June 1, 2017 - May 31, 2018
Approved in June 2017, the Network Enforcement Act (NetzDG) came into full effect in January 2018, obliging social media platforms with more than 2 million registered users in the country to review and delete flagged illegal content, or otherwise face hefty fines. A number of controversial deletions were reported as a result (See Content Removal).
The federal parliament enacted a controversial amendment to the German Criminal Code of Procedure which would expand the powers of law enforcement to install “State Trojans” on electronic devices and perform online searches to investigate an extensive range of criminal offenses (See Surveillance, Privacy and Anonymity).
At the end of February 2018, it was revealed that hackers had infiltrated a supposedly highly secure government network in search of sensitive data (See Technical Attacks).
In the aftermath of Germany’s federal elections in September 2017, experts concluded that no single disinformation campaign had a detectable impact on election results. Germany’s online environment remained free, despite concerns related to the adoption of the Network Enforcement Act, which imposes hefty fines on social media companies that fail to promptly address hate speech and other offenses by users on their platforms.
The media and civil society frequently and openly discuss the state of internet freedom in Germany, with internet regulation issues often given great prominence in widely read online news publications. An independent court system provides oversight on regulatory measures adopted by the executive and the legislature.
However, new pieces of legislation that expand the online surveillance powers of Germany’s domestic and foreign intelligence services as well as police authorities continued to raise privacy concerns, particularly laws that allow for the monitoring of citizens’ online activities on preventive grounds, unconnected to any suspicion of a specific criminal offense. Courts have begun to declare that Germany’s controversial data retention law is contrary to the European Court of Justice’s 2014 guiding interpretation of applicable European Union (EU) law.
In September 2017, the German population voted in elections for the federal parliament. After lengthy deliberations, another “grand coalition” was formed, comprising the Christian Democrats, the Bavarian Christian Social Union, and the Social Democrats. The coalition agreement reaffirms the national security policies of the past several years, including those related to online surveillance and data retention.
Internet access is high in Germany, and there are few inhibiting obstacles. However, differences in internet usage by levels of income demonstrate how prices continue to be a barrier.
Availability and Ease of Access
Germany’s network infrastructure for information and communication technologies (ICTs) is well developed, and overall internet penetration rates are above the EU average.1
The most widely used mode of access is still DSL, with 24.7 million connections in 2017. However, cable internet is becoming more widespread, with 8.5 million connections in 2017, compared with only 8 million in 2016.2 Connections with speeds of more than 30 Mbps are available for 14.6 million households.3Despite earlier promises to quickly provide high-speed internet access to every household in Germany,4 the expansion of broadband infrastructure stagnated throughout 2017.5 Alexander Dobrindt, the federal minister of traffic and infrastructure until after the September 2017 elections, faced criticism for his performance on broadband connectivity.6
In 2017, internet access via mobile devices further increased: 65.5 million people in Germany regularly accessed the internet via UMTS or LTE, compared with 63.1 million in the previous year.7 The total data volume increased from 918 million GB in 2016 to 1.388 million GB in 2017.8 Germany is ranked ninth worldwide in terms of smartphone penetration, with 57.2 million people using a smartphone as of May 2018.9 At the end of 2017, LTE connections were available to 94 percent of all Deutsche Telekom customers, 91 percent of Vodafone customers, and 82 percent of Teléfonica Germany customers.10
There is still a gender gap when it comes to accessing the internet in Germany, though it is gradually getting smaller. While 88 percent of men used the internet every day or almost every day in 2017, only 84 percent of women did.11 Daily or almost daily internet usage in the 16–24 and 25–44 age groups were 96 and 94 percent, respectively. In the over-65 age group, frequent usage remains at 69 percent.12
Differences in internet usage based on formal education have not changed significantly over the past few years. The gap between people with low and high levels of formal education is still noteworthy.13 A comparison of net household incomes also confirms this gap. Households with less than EUR 1,000 (US$1,160) net income per month have a 44 percent rate of digitalization, whereas those with more than EUR 3,000 (US$3,480) net income per month have a rate of digitalization of 65 percent.14 Furthermore, slight differences in internet usage exist between Germany’s western region (83 percent) and the eastern region (73 percent), which was formerly the communist German Democratic Republic; this gap has remained stable over the past few years.15 The gap between the urban states Hamburg, Berlin, and Bremen and the rural states with the smallest internet penetration rates, such as Saxony-Anhalt or Mecklenburg–West Pomerania, is still between 6 and 13 percentage points.16
Telecommunication services have become slightly less expensive, decreasing in price by about 1.1 percent from 2016 to 2017.17 The stark differences in internet usage by levels of income demonstrate that prices continue to be a barrier for people with low incomes and the unemployed. Although the Federal Court of Justice has ruled that access to the internet is fundamental for everyday life, the cost of internet access is still not adequately reflected in basic social benefits.18 In March 2017, the Federal Council (Bundesrat) made the decision to designate providers of free community wireless networks as not-for-profit enterprises, which entails considerable tax advantages. The move has been lauded for facilitating the establishment of freely accessible networks in cities, thereby broadening easy access for parts of the population that could otherwise not afford an internet connection.19
Restrictions on Connectivity
