
UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
THE GERMAN TELECOMMUNICATION ACT (TELEKOMMUNIKATIONSGESETZ)
The German Telecommunication Act (TKG) requires certain operators of telecommunication systems used to provide telecommunication services to the public to maintain technical and organisational capabilities to execute interception measures provided for by law (Section 110 TKG).
Section 110 TKG requires operators of telecommunication systems used to provide telecommunication services to the public (as further specified in Section 3 TKG) to maintain the technical facilities, and to make the organisational arrangements to execute telecommunication interception measures expressly provided for by law. This includes the obligation to maintain interception capabilities to execute any interception order without delay (including, in particular, handing over a copy of the requested communication). More detailed requirements and specifications, including required technical and organisational standards, are set forth in the Telecommunications Interception Ordinance (Telekommunikations-Überwachungsverordnung – TKÜV) and the corresponding Technical Directive issued thereunder (Technische Richtlinie zur Umsetzung gesetzlicher Maßnahmen zur Überwachung der Telekommunikation und zum Auskunftsersuchen für Verkehrsdaten – TR-TKÜV).
There are a number of legal statutes that can serve as a legal basis to request the implementation of interception measures, as, for instance, StPO, G10, ZFdG, BKAG and the Police Acts of the federal states as detailed below.
CODE OF CRIMINAL PROCEDURE (“STPO”)
The measures pursuant to Section 100a Strafprozessordnung (StPO) require a prior court order following an application by the public prosecutor’s office (or, in relation to tax offences, the tax authority); yet, in pressing circumstances, the public prosecutor’s office may also issue an order, which must be confirmed by the court within three working days in order not to become ineffective (Section 100b(1) StPO).
An order may only be granted in cases where certain facts give rise to the suspicion that a serious criminal offence referred to in Section 100a(2) StPO has been committed (or, in cases where there is criminal liability for an attempt, there was an attempt to commit such an offence, or such offence had been prepared by committing a criminal offence), and the offence is one of particular gravity in the individual case as well, and other means of establishing the facts or determining the accused person’s whereabouts would be significantly more difficult or even futile (Section 100a(1) StPO).
The measures may only be directed against the accused person or against persons in respect of whom it may be assumed, on the basis of certain facts, that they are receiving or transmitting messages intended for, or stemming from, the accused person, or that the accused person is using their telephone connection (Section 100a(3) StPO).
All persons providing, or contributing to the provision of, telecommunications services on a commercial basis are required to assist the public prosecutor’s office (and certain officials working in the police force or, in relation to tax offences, the tax authority) to implement the necessary measures required for the interception/recording of the communication and to provide all necessary information without delay (Section 100b(3) StPO). The measures to be taken are further specified by Section 110 TKG and the TKÜV/TR-TKÜV.
ARTICLE 10 ACT (ARTIKEL 10-GESETZ – G10)
An order under Section 3 G10 may be granted where actual facts give rise to the suspicion that a serious criminal offence directed against the free democratic basic order or the existence or safety of the Federal Republic of Germany or its federal states (as listed in Section 3(1) G10) will be, is being or has been committed. It may also be granted if a person is part of a group having the purpose of committing such crimes, and the investigation of the facts by other means would be significantly more difficult or even futile.
Measures may be directed against the suspect or a third person who, on the basis of certain facts, is reasonably suspected of receiving or forwarding messages intended for, or stemming from, the suspect (Section 3(2) G10; ‘individual interception’).
An order under Section 5 (for bundled telecommunications) or Section 8 G10 may be granted where the intercepted information is necessary in order to prevent the danger of an armed attack or terrorist attacks on Germany, international drug trafficking, money laundering or similar crimes that will have an impact on German territory (as listed in Section 5(1) G10). It may also be granted to prevent the danger to the life or physical integrity of a person abroad, if such danger directly affects German interests (Section 8 G10).
The interception measures under Section 5 and 8 G10 are not directed at a specific individual. Rather, certain geographic regions are defined as intelligence areas (Aufklärungsgebiete), allowing the Federal Intelligence Service to monitor the communication in this area by using certain suitable search terms (Section 5(2) and 8(3) G10; ‘strategic interception’).
