Germany's Constitutional Court Ponders Whether Government Users Of Zero-Day Surveillance Malware Have A Duty To Tell Software Developers About The Flaws

from the resolving-conflicting-aims dept

As Techdirt has reported previously, the use of malware to spy on suspects — or even innocent citizens — has long been regarded as legitimate by the German authorities. The recent leak of thousands of telephone numbers whose owners may or may not have been targeted with the Pegasus spyware has suddenly brought this surveillance technique out of the shadows and into the limelight. People are finally starting to ask questions about the legitimacy of this approach when used by governments, given how easily the software can be — and apparently has been — abused. An interesting decision from Germany’s constitutional court shows that even one of the biggest fans of legal malware is trying to work out how such programs, which depend on unpatched zero-day vulnerabilities, can be deployed in a way that’s compatible with fundamental rights. The court’s press release explains:

The complainants [to the constitutional court] essentially assert that, by enacting the authorisation laid down in [the German Police Act], the Land Baden-Württemberg violated the guarantee of the confidentiality and integrity of information technology systems — a guarantee arising from fundamental rights — because under that provision, the authorities have no interest in notifying developers of any vulnerabilities that come to their attention since they can exploit these vulnerabilities to infiltrate IT systems for the purpose of source telecommunications surveillance, which is permitted under [the German Police Act]. Yet if the developers are not notified, these vulnerabilities and the associated dangers — in particular the danger of third-party attacks on IT systems — will continue to exist.

That is, the failure to notify developers about the vulnerabilities means the authorities are putting IT systems in Germany at risk, and the practice should therefore be stopped. The complainants went on to argue that if the court nonetheless ruled that the use of such malware was not “inherently incompatible with the state’s duty of protection”, at the very least administrative procedures should be established for evaluating the seriousness of the threat that leaving the vulnerabilities unpatched would represent, and then deciding on a case-by-case basis whether the relevant developers should be notified.

The German constitutional court dismissed the complaint, but on largely technical grounds. The judgment said that the complainants did not have standing, because they had failed to substantiate a breach of the government’s duty of protection. Moreover, the top court said the question should first be considered exhaustively by the lower courts, before finally moving to the constitutional court if necessary. However, the judges did recognize that there was a tension between a desire to use zero-days to carry out surveillance, and the German government’s duty to protect the country and its computer systems:

In the present case, the duty of protection encompasses the obligation for the legislator to set out how the police are to handle such IT security vulnerabilities. Under constitutional law, it is not inherently impermissible from the outset for source surveillance to be performed by exploiting unknown security vulnerabilities, although stricter requirements for the justification of such surveillance apply due to the dangers posed to the security of IT systems. Furthermore, fundamental rights do not give rise to a claim that authorities must notify developers about any IT security vulnerabilities immediately and in all circumstances. However, the duty of protection does necessitate a legal framework that governs how — in a manner compatible with fundamental rights — an authority is to resolve the conflicting aims of protecting IT systems against third-party attacks that exploit unknown IT security vulnerabilities on the one hand, and on the other hand keeping such vulnerabilities open so that source surveillance can be carried out for the purpose of maintaining public security.

It’s not clear whether that call for a legal framework to regulate how the authorities can deploy malware, and when they must alert developers to the flaw it exploits, will be heeded any time soon in Germany. But in the light of the Pegasus leak, it seems likely that other countries around the world will start to ponder this same issue. That’s particularly the case since such malware is arguably the only way that the authorities can reliably circumvent encrypted communications without mandating the flawed and unworkable backdoors they have been calling for. If more countries decide to follow Germany in deploying these programs, the need for a legal framework to regulate their use will become even more pressing.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.


Comments on “Germany's Constitutional Court Ponders Whether Government Users Of Zero-Day Surveillance Malware Have A Duty To Tell Software Developers About The Flaws”


I think the answer should be something like, "You knew about the vulnerability and did not disclose it, it cost the company XYZ, you’re on the hook." It could also be, "You disclosed it to the company, they chose to do nothing about it, and they are on the hook for XYZ." Do we need an agency that is responsible for getting vulnerabilities and reporting them to the appropriate people? It seems like some accountability is in order.