The German government does not impose restrictions on ICT connectivity. Germany’s telecommunications infrastructure is largely decentralized. There are more than a hundred backbone providers in the country.20 Privatized in 1995, the formerly state-owned Deutsche Telekom remains the only company that acts as both a backbone provider and an internet service provider (ISP). However, the German state owns less than a third of its shares, which crucially limits government control.21 There are a number of connections in and out of Germany, the most important being the DE-CIX, which is located in Frankfurt. It is privately operated by eco, the association of the German internet industry.22
The telecommunications sector was privatized in the 1990s with the aim of fostering competition. The incumbent Deutsche Telekom’s share of the broadband market was 40.1 percent in 2017, marking yet another slight decline as competition continued to increase. Other ISPs with significant market share included Vodafone with 19.8 percent, 1&1 with 13.7 percent, the cable company Unitymedia at 10.5 percent, and O2-Telefónica with 6.3 percent.23
There are currently three general carriers for mobile internet access: T-Mobile, Vodafone, and Telefónica Deutschland, which share the market more or less evenly.24 The prices for mobile services continued to decrease, falling by about 2.4 percent from 2016 to 2017.25
Internet access, both broadband and mobile, is regulated by the Federal Network Agency for Electricity, Gas, Telecommunications, Post, and Railway (Bundesnetzagentur, or BNetzA), which has operated under the supervision of the Federal Ministry of Transport since early 2014.26 The president and vice president of the agency are appointed for five-year terms by the federal government, following recommendations from an advisory council consisting of 16 members from the Bundestag (Federal Diet) and 16 representatives from the Bundesrat. The German Monopolies Commission and the European Commission (EC) have both criticized this highly political structure and the concentration of important regulatory decisions in the presidential chamber of the BNetzA.27
In addition to these institutional concerns, regulatory decisions by the BNetzA have been criticized for providing a competitive advantage to Deutsche Telekom, the former state-owned monopoly.28 These concerns were amplified again in late 2015, when the BNetzA presented a proposal to allow Telekom to implement vectoring, a technology that is capable of boosting the bandwidth of DSL connections on preexisting copper lines.29 This arrangement sparked criticism due to the fact that in order to function as intended, the technology requires a single operator to remain in charge of the entire bundle of cables. In turn, unbundling and redistributing individual connections becomes more difficult, with the result that the managing operator (Telekom) will end up in a privileged market position.30 After the Monopolies Commission first voiced its concerns in December 2015,31 and the EC instigated formal review proceedings in early 2016,32 the Federal Chancellery finally announced the end of public support for copper vectoring in March 2018.33
Access to online content in Germany is mostly free. Pressure on social media companies to remove illegal content from their platforms came under renewed pressure over the past year with the implementation of the Network Enforcement Act. Despite concerns over the proliferation of fake news in the run-up to federal elections in September 2017, experts contended that the ultimate impact was limited.
Blocking and Filtering
The German government rarely engages in blocking of websites or internet content.34 There were no publicly known incidents carried out by state actors during this coverage period. YouTube, Facebook, Twitter, and international blog-hosting services are freely available.
In 2015, the Federal Court of Justice ruled that the blocking of a website may be ordered as a last resort if it is the only means for a copyright holder to effectively end the rights infringement on that website.35 In such cases, after an assessment of all relevant circumstances, the owner of the copyright may ask an ISP to block the website in question. If the provider refuses, a court can intervene. The decision has been subject to criticism, as such blocking is considered easy to circumvent and thus ineffective.36 In February 2018, a regional court in Munich for the first time awarded an injunction against the internet provider Vodafone, obliging it to block the streaming website kinox.to because the latter was hosting illegally uploaded content.37 The decision, which has been appealed by Vodafone,38 was also criticized as both ineffective and excessive.39
The protection of minors constitutes an important legal basis for the regulation of online content.40 Youth protection on the internet is principally addressed by Germany’s states through the Interstate Treaty on the Protection of Human Dignity and the Protection of Minors in Broadcasting (JMStV), which bans content similar to that outlawed by the criminal code, such as the glorification of violence and sedition.41 A controversial provision of the JMStV, reflecting the regulation of broadcast media, mandates that adult-only content on the internet, including adult pornography, must be made available in a way that verifies the age of the user.42 The JMStV enables the blocking of content if other actions against offenders fail and if such blocking is expected to be effective.
In February 2018, the Federal Court of Justice decided that Google is not obligated to filter out search results in advance in order to prevent potential violations of users’ rights of personality. In the case at hand, a married couple had sued Google after they were gravely insulted in an online forum, prompting the search engine’s algorithms to link the offensive expressions with the plaintiffs’ names in its search results.43 The court held that Google had merely acted as an intermediary, and that search engines have to act only when there is suspicion of a specific violation.
Most of the content-removal issues in Germany relate to the removal of search engine results rather than actual deletions of content. However, pressure on social media companies to remove illegal content from their platforms has increased since the implementation of the Network Enforcement Act (NetzDG), which imposes severe fines if certain illegal content is not removed promptly.
