whether it is safe to click links to the guardian as I can be sure that this will be registered and by that I render the risk that I might not be allowed to enter the US the next time I want to travel to the US.

Although this civil right never entered the “Grundgesetz” (Basic Laws – the German “constitution”) it is very important and clearly influenced the German society over the last three decades. For example if you sign up to a new service you always have to sign a privacy policy telling you how the service is going to make use of your private data. You always have to opt-in to newsletters, etc. – it’s never an opt-out. My major during my studies was IT security and this was not just about how to protect data, it was also about how to protect the privacy of your users. The main idea is that you don’t gather private data you don’t need in the first place (“Datensparsamkeit” and “Datenvermeidung” – “data reduction and data economy”). During my studies we once had a lecture in which the (non German) tutor wanted us to implement an e-shop which tracks where the user clicked and store it per user. The complete class protested because that would violate the user’s right of informational self-determination.

To make another bridge to the current surveillance discussion I want to fast forward to the year 2010 and again the Bundesverfassungsgericht has an important role. Germany had established as demanded by the European Union a data retention system which stored for half a year meta data about telephone calls and internet communications (ip addresses, email headers, etc.). As it’s rather obvious this conflicts with the right for informational self-determination and people protested against this law at the Bundesverfassungsgericht. For the first time it was not just one or a few persons but 34,939 people protested against this law in front of Germany’s highest court. The reader of this blog post might not be surprised, that I was one of those. The verdict was very clear: the law is violating Germany’s constitution and is void. The telcos had to delete all data gathered up to this point immediatelly. In the tradition of the ruling of this court this was a rather strict verdict – normally the government gets some time to improve the law and it only becomes void after some time passed if the government doesn’t improve the law to make it suit the constitution. Although the EU demands that we have the data retention no new law got drafted – after the current NSA scandal, I do not see a chance even after the elections.

Again I want to quote the verdict verbatim:

Die Vorratsdatenspeicherung ermögliche Persönlichkeitsbilder mit einer noch nie dagewesenen Genauigkeit. Die Kommunikationsdaten seien inhaltlich äußerst aussagekräftig. Der Zugriff auf die näheren Umstände der Telekommunikation wiege nicht weniger schwer als der auf den Kommunikationsinhalt. Er ermögliche umfassende Persönlichkeits- und Verhaltensprofile. Verkehrsdaten lieferten eine Vielzahl von Informationen über soziale Beziehungen.

Die Vorratsdatenspeicherung erhöhe außerdem das Risiko, zu Unrecht Ermittlungsmaßnahmen ausgesetzt oder unschuldig verurteilt zu werden, und die Gefahr des Datenmissbrauchs. Verkehrsdaten könnten gezielt gegen missliebige Personen eingesetzt werden und eigneten sich zur Kontrolle von Personen und Gruppierungen ebenso wie zur Wirtschaftsspionage. Nur das Absehen von der Datenspeicherung schütze wirksam vor Missbrauch.

An attempt for translating to English (German readers are encouraged to provide improvements to the tranlation in the comment section):

Data preservation allows to create a picture about a personality with a precision which has never been possible before. The data about communication is with regards to content very significant. The access to the meta data about communication is not less severe than the direct access to the content of the communication. This access allows to create broad profiles about personality and behaviour. Telecommunication meta data provides lots of information about social relations.

Data retention also creates the risk to wrongly become a suspect of preliminary proceedings and to be innocently convicted as well as the risk of abuse of data. Meta data can be used directly against personas non grata and can be used to control persons and groups as well as be used for economic espionage. Only not storing the data in the first place protects effectively against abuse.

I have huge respect for the wise decisions of our highest court and how they are able to see the dangers of governmental surveillance for the people and the democracy. Also the court appoints great experts like for example the German Chaos Computer Club. One of the experts appointed by the court was the superviser of my master thesis and I attended a few lectures (e.g. Operating Systems, IT security, IT forensic) at his institute.

The discussion about the verdicts of the Bundesverfassungsgericht needs to include one further verdict from 2008. People protested against a law in the German state North Rhine-Westphalia. This law allowed the secret service of the state to secretly observe the Internet (it sounds quite like what we are currently discussing). Like 1983 the court did not just dismiss the law but also drafted for the second time a new civil right in its verdict: the civil right for “Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme” (“Warranty for confidentiality and integrity of IT systems”). The court made it quite clear when the government is allowed to do Internet surveillance. There must be an actual evidence for a concrete danger against a protected interest of paramount importance. With other words just saying “but the terrorists” is not a concrete danger to spy on all your people. Also any violation of this civil right must be signed by a judge. The verdict also makes clear that the Internet as such is considered as an IT system and that it is a central part of the life of many citizens.

As you see the protection of private data in the Internet is protected by several civil rights in Germany. Two of them have been crafted by the German constitutional court – so to say the German people had to fight for these rights. I personally consider these rights as to be of paramount importance because we had to earn them first. Also this discussion should show that the German government also tried to limit our rights and to establish Internet surveillance but that we as the people are able to fight against such illegal laws and forbid the state to do so.