The telecommunication service provider must allow the Intelligence Service to install the relevant technical capabilities on its premises and must grant access to the relevant employees of the Federal Intelligence Service as well as the G10 Commission (Section 110(1) No. 5 TKG and Section 27 TKÜV). The measures to be taken are further specified by the TKÜV/TR-TKÜV.
However, these technical capabilities do not constitute ‘interception capabilities’ in the direct sense of the term. Rather, the interception itself still has to be performed by the telecommunication provider, which then (electronically) hands over a so-called ‘interception copy’ (Überwachungskopie) of the communication to the Federal Intelligence Service. The communication is filtered by special equipment with the help of pre-defined search terms, and the irrelevant part of the interception copy has to be deleted before the relevant part is passed on to the Federal Intelligence Service.
All persons providing, or contributing to the provision of, telecommunications services on a commercial basis are required to implement the measures to enable the interception/recording of the communication (Section 2(1) G10). The measures to be taken are further specified by Section 110 TKG and the TKÜV/TR-TKÜV.
CUSTOMS INVESTIGATIONS SERVICES ACT (ZFDG)
Similar rules as under Section 100a and 100b StPO apply under Section 23a and 23b of the ZFdG (which follow the structure and principles of the StPO).
FEDERAL CRIMINAL POLICE OFFICE ACT (BKAG)
Interception orders under Section 20l BKAG are granted via court order upon request by the President of the Federal Criminal Police Office (Section 20l(3) BKAG). Under pressing circumstances, the President of the Federal Criminal Police Office himself can grant the order but has to obtain judicial approval.
Pursuant to Section 20l(1) BKAG, interception orders may be granted in case of imminent danger to the existence or safety of the Federal Republic of Germany, or to the life, physical integrity or freedom of a person, or to objects of substantial value if it lies in the public interest to preserve such objects, or for the purpose of fending off terrorist attacks if there is no other suitable way to prevent such dangers.
All persons providing, or contributing to the provision of, telecommunications services are required to assist the Federal Criminal Police Office to implement the necessary measures required for the interception/recording of the communication and to provide all necessary information without delay (Section 20l(5) BKAG). The measures to be taken are further specified by Section 110 TKG and the TKÜV/TR-TKÜV.
POLICE ACTS OF THE FEDERAL STATES
Every German federal state has its own Police Act. These Acts in most cases also set forth similar powers for the state police offices as the BKAG does for the Federal Criminal Police Office, as necessary in order to prevent an imminent danger to the life or physical integrity of a person or in similar precarious situations (see, eg Section 34a, 34b of the Bavarian Police Act, ‘BayPAG’). The measures to be taken by the operators of telecommunication systems in assistance of the interception under these state laws are again further specified by Section 110 TKG and the TKÜV/TR-TKÜV.
In Germany, there appear to be no specific laws that grant government and law enforcement agencies the legal powers to mandate direct access into a telecommunication service provider’s network without the operational control or oversight of the telecommunication service provider.
Disclosure of Communications Data
THE GERMAN TELECOMMUNICATION ACT (TELEKOMMUNIKATIONSGESETZ)
The German Telecommunications Act (TKG) requires any person providing, or contributing to the provision of, telecommunication services on a commercial basis to provide certain subscriber, line identification and other data upon manual information requests from a range of law enforcement agencies, foreign and domestic intelligence services and other public authorities, where such requests can be based on a legal statutory authorisation (Section 113 TKG).
In addition, Section 112 TKG requires certain providers of publicly available telecommunication services to store certain subscriber, line identification and other data in customer data files to answer automated information requests (handled through the Federal Network Agency, Bundesnetzagentur – BNetzA) by courts and a range of public authorities.
CODE OF CRIMINAL PROCEDURE
The Code of Criminal Procedure, or Strafprozessordnung (StPO), further gives the public prosecutor’s office (and, in relation to tax offences, the tax authority) the power to acquire certain traffic data relating to customer communications (Section 100g StPO). Similar powers as under Section 100g StPO are granted to the Customs Criminal Investigation Officer under Section 23g ZFdG; to the Federal Criminal Police Office under Section 20m BKAG; to the Federal Office for the Protection of the Constitution under Section 8a BVerfSchG; to the Military Counterintelligence Service under Section 4a MADG; and to the Federal Intelligence Service under Section 2a BNDG.