In the context of social tensions related to an influx of refugees since 2015, social media companies have come under political, societal, and legal scrutiny for not sufficiently curbing hate speech, fake news, and other harmful content on their platforms.44 One case against Facebook concerned Syrian refugee Anas Modamani, whose widely shared photograph with Chancellor Angela Merkel repeatedly prompted right-wing activists to falsely connect him to a number of different crimes. Modamani’s attorney demanded that Facebook delete not only the original defamatory posts, but also all shares and copies.45 A court in Würzburg ruled that Facebook is not obliged to actively search for and delete hateful postings involving Modamani’s photo,46 but Modamani announced in April 2018 that he intends to sue Facebook again in order to compel the social media company to delete all misleading and defamatory posts.47 While expressing sympathy for Modamani’s concerns, many observers warned that a ruling in his favor might compel Facebook to implement upload filters that could subsequently be used as a censorship tool.48
The NetzDG, approved in June 2017,49 came into full effect in January 2018, obliging social media platforms with more than 2 million registered users in the country to investigate and delete flagged content, or otherwise face hefty fines.50 If the flagged content is “obviously illegal,” the company must remove it within 24 hours; if otherwise illegal, the content must be removed within seven days. After making its decision, the company has to inform both the complainant and the user who had uploaded the content. If it fails to do so, it could face fines of up to EUR 50 million (US$58 million) (see “Legal Environment”).51
Social media companies have set up internal systems to comply with these demands. In addition to a dedicated team of employees in Berlin,52 Facebook established a second team in the western city of Essen in November 2017, meaning the company now employs 1,200 people in Germany whose sole task is to review posts on the platform.53 Twitter also hired new staff to make the necessary legal assessments.54 Moreover, in March 2017, Facebook, Microsoft, Twitter, and YouTube had launched the prototype of an upload filter—based on a shared database—that is supposed to suppress the uploading of terrorist and extremist content.55 In March 2018, the EC announced that the social media platforms ought to expedite and broaden this approach.56 Such upload filters have been criticized for infringing on freedom of expression, not least because they do not seem limited to extremist content, despite announcements to the contrary.57
Since the NetzDG came into effect, a number of controversial deletions have been reported. Several tweets with satirical content have been deleted, including one by the author and poet Sophie Passmann,58 as has the entire account of the well-known satirical magazine Titanic.59 While Twitter did not explicitly mention the NetzDG in these cases, it displayed a message stating that Passmann’s tweet had been retracted on the basis of local laws in Germany. Titanic’s account remained blocked for 48 hours; after Twitter reactivated it, at least five of its earlier tweets remained unavailable in Germany.60 The case of a deleted tweet by the leftist politician Jörg Rupp in January 2018 illustrated one of the fundamental problems with the new law: Many tweets, posts, or other statements on social media platforms may appear to fall into the scope of hate speech provisions if taken out of context.61
Under a 2014 EU Court of Justice (CJEU) decision on the “right to be forgotten,”62 Google and other search engines are required to remove certain search results if they infringe on the privacy rights of a person and that person formally requests the action. As of April 19, 2018, Google had assessed some 670,835 requests to delist search results across the EU, affecting more than 2 million URLs, with nearly 112,000 coming from Germany alone.63 In 48.3 percent of the German requests, Google decided to remove the link. The process follows guidelines developed by an advisory group of experts, aiming to strike a balance between the right to be forgotten on the one hand and freedom of expression and information on the other.64 In 2016, Google announced that it would in the future resort to geo-blocking so that delisted links could not appear in Google search queries within the EU even if someone used Google.com instead of a national version of the search engine.65 This had been one of the most pressing demands from European data protection officials since the publication of the CJEU decision.66 Under the new General Data Protection Regulation (GDPR), which took effect on May 25, 2018, the right to be forgotten is now part of codified data protection law across the EU.67
The autocomplete function of Google’s search engine also has repeatedly been subject to scrutiny. In 2013, the Federal Court of Justice ruled that Google could be held liable, at least under some circumstances, for the infringement of personal rights through its autocomplete function.68 In a subsequent decision concerning the same case, the Higher Regional Court in Cologne decided that Google’s liability amounted to an obligation to delete the respective automated search query combination and to refrain from repeating the tort, but not to pay further compensation.69
Figures released by ICT companies indicate that postpublication content removal requests are issued with regard to defamation and other illegal content. According to Google’s latest transparency report, covering requests to remove content from July to December 2017, the company received 356 requests from the German courts and other public authorities. The most common reason (in 48 percent of cases) is defamation, followed by privacy and security concerns and adult content.70 Acting on requests from authorities between July and December 2017, Facebook restricted access to 1,893 pieces of content, compared with 919 between July and December 2016, including items that constituted incitement of hatred and Holocaust denial, which are illegal under the German criminal code.71
Platform operators can be held liable for illegal content under the Telemedia Act. The law distinguishes between full liability for owned content and limited “breach of duty of care” (Stoererhaftung) for access providers and host providers for third-party content.72 While ISPs are not required to proactively monitor the information of third parties on their servers, they become legally responsible as soon as they gain knowledge of violations or violate reasonable audit requirements.73
Additional blocking and filtering obligations for host providers were put in more concrete terms by the Federal Court of Justice in the 2012 “Alone in the Dark” case.74 In this specific instance, the game publisher Atari sued the file-hosting service Rapidshare for copyright violations concerning a video game. Although the judges did not hold Rapidshare liable for direct infringement, they saw a violation of the service’s monitoring obligations under the “breach of duty of care” standard.75
In a subsequent decision concerning Rapidshare in 2013, the Federal Court of Justice substantiated and further extended host providers’ duties. According to the judgment, if the business model of a service aims to facilitate copyright infringements, the company is considered less worthy of protection with regard to liability privilege.76 As a consequence, host providers are required to monitor their own servers and search for copyright-protected content as soon as it has been notified of a possible violation.77
A special requirement to review content for any rights violations was also confirmed in a 2012 case involving a blogger who integrated a YouTube video into his website.78 However, in 2014, the CJEU ruled that embedding content from other sources by means of framing is not a copyright infringement.79 In 2015, the Federal Court of Justice clarified that embedding is legal, as long as the source itself is legal—which at least in theory means that publishers are legally obliged to determine whether the content they intend to embed was uploaded in violation of copyright.80
In June 2017, the ruling coalition in the federal parliament enacted a law that abolished most legal liability for providers of open wireless networks. For years, the number of free and public Wi-Fi networks in Germany remained low, as providers feared potential negative legal consequences if their networks were used for illegal activities.81 While the new law was generally viewed positively by experts, it drew some criticism as well, as it could allow copyright holders to coerce providers into blocking certain websites or content that is known to violate copyright or other laws.82
Media, Diversity, and Content Manipulation
Germany is home to a vibrant internet community and blogosphere. Local and international media outlets and news sources are accessible and represent a diverse range of opinions. While there were concerns about the proliferation of disinformation leading up to the September 2017 federal elections, no decisive impact could ultimately be documented. Nevertheless, those concerns prompted legislators to push for controversial legal solutions with potential implications for freedom of expression online (see “Content Removal”).
