Germany Moves Law Enforcement Access to Encrypted Mobile Devices

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

A German bill to allow law enforcement access to mobile device encrypted communications goes beyond what most Western countries allow, privacy attorneys told Bloomberg BNA.

The bill would create a legal framework to allow court-approved surveillance, the attorneys said. The bill cleared the lower house of Parliament June 22 and is expected July 7 to pass the upper house. It would need the president’s signature to become law. If enacted, the bill would take effect immediately.

Under the proposed law, companies that promise to keep user communications private, such as Facebook Inc.'s WhatsApp and Messenger, Open Whisper Systems’s Signal, and Telegram Messenger LLP, would face new challenges in Germany.

Germany has one of the strictest privacy regimes in the world and has been a strong advocate in the European Union of consumer privacy rights, but the anti-terrorism legislation would place national security ahead of personal privacy, attorneys say.

“Europeans, generally speaking, are more concerned with privacy rights than” U.S. citizens, Shawn Chang, privacy partner at Wiley Rein LLP in Washington and a former chief counsel in the U.S. House of Representatives, told Bloomberg BNA. “I am surprised that” Germany “would consider measures that would go so far,” he said.

Intercepting Communications

German law enforcement, specifically the Federal Criminal Police Office, are already authorized to hack into consumer devices in cases of imminent threat of terror attacks, attorneys said.

Under the new bill, the authority would be expanded to cover other “severe” crimes—from online betting fraud to murder. The measure would also expand the authority to other law enforcement agencies that now must get a court warrant to intercept text messages and phone calls to investigate specific crimes.

The present legal regime also allows for access to communications via telecommunications operators, which can only turn over encrypted consumer data from apps. But law enforcement doesn’t have a a way to decrypt the communications, attorneys said. Apps with end-to-end encryption options, such as Microsoft Corp.'s Skype and WhatsApp, pose difficult challenges for law enforcement. The bill seeks to change that, the attorneys said.

In the U.S., a standoff between Apple Inc. and the FBI over access to an encrypted terrorist’s iPhone hurled the issue to the forefront of the debate over balancing privacy and security. Congress is considering legislation in the area and the Trump administration supports forcing companies to create consumer encryption backdoors.

The bill would allow law enforcement to secretly hack into the devices of suspected criminals with programs that would intercept their ongoing communications in real time via logging keystrokes, recording audio, or taking screenshots.

A WhatApps spokesman, although declining to comment on the particular bill, told Bloomberg BNA that legislation doesn’t “include any attempts to crack our method of end-to-end encryption or to include backdoors.”

“The bill would not oblige the manufacturers or service providers to cooperate but would allow the government to use existing backdoors or security loopholes to access the device—they would be allowed by law to hack the phone,” Christoph Nuessing, a technology attorney with Morrison & Foerster’s Berlin office, told Bloomberg BNA.

“What’s new is that they could listen in on data while you are typing that would otherwise be encrypted—so it would circumvent any encryption that has been put into place—without having the phone in hand,” he said.

Constitutional Issues

Jorg Hladjk, privacy and data protection of counsel at Jones Day in Brussels, told Bloomberg BNA that the bill “opens up the big battlefield between safety, law enforcement and access to personal data on devices on one side, and data privacy on the other.” There may be issues with the legislation regarding constitutional privacy rights, he said.

Nuessing says the reach of the bill is likely to be struck down because of the degree to which it would intrude on individual rights: “Live ongoing communication is protected much more strictly than the seizure of data stored on a device,” he said.

In general, the U.S. has strict standards requiring law enforcement gain a warrant to seize or monitor personal data. The burden of proof for conducting live intercepts is very high, requiring a showing that there is no alternative, less intrusive manner to get the information, Jennifer Archie, a privacy and data protection partner at Latham & Watkins in Washignton, told Bloomberg BNA. “Everyone is sick of hearing that the U.S, doesn’t have privacy laws but we have the 4th amendment and that’s even better than European protections,” Archie said.

Lothar Determann, a data privacy and technology partner at Baker McKenzie in Palo Alto, Calif., told Bloomberg BNA that “legal protection against government surveillance is relatively strong in the United States compared to many European jurisdictions, including Germany.”

To contact the reporter on this story: Jabeen Bhatti in Berlin at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The bill is available, in German, at http://dip21.bundestag.de/dip21/btd/18/127/1812785.pdf.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security