In addition, certain metadata relating to the circumstances of the communication can be obtained by law enforcement agencies, intelligence agencies and other public authorities entitled under the respective legislative instruments, as part of the interception measures ordered according to Section 100a StPO, Section 20l BKAG, Section 3 G10, Section 23a ZFdG and the respective provisions in the Police Acts of the federal states (see Section 5 and 7 TKÜV). Similar principles apply to measures under Section 5 and 8 G10 (Section 2(1) G10).
SUBSCRIBER DATA, LINE IDENTIFICATION AND OTHER DATA
Section 113 TKG requires any person providing, or contributing to the provision of, telecommunication services on a commercial basis to provide certain subscriber, line identification and other data (specified in Section 95 and 111 TKG) to certain public authorities listed in Section 113(3) TKG (law enforcement agencies, foreign and domestic intelligence services, and other public authorities), as far as necessary for the prosecution of criminal or administrative offences, for averting danger to public safety or order, and/or for the discharge of the legal functions of such agencies.
The request must be made in text form (except in pressing circumstances) and be based on an express legal authorisation. Respective authorisations (which may stipulate further requirements) are, for example, set out in Section 100j StPO, Section 7 and 15 ZFdG, Section 7, 20b and 22 BKAG, Section 22a BPolG, Section 8d BVerfSchG, Section 4b MADG and Section 2b BNDG.
Section 100j StPO gives the public prosecutor’s office (and, in relation to tax offences, the tax authority) the power to request, as part of its criminal investigative powers, certain subscriber, line identification and other data, including access control codes (Section 95 and 111 TKG), where the requested information is necessary to establish the facts or determine the whereabouts of the accused person. Where the information request is directed to obtain access control codes, a prior court order following an application by the public prosecutor’s office is required; yet, in pressing circumstances, the public prosecutor’s office (or certain officials assisting the prosecutor) may also issue an order, which needs to be confirmed by the court without delay. A prior order is not required where the person affected by the request already has or must have knowledge of the request for information or if the use of the data has already been permitted by a court decision.
Similar principles as under Section 100j StPO apply for information requests under the other instruments according to Section 7 and 15 ZFdG, Section 7, 20b and 22 BKAG, Section 22a BPolG, Section 8d BVerfSchG, Section 4b MADG and Section 2b BNDG, as far as the request is necessary for the fulfilment of the respective purposes (eg customs control, the prevention of dangers against the free democratic basic order, terrorist attacks or espionage affairs).
Section 112 TKG requires any provider of publicly available telecommunication services (that in providing commercial telecommunication services allocates telephone numbers or other line identifications or provides telecommunication connections for telephone numbers or other line identifications allocated by others) to store certain subscriber, line identification and other data (specified in Section 111(1) and (2) TKG) in customer data files. These data files must be made available to the BNetzA by means of an automated procedure as necessary for the prosecution of administrative offences under the TKG or the Act Against Unfair Competition (Gesetz gegen unlauteren Wettbewerb – UWG) and for answering information requests by certain public authorities (listed in Section 112(2) TKG). Section 112(5) TKG requires the telecommunication services provider to make the technical arrangements in its area of responsibility as required for handling the automated information requests.
The public authorities may only request information from the customer data files, as far as such information is necessary for the discharge of their legal functions (as specified by different legal statutes, such as the StPO, BKAG, ZFdG, BNDG, MADG, BVerfSchG, federal and state Acts on the Protection of the Constitution, and Police Acts on federal and state level). The information request by such public authorities must be made by means of an automated procedure to the Federal Network Agency, which will retrieve and forward such information.
TRAFFIC DATA
Section 100g StPO gives the public prosecutor’s office (and, in relation to tax offences, the tax authority) the power to obtain traffic data, also without the knowledge of the person concerned.
The measures pursuant to Section 100g StPO require a prior court order following an application by the public prosecutor’s office (or, in relation to tax offences, the tax authority); yet, in pressing circumstances, the public prosecutor’s office may also issue an order, which must be confirmed by the court within three working days in order not to become ineffective (Section 100g(2) and 100b(1) StPO).