Although experts concluded that no single disinformation campaign had a detectable impact on the 2017 election results, a significant number of false news items were identified.83 Research conducted by the Computational Propaganda Research Project between December 2016 and May 2017 found that hyperpartisan, conspiratorial news and disinformation were prominent on social media in the lead-up to the elections, accounting for approximately 20 percent of political news and information on Twitter. Widely shared sources included the anti-Islam blog Philosphia Perennis and the extremist right-wing publication Zuerst!, and many outlets “displayed indicators of Russian references.” However, the researchers found that automated “bot” activity was “marginal.”84
To date, self-censorship online has not been a significant or well-documented problem in Germany. Still, there are some unspoken rules reflected in the publishing principles of the German press.85 The penal code and the JMStV prohibit content such as child pornography (child sexual abuse images), racial hatred, and the glorification of violence in a well-defined manner. In August 2017, however, the Federal Ministry of the Interior, Building, and Community banned the radical left-wing news website Linksunten.indymedia.org on the grounds of an alleged violation of the law on associations. The persons responsible for running the website were forced to shut down its host server and all accompanying social media accounts. The ministry argued that the association, and the website as an integral part of it, had political goals that were contrary to the constitutional order.86 The ban was criticized as an unjustified infringement on freedom of the press.87 Reporters Without Borders called the decision constitutionally questionable and a dangerous development.88
The new federal government formed in early 2018 has reiterated its support for ancillary copyright for press publishers (Leistungsschutzrecht für Presseverleger), in force since 2013.89 The regulation allows publishers to monetize the small snippets of information that search engine operators display as part of their results.90 This raised concerns regarding the constitutionally protected rights to freedom of expression and freedom of information.91 In order to limit monetization, search engines such as Google began excluding search results leading to the websites of publishers that monetized their search links, or displayed links without the corresponding snippets.92 In response, the publishers’ collecting society, VG Media, lodged complaints and antitrust proceedings against Google. In September 2015, the Federal Cartel Office decided that Google’s practice was not in violation of antitrust laws.93 Later, in November 2015, arbitration proceedings between Google and VG Media failed, with the search engine rejecting VG Media’s demand to receive 6 percent of Google’s aggregate turnover as license fees.94 In February 2017, the first court proceedings dealing with the law commenced before a Berlin district court, after VG Media filed a lawsuit against Google.95 In May 2017, the court referred the case to the European Court of Justice.96
In April 2017, the federal parliament formally incorporated the EU rules on net neutrality into domestic law.97 However, observers remarked that several products of internet and mobile phone providers violate strict net neutrality by favoring certain services, such as “Stream On” by Deutsche Telekom or “Vodafone Pass” by Vodafone.98 The BNetzA subsequently prohibited parts of Stream On for breaching net neutrality principles.99
During the reporting period, several civil society initiatives used the internet to conduct advocacy campaigns on political and social issues in Germany.
After the #metoo hashtag spread across Twitter and other social media platforms in the wake of revelations concerning sexual abuse and harassment by Hollywood film producer Harvey Weinstein and other prominent men, primarily in the United States, it took some time for the movement to catch on in Germany as well. The hashtag was eventually used widely, but unlike the #aufschrei hashtag a few years ago,100 which also concerned systemic misogyny in Germany, the German #metoo movement remained relatively subdued.101 One of the reasons might have been an early backlash in leading publications against the practice of calling out individuals without honoring the criminal law principle of presumed innocence, which was linked to Germany’s legalistic tradition and its lighter national emphasis on unrestrained freedom of expression and press freedom.102 Allegations against the prominent film and television director Dieter Wedel became the most visible consequence of #metoo in Germany.103
In order to protest unrealistic and harmful ideals of beauty in society, in particular for girls and young women, the Düsseldorf-based feminist group Vulvarines started the hashtag #notheidisgirl on Instagram in October 2017. The hashtag alluded to the casting of Germany’s Next Top Model, the widely popular television show, hosted by famous model Heidi Klum.104 In February 2018, the hashtag reemerged in its German variation, #keinbildfürheidi, alongside a song with lyrics that were critical of the show; the video went viral on YouTube.105
In the context of the ongoing “refugee crisis,” there has been a surge in investigations for online “incitement to hatred” in recent years. Meanwhile, the German government continued to take steps to expand surveillance, with new legislation empowering law enforcement agencies to install malware on electronic devices for the purpose of criminal investigations.
Germany’s Basic Law guarantees freedom of expression and freedom of the media (Article 5), as well as the privacy of letters, posts, and telecommunications (Article 10). These articles generally safeguard offline as well as online communication. A groundbreaking 2008 ruling by the Federal Constitutional Court established a new fundamental right regarding the “confidentiality and integrity of information technology systems” as part of the general right of personality under Article 2 of the Basic Law.106
The German criminal code includes a provision on “incitement to hatred” (Section 130), which penalizes calls for violent measures against minority groups and assaults on human dignity.107 The provision is seen as legitimate in the eyes of many Germans, particularly because it is generally applied in the context of Holocaust denial.108
In another attempt to crack down on hate speech online, the law known as NetzDG, approved in June 2017, obliges large social media companies to swiftly remove “illegal content” that violates provisions of the German criminal code (see “Content Removal”). The measure sparked severe criticism from activists, nongovernmental organizations (NGOs),109 politicians, and the UN special rapporteur for freedom of expression, who warned that it could lead social media companies to err on the side of deletion in order to avoid possible fines.110 According to legal guidelines issued by the Federal Ministry of Justice and Consumer Protection in March 2018, possible fines for violations of the law range from EUR 5 (US$6) to EUR 50 million (US$58 million), depending on the severity of the offense.111 Some amendments made to the initial bill were meant to accommodate critics, including exemptions for first-time offenders and companies that had merely made an erroneous legal assessment.112 In October 2017, the Organization for Security and Co-operation in Europe (OSCE) called for a limited implementation of the law and a reevaluation in the near future.113 By mid-2018, several politicians from the ruling Christian Democratic Party had announced their willingness to consider a fundamental revision of the law, including its time limits for making decisions on deletions.114
