Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
Germany has a rigorous framework for the use of “state trojans”, which are government hacking tools permitted under tightly controlled conditions. Since 2008, federal law has authorized state hacking by police in situations involving international terrorism and for preventing terror attacks. In 2008, the Federal Constitutional Court set important boundaries for IT surveillance, distinguishing between “online searches” (secret access to stored data) and “telecommunication surveillance” (tracking ongoing communication), with stricter limits on the former due to its intrusive nature (Decision BvR 370/07). In 2017, a new law expanded the use of state hacking to all law enforcement agencies for investigating 42 types of criminal offenses, such as submitting fraudulent asylum claims, tax evasion, and drug-related crimes. Finally, in July 2021, a law (Gesetz zur Anpassung des Verfassungsschutzrechts) came into force that grants all 19 German intelligence services (16 of the Länder and 3 federal ones) the right to use state trojans to read ongoing communication on computers or smartphones and even past communication data.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
Article 100b of the Code of Criminal Procedure provides a narrower list of crimes (compared to Article 100a) for which the use of spyware is allowed. Moreover, Article 49 § 1 of the Federal Criminal Police Office Act allows the Federal Criminal Police Office to access IT systems only if certain facts justify the assumption that there is a danger to (i) the body, life or liberty of a person or (ii) such public goods the threat to which affects the foundations or the existence of the federation or a country, or the foundations of human existence.
3. What kind of data, if any, could be collected with spyware?
The Federal Constitutional Court places strict limits on online searches, especially when they intrude into core areas of private life. Telecommunication surveillance, which involves monitoring active communications, is subject to fewer restrictions but still requires clear, proportional legal authorization. In contrast, covert searches of IT systems are generally allowed only when there is a direct and serious threat to life, freedom, or crucial public interests. These searches must have judicial approval and safeguard private life.
4. Has there been any official evaluation of the need for, or added value of, spyware?
/
5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
According to Section 49 (4) BKAG, the Federal Criminal Police Office (BKA) may only intervene in the information technology systems used by suspects and collect data from them without the knowledge of the person concerned at the request of the President of the Federal Criminal Police Office or, alternatively, by authorisation from the court. Moreover, Sections 100a and 100b of the Strafprozeßordnung (StPO) prescribe that telecommunications surveillance and online searches may only be ordered by the court at the request of the public prosecutor’s office. Under strict circumstances provided by law, the order can also be issued by the public prosecutor’s office. However, if the order of the public prosecutor’s office is not confirmed by the court within three working days, it becomes ineffective.
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
Oversight includes both judicial and independent executive authorization bodies. More specifically, the G10 Commission and the Independent Oversight Council play a key role in the oversight of the security services. For instance, the Independent Oversight Council acts as an administrative oversight body for ex post oversight. Its members are six judges of the Federal Supreme Court and/or the Federal Administrative Court, who are elected by the Parliamentary Oversight Panel for 12 years.
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?
On the one hand, Section 101 of the Code of Criminal Procedure prescribes a notification mechanism for targeted surveillance measures in the framework of criminal proceedings. On the other hand, Section 59 of the Federal Intelligence Service Act and Section 12 of the Article 10 Act regulate a system of notification in cases of targeted surveillance carried out by the security services.
Germany
According to Article 100e § 2 of the Code of Criminal Procedure, the time limit for the use of spyware in criminal proceedings is one month. However, after a total period of six months it is the higher regional court which decides on any further extension orders. In the case of intelligence investigations, the time limit is three months (Article 49 § 6(3) of the Federal Criminal Police Office Act). In that case, an extension by no more than three months is allowed.
In Germany third parties who are sufficiently linked to the main target can also be the object of spyware surveillance. Pursuant to Article 100b § 3, the use of spyware is allowed where it is to be assumed, on the basis of certain facts, that: (i) the accused uses the other person’s information technology systems; and (ii) the interference with the accused’s information technology systems alone will not lead to the establishment of the facts or to the determination of the whereabouts of a co-accused. See also Article 49 § 3 of the Federal Criminal Police Office Act (when unavoidable).
Federal laws govern broader anti-terrorism measures, primarily via the Federal Criminal Police Office and the intelligence services. The individual German states (Länder) have their own police laws regulating preventive surveillance.
Authorisation of targeted surveillance measures in intelligence investigations is entrusted to the executive, backed up by an independent authorisation body. Indeed, the federal intelligence services are not permitted to carry out telecommunications interceptions at source until they have received orders from the Federal Ministry of the Interior and Community and the operation has been cleared by the G10 Commission (a commission of five members appointed by the Parliamentary Oversight Panel, at least three of whom must be qualified to hold judicial office), while the Federal Intelligence Service (BND) requires clearance from the Independent Oversight Council (Unabhängiger Kontrollrat) before it can undertake computer network exploitation measures.
Moreover, Germany also has parliamentary oversight of the activities of the intelligence agencies. Among its tasks, the Bundestag’s Parliamentary Oversight Panel scrutinises the federal intelligence agencies and selects the members of the G10 Commission. The Ministry of the Interior shall also inform the Panel of the implementation and use of the G10 Act (at least biannually).
According to Section 74 (6) of the BKAG, persons affected by covert intervention in information technology systems (as defined in Section 49 BKAG) must be notified. Moreover, according to Section 74 (2) BKAG, notification is given by the Federal Criminal Police Office as soon as this is possible. Under certain conditions, deferrals and extensions are allowed.