An order may only be granted where certain facts give rise to the suspicion that a person has either committed a criminal offence of substantial significance in the individual case as well (or, in cases where there is criminal liability for an attempt, there was an attempt to commit such an offence, or such offence had been prepared by committing a criminal offence), or has committed a criminal offence by means of telecommunication, and access to the data is necessary to establish the facts or determine the accused person’s whereabouts (and further requirements are met).
The measures may be directed only against the accused person or against persons in respect of whom it may be assumed, on the basis of certain facts, that they are receiving or transmitting messages intended for, or transmitted by, the accused person, or that the accused person is using their telephone connection (Section 100g(2) and 100a(3) StPO).
All persons providing, or contributing to the provision of, telecommunications services on a commercial basis are required to assist the public prosecutor’s office (as well as certain officials working in the police force or, in relation to tax offences, the tax authority) and to provide all necessary information without delay (Section 100g(2) and 100b(3) StPO).
Similar principles as under Section 100g StPO apply for information requests under:
- Section 23g ZFdG and Section 20m BKAG; and
- Section 8a BVerfSchG, Section 4a MADG and Section 2a BNDG (though only an order by the Ministry of the Interior is required).
In addition, traffic data can be obtained by law enforcement agencies, intelligence agencies and other public authorities entitled under the respective legislative instruments, as part of the interception measures ordered according to Section 100a StPO, Section 20l BKAG, Section 3 G10, Section 23a ZFdG and the respective provisions in the Police Acts of the federal states (see Section 5 and 7 TKÜV). Similar principles apply to measures under Section 5 and 8 G10 (Section 2(1) G10).
The StPO gives courts and public prosecutors (and certain officials assisting the prosecutor’s office and, in relation to tax offences, the tax authority) the power to request, as part of their criminal investigative powers, the disclosure and, as necessary, the seizure of stored customer communications (Section 94 et seqq., 98 StPO). This applies to emails on the provider’s mail server and likely also applies to voicemails and similar communications stored by the provider.
Where the content of customer communications is yet to be considered part of an ongoing telecommunication process, then the content of the communication may only be accessed by means of an interception order according to Section 100a and 100b StPO. This also comprises communications that are placed in or retrieved from a storage facility, which is assigned to the primary identification that is to be intercepted (Section 5(1) No. 3 TKÜV).
The request for disclosure under Section 94 and 95 StPO does not require a prior judicial order. Where the request is not complied with, the public prosecutor’s office (or, in relation to tax offences, the tax authority) may initiate the formal seizure of the stored communication according to Section 94 ff., 98 StPO.
The seizure of stored communications requires a prior court order; yet, in exigent circumstances, the public prosecutor’s office (or certain officials assisting the prosecutor’s office) may also issue an order. An official who has seized the communication without a prior court order must apply for a court confirmation within three days if neither the person concerned nor a relative was present at the time of seizing the information (or such persons have declared their objection). The person concerned by the seizure may request a court decision at any time (Section 98 StPO).
The order may be granted where there is sufficient probability of a suspicion of a criminal offence and the stored communication may be of importance as evidence for the criminal investigation (subject to a strict proportionality test and a balancing of all the interests involved).
National Security and Emergency Powers
Except as already outlined above, the German government does not have the legal authority to invoke special powers in relation to access to a communication service provider’s customer data and/or network on the grounds of national security.
German government agencies do not have special powers that can be invoked in time of national crisis or emergency.
Oversight of the Use of Powers
CODE OF CRIMINAL PROCEDURE (StPO)
As well as what is set out above, according to Section 101 StPO, the participants in the telecommunication under surveillance must be notified of any interception measures, including their option to obtain subsequent court relief, unless there are overriding conflicting interests of an affected person. Notification must take place as soon as it can be effected without endangering the purpose of the investigation or the life, the physical integrity and/or personal liberty of a person, or significant assets. For up to two weeks following their notification, the participants may apply to the competent court for a review of the lawfulness of the measure, as well as of the manner and means of its implementation. The participants may file a complaint against the court’s decision.