Online journalists are largely granted the same rights and protections as journalists in the print or broadcast media. Although the functional boundary between journalists and bloggers is starting to blur, the official press card remains available only to “professional” journalists, meaning those whose journalistic activities account for at least 51 percent of their income.115 Similarly, the German code of criminal procedure grants the right to refuse testimony solely to individuals who have “professionally” participated in the production or dissemination of journalistic materials.116
After two journalists with Netzpolitik.org briefly faced criminal proceedings for alleged treason in 2015, Federal Minister of Justice and Consumer Protection Heiko Maas announced a bill with the aim of explicitly excluding journalists from the scope of the treason provision in the criminal code. However, the promised reform has not made any progress to date.117
In response to a case concerning the satirist Jan Böhmermann, who in 2016 had come under criminal investigation for a provocative poem mocking Turkish president Recep Tayyip Erdoğan, the federal parliament abolished the statutory offense that criminalized insulting foreign leaders.118 Erdoğan also filed a civil libel lawsuit against Böhmermann, which led to a ban on three-fourths of the controversial poem,119 and both parties appealed the judgment. In May 2018, the Higher Regional Court in Hamburg upheld the lower court’s decision, rejecting Böhmermann’s request to repeal the partial ban. At the same time, the court ruled that Erdoğan had no right to have the entire poem prohibited.120
Since 2016, the Office of the Federal Commissioner for Data Protection and Freedom of Information has been an independent supreme federal authority, a clear upgrade from its former status as a subdivision of the Federal Ministry of the Interior.121 This change of constitutional status furthermore entailed a significantly larger budget and staff.122
Prosecutions and Detentions for Online Activities
In the context of the ongoing “refugee crisis,” there has been a surge in c investigations invoking the provision on “incitement to hatred” in the German criminal code, mostly related to hate speech against asylum seekers on social media platforms such as Facebook. As a result, there have been considerably more convictions for incitement to hatred.123 The latest official crime statistics document 6,514 cases of “incitement to hatred” in 2016, compared with just 2,670 cases two years earlier, before the start of the 2015 refugee crisis.124 In June 2017, police departments in all but two German states conducted raids against 36 social media users for alleged hate speech.125
Surveillance, Privacy, and Anonymity
A German parliamentary commission of inquiry on intelligence practices—established after former U.S. National Security Agency (NSA) contractor Edward Snowden leaked documents on various activities of U.S., British, and German intelligence services in 2013—completed its work in 2017.126 While the governing coalition concluded that the conduct of both the allied foreign intelligence services and the German Federal Intelligence Service (BND) had been and continued to be within the bounds of the law, the opposition argued that ongoing mass surveillance was unlawful. Both sides drew criticism for not demanding sufficient steps to end the practice in Germany.127 Meanwhile, the German government has taken further steps to significantly expand online surveillance.
A new law on the BND enacted in late 2016 continued to be scrutinized over the course of the reporting period.128 While the BND is mainly tasked with foreign intelligence collection, one of the main concerns is that the law will permit monitoring of the entire network traffic channeled through the world’s largest internet exchange point, DE-CIX (German Commercial Internet Exchange) in Frankfurt, which would at least unintentionally affect communications by German citizens as well. In 2016, before the new law’s enactment, the operators of DE-CIX had sued the BND in the Federal Administrative Court, arguing that the intelligence service’s practices were unconstitutional.129 In May 2018, the court dismissed the claims, declaring that monitoring of the exchange point was lawful.130 Separately, because the BND under the new law has explicit permission to monitor domestic internet traffic as long as it is targeting foreign citizens,131press freedom groups argued that the law threatens the constitutionally protected work of foreign journalists reporting in Germany.132 In reaction to this aspect of the law, a number of NGOs and foreign investigative journalists filed a constitutional complaint in January 2018.133
The BND had also been storing and processing bulk metadata records of phone calls via its traffic-analysis system VerAS. In response to a lawsuit filed by Reporters Without Borders Germany,134 on December 2017 the Federal Administrative Court rejected such intelligence gathering, prohibiting the BND from collecting and processing communications metadata due to a lack of sufficient legal basis for the conduct.135 In May 2018, the BND officially announced that it would end the practice.136 Reporters Without Borders Germany lodged a parallel complaint with the European Court of Human Rights, alleging that the intelligence service had been unlawfully monitoring the NGO’s own email correspondence.137
Surveillance conducted by intelligence services under the Act for Limiting the Secrecy of Letters, Posts, and Telecommunications (also known as the “G10 Act”) has continued to decline.138 With respect to international terrorism, the international arms trade, and international cybercrime, the German intelligence services in 2016 conducted 4,974 interceptions of telecommunications in total, of which just 53 were then deemed relevant for further inquiry by the BND. The BND’s practice of monitoring communications between Germany and foreign countries in accordance with the G10 Act has come under legal scrutiny. Amnesty International has filed a complaint before the Federal Constitutional Court, arguing that the authorities granted by the G10 Act are overly permissive and thus unconstitutional.139 The court has yet to decide on the case.
Telecommunications interception by state authorities for criminal prosecutions is regulated by the code of criminal procedure and may only be employed for the prosecution of serious crimes for which specific evidence exists and when other, less intrusive investigative methods are likely to fail.
