Digital policy and the recurring state trojans
In the future, intelligence services will be allowed to use malware to spy on suspects' cell phones. This is not a new idea. According to Seehofer, the "draft of a law for the adaptation of the constitutional protection law" is supposed to be an overdue step in the fight against terrorists and right-wing extremists. For years, attempts have been made to legalize such action under the term "state trojan". But these attempts have mostly failed because of the authorities themselves.
The pattern the Ministry of the Interior uses is well known: a comprehensible purpose - the security of society - is supposed to justify this invasive intervention. But the harm is not limited to those it is aimed at. And the fact that it is the very Ministry of the Interior that vehemently rejects a study on racism in the police force which now wants to pursue right-wing extremist structures in the public service clearly shows that quite different interests are actually at play here.
The proposed approach
Messaging services such as Signal, Threema and WhatsApp transmit their data in encrypted form. If malicious software is installed at the source of the communication, i.e. the cell phone, PC or tablet, that software can read the communication before it is encrypted or after it has been decrypted. The installation could be disguised as a software update. In this way, persons who are under general suspicion or suspected of a crime are to be spied on digitally. The crazy thing about it: telecommunications providers (such as Telekom) are to be obliged to support the authorities by helping to smuggle in the spy software.
Data protection concerns
For years, various authorities have been trying to expand the scope of action for investigating authorities. So far, the Federal Court has set strict guidelines for digital surveillance, but since 2017 the police have had considerable leeway.[1] For years, data protection advocates have also been warning that such trojans are technically illusory: a sharp distinction between ongoing communication - the actual target of the investigations - and the rest of the data on the device is not possible. The verdict is also problematic in other respects:
The verdict is dominated by a notion of information technology systems that refers to concrete technical devices, social networks, e-mail providers and the cloud. But targeted systems with IP addresses are not limited to laptops or cell phones: they could be cars, power plants, emergency call boxes or pacemakers. This means not only that the most personal data could be tapped, but that there could actually be danger to life and limb if such systems were infiltrated.[2]
In addition, the vulnerabilities that the software exploits in order to be installed on the device also make the device more vulnerable to other attacks, because the same unpatched flaws are available to anyone else who discovers them. It should be the government's intention to close these vulnerabilities, not to keep them open.
The draft can be read here (in German): https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/Downloads/referentenentwuerfe/anpassung-des-verfassungsschutzrechts.html
[1] Cf. https://www.zeit.de/digital/datenschutz/2020-10/ueberwachung-geheimdienste-datensschutz-warnung-staatstrojaner-bundesregierung-schadsoftware/komplettansicht