There is a dispute if and to what extent the operator of a telecommunication system is entitled to file a complaint (according to Section 98(2) or 304(2) StPO) against an interception order issued under Section 100a StPO, though it is recognised that there is no legal obligation to verify or challenge the lawfulness of an interception order.
ARTICLE 10 ACT
There is no ex-ante judicial control for measures under the Article 10 Act, ie no court order or warrant is required. However, the interception measures pursuant to Section 3, 5 and 8 G10 require a written order by the Ministry of the Interior (or the relevant highest state authority) following an application by one of the public authorities authorised under the respective provision.
In addition, the so-called G10 Commission may at any time examine – following a complaint or also of its own volition – the admissibility and necessity of the ordered measures.
There are no legal remedies available for a person concerned by an interception measure under Section 3 G10 as long as such measure is not yet communicated to the person (Section 13 G10). After this communication, the person concerned can challenge the interception order before the administrative courts. A communication to the concerned person shall be made after the measure has been completed, unless such communication may endanger the purpose of the interception measure or may cause overall harm for the wellbeing of the federation or its states.
CUSTOMS INVESTIGATIONS SERVICES ACT (ZFdG)
For measures under the ZFdG, similar principles as for measures under Section 100a and 100b StPO apply (see, in particular, Section 23c ZFdG).
FEDERAL CRIMINAL POLICE OFFICE ACT (BKAG)
The measures pursuant to Section 20l BKAG require a prior court order following an application by the President of the Federal Criminal Police Office; yet, in pressing circumstances, the President of the Federal Criminal Police Office may also issue an order, which must be confirmed by the court within three working days in order not to become ineffective (Section 20l(3) BKAG).
According to Section 20w BKAG, the participants in the communication under surveillance must be notified of any interception measures, including their option to obtain subsequent court relief, unless there are overriding conflicting interests of an affected person. Notification must take place as soon as it can be effected without endangering the purpose of the investigation or the life, the physical integrity and/or personal liberty of a person, or significant assets. The participants may file a complaint against the court’s decision.
POLICE ACTS OF THE FEDERAL STATES
Similar rules as under the BKAG apply under the Police Acts of the federal states (though details may differ from state to state).
SUBSCRIBER DATA, LINE IDENTIFICATION AND OTHER DATA
For manual information requests under Section 113 TKG, the judicial oversight and legal remedies depend on the specific different legal statutes granting the authorisations for the information requests.
For information requests pursuant to Section 100j StPO, no prior court order is required, except where the information request is directed to obtain access control codes (following an application by the public prosecutor’s office or, in relation to tax offences, the tax authority); in exigent circumstances, the public prosecutor’s office (or certain officials assisting the prosecutor or, in relation to tax offences, the tax authority) may also issue such order, which then needs to be confirmed by the court without delay. A prior order is not required where the person affected by the request already has or must have knowledge of the request for information or if the use of the data has already been permitted by a court decision.
The person concerned must be notified of the information request only in certain cases (relating to data enabling access to terminal devices and requests based on the use of IP-addresses), and only if there are no overriding conflicting interests of an affected person (Section 100j(4) StPO). The notification must take place as soon as it can be effected without endangering the purpose of the information request. The person concerned may challenge the lawfulness of the measure in front of the courts.
Similar rules as under Section 100j StPO apply for information requests under Section 20b BKAG (which follows the same structure and principles).
For automated information requests under Section 112 TKG, the judicial oversight and legal remedies depend on the specific different legal statutes defining the legal functions and powers of the public authorities.
TRAFFIC DATA
In addition to the above, according to Section 101 StPO, the participants in the telecommunication concerned by the measure must be notified of any disclosure of their traffic data, including their option to obtain subsequent court relief, unless there are overriding conflicting interests of an affected person. Notification must take place as soon as it can be effected without endangering the purpose of the investigation or the life, the physical integrity and/or personal liberty of a person, or significant assets. For up to two weeks following their notification, the participants may apply to the competent court for a review of the lawfulness of the measure, as well as of the manner and means of its implementation. The participants may file a complaint against the court’s decision.
There is a dispute if and to what extent the telecommunication service provider is entitled to file a complaint (according to Section 98(2) or 304(2) StPO), though it is recognised that there is no legal obligation to verify or challenge the lawfulness of a request.