A 2008 Federal Constitutional Court ruling established a new fundamental right to the “confidentiality and integrity of information technology systems.” The court held that preventive covert online searches are only permitted “if factual indications exist of a concrete danger” that threatens “the life, limb, and freedom of the individual” or “the basis or continued existence of the state or the basis of human existence.”140 Based on this ruling, the federal parliament in 2009 passed a law authorizing the Federal Bureau of Criminal Investigation (BKA) to conduct—with a warrant—covert online searches to prevent terrorist attacks.141 The act also authorizes the BKA to employ other methods of covert data collection, including dragnet investigations, surveillance of private residences, and the installation of software on a suspect’s computer that intercepts their communications at the source. Separately, antiterrorism legislation that was first passed after the September 11, 2001, terrorist attacks—which, among other provisions, obliges banks or telecommunications operators to disclose customer information to the authorities—was once again extended in 2015 through 2021.142
In June 2017 however, the federal parliament enacted the “law for more effective and more practical criminal proceedings” (Gesetz zur effektiveren und praxistauglicheren Ausgestaltung des Strafverfahrens). Most significantly, it included an extensive list of criminal offenses that would allow for the deployment of spyware on suspects’ mobile phones, tablets, and computers in order to enable monitoring of written and spoken text as well as the copying of data.143 Critics consider the law unconstitutional due its expansive scope and long list of applicable offenses.144 In accordance with the law, the BKA has been permitted to install monitoring software (the so-called Bundestrojaner, or “federal Trojan horse”) on suspects’ devices since January 2018.145 Observers have pointed out that one of the ongoing risks of this practice is that it exploits known security holes in communication software instead of attempting to fix them to protect the general public.146 In December 2016, it was reported that the BKA had successfully cracked the encrypted messenger app Telegram in at least 44 cases in order to monitor the text conversations of suspects. Several legal experts as well as politicians cast doubt on the legality of these measures.147 In July 2017, it was revealed that the BKA was working on cracking other apps, such as the widely used WhatsApp.148
In the state of Bavaria, Germany’s second largest by population, the governing Christian Socialist Union (CSU) introduced a bill at the beginning of 2018 that would grant the Bavarian police vastly expanded powers, including the authority to access any information technology system preventively in the event of a broadly defined imminent danger, without concrete evidence of a specific crime.149 Critics allege that the bill would blur the line between police and intelligence services, a strict distinction that was built into the constitution as a consequence of the abuses of the Nazi era.150 Federal Interior Minister Horst Seehofer, the former minister president of Bavaria and a member of the CSU, has stated that he intends to use the Bavarian law as a model for police laws in all German states.151
Despite a 2014 CJEU decision that struck down the EU Data Retention Directive,152 the federal parliament enacted a law on data retention in 2015.153 Both the parliamentary opposition and data protection officials had fiercely objected to the legislative proposal, maintaining that it contradicted civil laws and violated the guidelines established by the CJEU. Under the new law, different sets of data have to be stored on servers located within Germany for 10 weeks, while providers have to retain the numbers, as well as the dates and times, of phone calls and text messages. Internet providers are also required to retain the IP (internet protocol) addresses of all users, as well as the dates and times of connections. The location data of mobile phone connections must be saved for four weeks. The requirements exclude sites accessed, email traffic metadata, and the content of communications.
Several constitutional complaints against the data retention legislation have been filed and are pending at the Federal Constitutional Court.154 In February 2017, the federal parliament’s own research service concluded that the law does not conform with the guidelines set by the CJEU in its 2014 ruling and is thus contrary to EU law.155 After the internet provider Spacenet filed a lawsuit against its obligation to start storing its customers’ data, the Higher Administrative Court of North Rhine–Westphalia, which has jurisdiction over this question, likewise decided in June 2017 that the German legislation contradicts EU law and is thus not applicable to Spacenet’s conduct.156
The amended telecommunications act of 2013 regulates “stored data inquiry” requirements (Bestandsdatenauskunft).157 Under the provision, approximately 250 registered public agencies, among them the police and customs authorities, are authorized to request from ISPs both contractual user data and sensitive data. While the 2004 version of the law allowed the disclosure of sensitive user data only for investigations of criminal offenses, the amended act extended it to cases of misdemeanors or administrative offenses. In addition, whereas the disclosure of sensitive data and dynamic IP addresses normally requires an order by the competent court, contractual user data (such as the user’s name, address, telephone number, and date of birth) can be obtained through automated processes. The law’s requirement of judicial review has been subjected to two empirical studies, both of which found that in the majority of cases a review by a judge does not take place in practice.158 Data protection experts have criticized the lower threshold for intrusions of citizens’ privacy as disproportionate.
A number of other government measures have raised concerns regarding the protection of citizens’ data. In May 2017, the federal parliament enacted a new law on the introduction of an electronic identification system. It includes a provision that allows the police authorities of all states as well as the Federal Police, the Federal Office for the Protection of the Constitution, all German intelligence agencies, and the Military Counterintelligence Service (Militärischer Abschirmdienst, or MAD) to access a database of passport photos of all German citizens established by the legislation. Data protection experts have argued that the move, in combination with massively expanded video surveillance in public spaces, will enable the authorities to automatically monitor citizen’s movements.159
Newly arriving migrants and refugees are also targets of new measures that infringe on the protection of their data. According to 2017 amendments to the asylum law, an arriving refugee’s mobile phone, laptop, or other electronic devices’ data may be copied and analyzed in order to determine the person’s place of origin if he or she does not provide identity documents. Although authorities originally gave assurances that these measures would be limited to exceptional cases, later statements revealed that because no such limitation is explicitly provided for in the text of the law, the Federal Office for Migration and Refugees intends to implement the measures as standard practice. Human rights advocates have especially criticized the fact that even location data will be seized.160
User anonymity is compromised by SIM card registration rules under the telecommunications act of 2004, which requires submission of the purchaser’s full name, address, international mobile subscriber identity (IMSI), and international mobile station equipment identity (IMEI) numbers, if applicable.161Nonetheless, the principle of anonymity on the internet is largely upheld as a basic right. A 2014 decision by the Federal Court of Justice further strengthened this right, confirming that an online review portal is under no obligation to disclose the data of anonymous users. In the preceding judgment, the Higher Regional Court in Stuttgart had ruled to the contrary.162 Website owners and bloggers are not required to register with the government. However, most websites and blogs need to have an imprint naming the person in charge and providing a contact address. The anonymous use of email services, online platforms, and wireless internet access points is legal. Experts criticized a 2017 legislative proposal by the governing coalition to allow civil lawsuits to gain knowledge of an alleged offender’s real name in the case of violations of the right of personality online, especially defamation. Observers voiced concern that this might infringe on the right to anonymity online if interpreted too broadly.163
Intimidation and Violence
There were no reported cases of direct physical intimidation or violence against online journalists or other ICT users in retaliation for their activity during the coverage period.