I am not willing to surrender and give up these essential freedoms. I do not tolerate that foreign governments are limiting my civil rights in Germany with Internet surveillance in a way or even more severe than what our constitutional court forbid our government – I fought against data retention a few years ago after all. Given the latest discussion it seems like Level 3 Communications is doing the espionage in Germany for the US government (given some reactions by Level 3 it is considered that they already claimed guilty – they do not permit access to foreign governments). This is not just violating our civil rights, it is also forbidden given German penal law. We have the so-called “hacker laws” which forbid to access third party data. While writing this blog post I am listening to radio and the news told me that the German federal prosecutor office is considering to start preliminary proceedings in the case NSA. I do hope that this will end up in convictions against the persons responsible for this in Germany and if possible even in the UK, USA and any other affected state.

I hope that everybody fights for their freedom. We should not tollerate that in the name of terrorismn our civil rights are limited. I am not a terrorist and there is no reason to track all my online communication in the fight of terrorismn:

They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.

Especially to my readers in UK and USA: fight for our rights. Do not tollerate that your government is spying on people of other countries. We are not second class humans! Help us! Fight for us! Protest against your government! Fight for our freedom, fight for your freedom! Not even 23 years ago part of the German people had to live in an Unrechtsstaat with strong surveillance of the people by the Ministry of State Security. Former members of the Stasi say today that they would have loved to have the capabilities the NSA has today – it’s some food for thoughts. If you want to get a feeling about what surveillance means I highly recommend to watch the excellent Academy Award winning movie The Lives of the Others.

15 thoughts on “Thoughts about Internet Surveillance”

  1. Thanks for a solid Constitutional Law blogpost. I think I should start learning German to study BVerfG decisions directly in German, but, while I do that, where are the BVerfG rulings themselves? I’m sure that I’ll find a SJD, with a Doctorate degree obtained in Germany, who will point me to an accurate Spanish translation for those rulings. This is a quite interesting topic, and the German vision of civil rights about data will serve me well if I want to raise the topic against a data-manipulating firm in Chile, in court.

    1. The respective rulings are linked in the article. I simply found them by google. The best place for German law related material is dejure.org – note: all laws and rulings in Germany are public domain.

        1. “The company is based in Paoli, Pennsylvania, United States in Greater Philadelphia” – sorry, but if the government demands them to give them data all the good claims won’t help. After all Google still claims not to be evil.

              1. I my opinion there is more reason to trust duckduckgo then google. google has proven often enough that they are evil. So i will not search there anymore.

  2. The UK, it is said, has the most video surveillance (CCTV) in city centres. In my city, when CCTV was first introduced petty crime (theft) moved from the city centre to the suburbs (with no video cameras) – theft from shops reduced, but theft from homes increased – there was only a temporary discouragement. Having ugly CCTV cameras in the city, implies the city is unsafe and the people have low moral standards, which causes many people to vacate the city centre leaving the people with drink/drug addiction and low income problems, hence making the city feel less safe. When crime does occur, CCTV seems ineffective at getting the police to the incident in time and providing evidence to catch the criminals afterwards.

    My point, CCTV lowers the quality of life for normal people, and criminals just hide their identity with hoodies and hats, which is an echo of your point about the loss of rights by everyone and the criminals encrypting their communication.

    I think, having to worry about personal privacy, saps your mental energy (resource) and makes you less creative in the tasks you want to do.

    1. I quite agree about the point with CCTV. The city where I live in used to be one of the first with CCTV in Germany. When I moved there I was a little bit afraid because it had a bad reputation (crime is so bad that it needs CCTV). Nowadays most of the CCTV is disabled because the crime has gone (and not just moved to the next street) – that this had anything to do with CCTV is highly unlikely.

  3. A few days ago, someone (I think it was a NSA guy, unfortunately I don’t remeber who or what exactly, but at least someone official) said on TV, that they can access every computer in the world if they want/need to. This statement gave me quite an uncomfortable feeling in my stomach, and I’m really wondering, if this is true, because I can’t really believe that. Also, he didn’t say if this means: “We need this machine, let’s look in our database” or “We need this machine, let’s assign some of our specialists to it.”
    The latter would be at least a little better than the first, but still… Not very desirable in my eyes.
    So is this somehow near realistic or just an exaggeration?

      1. Yeah, that’s propietary software. but I’m more concerned about free software, eg Linux, what I’m using. When he claimed “every”, I was wondering if they also have the possibility to gain access to Linux/bsd/whatever-free-os computers…

        1. IIRC Zierke once claimed that the Bundestrojaner is ultimativ and can handle all OS. In practice the Staatstrojaner analysed by the CCC was very Windows specific. I cannot say that they cannot do it, but I am sure it it way more difficult as you cannot just walk to Debian and say “we need that”.

Comments are closed.