For information requests under Section 8a BVerfSchG, Section 4a MADG and Section 2a BNDG, no prior court order is required.
However, a prior order by the Ministry of the Interior is necessary (following an application by the respective responsible authority).
With regard to information requests that are ancillary to interception measures according to Section 100a StPO, Section 20l BKAG, Section 3, 5 and 8 G10, and Section 23a ZFdG, the respective judicial oversight procedures for these interception measures extend to the information requests.
The request for disclosure does not require a prior judicial order but may be challenged by the person concerned before the courts.
The seizure of stored communications requires a prior court order; yet, in pressing circumstances, the public prosecutor’s office (or certain officials assisting the prosecutor’s office or, in relation to tax offences, the tax authority) may also issue an order.
An official who has seized the communication without a prior court order must apply for a court confirmation within three days if neither the person concerned nor a relative was present at the time of seizing the information (or such persons have declared their objection). The person concerned by the seizure may request a court decision at any time.
A seizure order by a court may be challenged by the person concerned by filing a complaint.
Censorship-related Powers
SHUT-DOWN OF NETWORK AND SERVICES
German Telecommunications Act
Section 126 of the German Telecommunications Act entitles the Federal Network Agency (the Bundesnetzagentur) to order ‘necessary measures’ if a network provider violates its obligations under the Act or the EU Roaming Regulation. These measures can extend to the whole network service, or parts of it; however, the measures must be proportionate and only as intrusive as required by the circumstances. Therefore, the Federal Network Agency has the power to order Vodafone to shut down some or all of its network or services, if it determines this to be a necessary measure.
There is a three-step procedure for measures under Section 126: first, the network provider is given a deadline (usually one month) to remedy its violation; if it fails to do so within the deadline, the Federal Network Agency can order measures necessary to remedy the violation. In certain cases, the Federal Network Agency can deviate from this procedure and order necessary preliminary measures at the outset; this is usually when the network provider’s violation endangers public safety and order or causes substantial disadvantage to other network providers or users. In case of a severe or repeated violation, the Federal Network Agency may ultimately prohibit a network provider from providing its network or services.
The Federal Network Agency also has powers under Section 115 if a network provider does not fulfil its obligations with regard to public security (for example, data security or technical safety measures). The procedure under Section 115 is similar to the procedure outlined above, with the exception that no preliminary measures can be ordered.
BLOCKING OF URLS & IP ADDRESSES
Interstate Broadcasting Treaty
Section 59(3) of the Interstate Broadcasting Treaty (the Rundfunkstaatsvertrag) entitles the State Media Authorities (the Landesmedienanstalten) to order necessary measures if a website breaks the law. These measures can extend to requesting a network provider (such as Vodafone) to block access to the website, although this is the last resort and should only be called upon if other measures have failed to remedy the problem. In practice, the State Media Authorities usually receive references from the police or public prosecutor’s office with respect to websites that breach the law before taking any of the aforementioned measures.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
The government does not have the legal authority to take control of Vodafone’s network.
Oversight of the Use of Powers (Censorship-related)
GERMAN TELECOMMUNICATIONS ACT
In case of preliminary measures under Section 126 of the German Telecommunications Act, the concerned party is heard by the Federal Network Agency. The Federal Network Agency then decides whether to maintain, alter or set aside its order.
Additionally, because Sections 115 and 125 provide for administrative acts, they can be challenged before Germany’s administrative courts.
INTERSTATE BROADCASTING TREATY
All measures under Section 59(3) of the Interstate Broadcasting Treaty constitute administrative acts and therefore can be challenged before Germany’s administrative courts.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. According to Section 8(3) of the Telecommunications Interception Ordinance (TKÜV), which applies to interception measures under the German Code of Criminal Procedure (StPO), the Article 10 Act (G10), the Customs Investigations Services Act (ZFdG), the Federal Criminal Police Office Act (BKAG) and the Police Acts of the federal states, an operator of a telecommunication system (a Telco Communication Service Provider, CSP) has to remove all encryption measures it has applied to the communication data before delivering an interception copy of the communication to the authorities.