Human rights activists and NGOs are rarely victims of cyberattacks or other forms of technical violence that are aimed at stifling freedom of expression. However, government institutions and the business sector have been targeted with cyberattacks.164
At the end of February 2018, it was revealed that hackers had infiltrated a supposedly highly secure government network. The attackers allegedly implanted malicious software in order to steal sensitive data. The federal government accused “APT28,” a suspected Russian hacking group that is thought to be connected to the Russian government, of perpetrating the attack.165
To strengthen its response capabilities, the federal parliament enacted an information-technology security law in 2015, obliging telecommunications firms and critical infrastructure operators to report security breaches to the Federal Office for Information Security (BSI). However, the law has been criticized for being largely ineffective and overly intrusive concerning the storage of traffic data to determine the source of possible cyberattacks.166
6 Tomas Rudl, “Nun offiziell: Bundesrechnungshof zerpflückt Ex-Minister Alexander Dobrindt“ [Now official: Federal Audit Office picks former minister Alexander Dobrindt to pieces], Netzpolitik.org, January 30, 2018, https://bit.ly/2DPwkm8
18 Bundesgerichtshof [Federal Court of Justice], “Bundesgerichtshof erkennt Schadensersatz für den Ausfall eines Internetanschlusses zu” [Court awards damages for internet failures], press release 14/13, January 24, 2013, http://bit.ly/1FLvz98. Hartz IV standard rate is € 416, see: https://bit.ly/2xR1keO; € 2.28 of that sum are for Internet access, See: Deutscher Bundestag [German Bundestag], Drucksache 17/3404, p. 60, http://bit.ly/1LnUX6U
19 Markus Beckedahl, “Bundesrat entscheidet für Gemeinnützigkeit von Freifunk-Communities“ [Federal Council decides in favor of not-for-profit status of free wireless network communities], Netzpolitik.org, March 10, 2017, http://bit.ly/2muOGyt
20 Björn Brodersen/Alexander Kuch, “Backbones – die starken Hintergrundnetze des Internets” [Backbones – the strong background networks of the internet], teltarif.de, http://www.teltarif.de/internet/backbone.html
26 Markus Beckedahl, “Verkehrsministerium gewinnt Fachaufsicht über Bundesnetzagentur” [Ministry of Transport gains supervision over Federal Network Agency], Netzpolitik.org, February 14, 2014, http://bit.ly/1jDT9KQ
27 Monopolkommission [Monopolies Commission], “Telekommunikation 2009: Klaren Wettbewerbskurs halten” [Telecommunication 2009: stay on target in competition], Sondergutachten 56, 2009, p. 75, http://bit.ly/2dBXDUY; European Commission, “Progress Report on the Single European Electronic Communications Market (15th Report),” COM(2010) 253, p. 196, http://bit.ly/1Od2qpT
28 European Commission, Progress Report, p. 196. Since the Federal Republic still exercises its rights as a shareholder of Deutsche Telekom (circa 38 percent) through another public law entity, commentators see a potential conflict of interest. See: Christian Schmidt, “Von der RegTP zur Bundesnetzagentur. Der organisationsrechtliche Rahmen der neuen Regulierungsbehörde” [From RegTP to Federal Network Agency. The organizational framework of the new regulator], Die Öffentliche Verwaltung 58 (24), 2005, p. 1028.
30 Richard Sietmann, “Fiber to the Neverland. Die Telekom forciert VDSL-Vectoring statt Glasfaser” [Fiber to the Neverland. DT pushes VDSL-Vectoring instead of Fiber], c't 10/2013, April 29, 2013, pp. 18-21, http://heise.de/-1847272
31 Volker Briegleb, “VDSL-Turbo Vectoring: Monopolkommission warnt vor ’Technologiemonopol der Telekom‘” [VDSL turbo vectoring: monopoly commission warns against ’technology monopoly of the Telekom’], heise.de, December 7, 2015, http://bit.ly/2eeTyog
32 Tomas Rudl, “Vectoring: Beirat der Bundesnetzagentur fordert Nachbesserungen” [Vectoring: advisory board of Bundesnetzagentur demands amendments], Netzpolitik.org, January 26, 2016, http://bit.ly/2dD05a2
34 Due to substantial criticism by activists and NGOs that provoked an intense political debate, the 2010 law on blocking websites containing child pornography, the Access Impediment law (Zugangserschwerungsgesetz), never came into effect and was finally repealed by the German parliament in December 2011.
35 Constanze Kurz, “BGH-Entscheidung zu Netzsperren: Die nichtsnutzige digitale Sichtschutzpappe ist zurück” [Federal Court of Justice decision on blocking of websites: the useless digital screen wall is back], Netzpolitik.org, November 26, 2015, http://bit.ly/2d3wCmY
36 Constanze Kurz, “BGH-Entscheidung zu Netzsperren: Die nichtsnutzige digitale Sichtschutzpappe ist zurück” [Federal Court of Justice decision on blocking of websites: the useless digital screen wall is back], Netzpolitik.org, November 26, 2015, http://bit.ly/2d3wCmY
39 Tomas Rudl, “Netzsperren: Vodafone muss kinox.to blockieren und Kundendaten speichern“ [Blocking of websites: Vodafone has to block kinox.to and store user data], Netzpolitik.org, February 12, 2018, https://bit.ly/2GaZEAd
40 The legal framework regulating media protection of minors in particular consists of the Law for the protection of children and youth (“Jugendschutzgesetz”, JuSchG) of the federal government and the Interstate Treaty on the Protection of Minors in the Media (short “Jugendmedienschutzstaatsvertrag”, JMStV).