As stated above, this obligation only applies to operators of telecommunication systems (Telco CSPs). However, according to Section 100b(3) of the German Code of Criminal Procedure (StPO), every telecommunication service provider (ie also an Over the Top (OTT) CSP) has to comply with judicial orders requiring them to provide data and information on the communication, which might also include providing the respective data in a readable (ie decrypted) format.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
There is no express statutory obligation in this regard in Germany. Section 8(3) of the Telecommunications Interception Ordinance (TKÜV) only applies to encryption mechanisms that have been applied by the operator (Telco CSP) itself and not by third parties and thus, according to its wording, does not entail an obligation to (try to) remove third-party encryption mechanisms.
The compliance obligations of telecommunication service providers (Telco CSPs as well as OTT CSPs) under Section 100b(3) of the German Code of Criminal Procedure (StPO) can naturally only relate to measures that are within their capacity and within the range of what is reasonable. Thus, Vodafone are of the view that the government generally does not have the authority to expressly require the telecommunications operator to (try to) decrypt data from third-party OTT services on this basis.
Where an ‘equipment interference’ by the telecommunications operator is possible, however, this could be construed to fall within the scope of the compliance obligations of telecommunication service providers (Telco CSPs as well as OTT CSPs) pursuant to Section 100b(3) of the German Code of Criminal Procedure (StPO), and the government might be able to request this from Vodafone. However, according to our research, there are no precedents in this regard in Germany, and it is doubtful whether a court would deem such a measure adequate and reasonable (note: we have not reviewed whether such interference is admissible from a criminal law point of view).
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and content of the communication on receipt of a lawful demand?
Generally, there is no statutory provision in Germany prohibiting providers from offering end-to-end encryption. There is an ongoing discussion as to whether further legal regulations should be introduced in this regard, in view of technical progress and the difficulties the government is facing when trying to access encrypted data, but so far no legislative action has been taken.
However, the interpretation of the German statutory law is somewhat complex in this area.
As for BAU services, the statutory law could be interpreted in such a way as to suggest that a Telco CSP may not offer end-to-end encryption. This depends on how one interprets the fact that Section 8(3) of the Telecommunications Interception Ordinance (TKÜV) only applies to encryption mechanisms that have been applied by the provider itself and not by third parties. Technically, the end-to-end encryption is applied by the customer and not by the telecommunications operator. As a result, it could be stated that the telecommunications operator cannot be obliged to remove the encryption under this provision as it has not applied the encryption itself.
On the other hand, as the telecommunications operator itself offers the software that makes the end-to-end encryption possible and only the actual encryption is applied by the customer, it could also be said that it is an encryption applied by the telecommunications operator and would therefore have to be removed by the telecommunications operator in the case of an interception order. As a consequence, if a telecommunications operator cannot remove an encryption in accordance with national law enforcement obligations, it is not allowed to apply it.
The interpretation of the law in this regard likely also depends on whether the customer is able to decide on a case-by-case basis whether the encryption is applied.
All in all, Vodafone are of the view that it is likely that this does not prevent Telco CSPs from offering end-to-end encryption to their customers. Several voices in the legal literature agree with this view. The ongoing discussion on how law enforcement authorities could be enabled to better access encrypted communication also shows that whether the government is able to obtain decrypted information is generally considered to be the government’s own ‘problem’, and that telecommunication service providers are not prohibited from offering or applying such encryption in the first place.
As Section 8(3) of the Telecommunications Interception Ordinance (TKÜV) only applies to Telco CSPs, OTT CSPs would not be affected by the above and would be allowed to offer end-to-end encryption to their customers.
Law enforcement authorities may also implement technical measures of their own in order to be able to intercept encrypted communication data before it is encrypted, by secretly installing certain software applications on the user’s equipment. This is called a ‘lawful interception at the source’ (Quellen-TKÜ). Although the fact that the telecommunications provider is in no way involved in this interception is sometimes viewed critically, it is still considered to be legitimate and is regularly performed by the government. However, such interception at the source – like almost all interception measures by the government – can only be implemented if approved and ordered by a judge and if a serious crime is being investigated.
4. Please provide examples in your jurisdiction where legislation that predated the advent of commercial encryption (which Vodafone estimate as circa 1990) has been applied to contemporary cases involving encryption.
To our knowledge, there are no such examples in Germany.