42 Cf. the respective § 5, Abs. 3 JMStV.
43 Tomas Rudl & Marie Bröckling, “Bundesgerichtshof: Google muss Suchergebnisse nicht vorab filtern“ [Federal Court of Justice: Google does not have to preventively filter search results], Netzpolitik.org, February 27, 2018, https://bit.ly/2HRZ7Vh
48 Markus Reuter, “Merkel-Selfie-Prozess: Fremdenfeindliche Gerüchte als Türöffner für Zensur“ [Merkel selfie case: xenophobic rumors as gateway for censoring], Netzpolitik.org, February 6, 2017, http://bit.ly/2jY6Fh8
50 Constanze Kurz, “NetzDG gegen Hass und verbal Gewalt: Das Löschen beginnt“ [Social Network Enforcement Law against hate and verbal violence: The deleting begins], Netzpolitik.org, January 2, 2018, https://bit.ly/2lM9RKD
52 Fabian Reinbold and Marcel Rosenbach, “Hetze im Netz: Facebook löscht Kommentare jetzt von Berlin aus” [Incitement on the net: Facebook now deletes comments from Berlin], Spiegel Online, January 15, 2016, http://bit.ly/200TbdO
55 Matthias Monroy, “Facebook, Twitter & Co: Upload-Filter gegen ‘Terrorismus und Extremismus’ gestartet” [Facebook, Twitter, and co.: upload filter against ‘terrorism and extremism’ activated], Netzpolitik.org, March 13, 2017, http://bit.ly/2mHSJHz
57 Tomas Rudl, “EU-Kommission: Immer mehr Plattformen sollen Uploads filtern“ [EU Commission: More and more platforms are supposed to filter uploads], Netzpolitik.org, February 23, 2018, https://bit.ly/2oxRgU2
59 Thomas Borgböhmer, “NetzDG: Twitter sperrt Account des Satiremagazins Titanic wg. Beatrix von Storch – und löst Zensur-Debatte aus“ [Social Network Enforcement Law: Twitter blocks account of satire magazine Titanic because of Beatrix von Storch – and triggers debate on censorship], Meedia, January 3, 2018, https://bit.ly/2J4EFR0
61 Markus Reuter, “Moderation nach Gutsherrenart: Wie Twitter Accounts ohne Einordnung des Kontexts sperrt“ [Moderation in an autocratic manner: How Twitter blocks accounts without regard to context], Netzpolitik.org, January 15, 2018, https://bit.ly/2raBT8O
64 Eco.de, “Ein Jahr Recht auf Vergessenwerden: Löschen von Suchergebnissen beeinträchtigt die Zivilgesellschaft” [One year right to be forgotten: Removal of search results impairs civil society], May 13, 2015, http://bit.ly/1N9DnDW
68 BGH [Federal Supreme Court], judgment of May 14, 2013, Az. VI ZR 269/12; Jürgen Kuri/Martin Holland, “BGH zu Autocomplete: Google muss in Suchvorschläge eingreifen” [BGH on autocomplete], May 14, 2013, http://heise.de/-1862062
69 Beck Aktuell, “OLG Köln: Klage gegen Google auf Unterlassugn bestimmter Suchwortkombinationen erfolgreich” [Higher Regional Court Cologne: Injunction suit against Google concerning certain search query combinations successful], April 8, 2014, http://bit.ly/2dnwPSY; Adrian Schneider, “OLG Köln: Die Autocomplete-Entscheidung im Detail” [Higher Regional Court Cologne: the autocomplete decision in detail], Telemedicus, April 11, 2014, http://bit.ly/1iRT59G
72 In particular: Part 3, §§ 7-10 TMG: liability for own content (§ 7, Abs. 1 TMG); limited liability for access providers (§§ 8, 9 TMG) and host providers (§ 10 TMG).
77 Thomas Stadler, “BGH erweitert Prüfpflichten von Filehostern wie Rapidshare” [Federal Court of Justice extends monitoring duties for host providers such as Rapidshare], Internet-Law, September 4, 2013, http://bit.ly/1N9EWSv
81 In 2010, the German Federal High Court sentenced the private owner of a wireless router on the grounds that his or her open network allowed illegal activities. cf. Christopher Burgess, “Three Good Reasons to Lock Down Your Wireless Network,” The Huffington Post (blog), June 8, 2010, http://huff.to/1LYHK3k.
82 Ingo Dachwitz, “WLAN-Gesetz: Bundestag schafft Störerhaftung endlich ab, ermöglicht aber Netzsperren“ [Wi-fi law: Federal Parliament finally abolishes ‘breach of duty of care‘ regulation but enables blocking of websites], Netzpolitik.org, June 30, 2017, https://bit.ly/2sDsoLx
84 Lisa-Maria N. Neudert, University of Oxford, “Computational Propaganda in Germany: A Cautionary Tale,” Working Paper No. 2017.7, http://comprop.oii.ox.ac.uk/wp-content/uploads/sites/89/2017/06/Comprop-Germany.pdf
86 BMI, “Bundesinnenminister verbietet den Verein mit der linksextremistischen Internetplattform ‘linksunten.indymedia‘“ [Federal Minister of the Interior bans association with the left-wing extremist internet platform ‘linksunten.indymedia‘], press release, August 25, 2017, https://bit.ly/2vAsRUS
89 Leonhard Dobusch, “Urheberrecht im Koalitionsvertrag: Zwischen ‘modernen Nutzungsformen‘ und einem EU-Leistungsschutzrecht“ [Copyright Law in the coalition agreement: Between ‘modern forms of use‘ and a EU ancillary copyright], Netzpolitik.org, February 9, 2018, https://bit.ly/2sp4sjs
92 Henry Steinhau, “Leistungsschutzrecht: T-Online und 1&1 verbannen Verlage der VG Media aus ihren Suchergebnissen” [Ancillary copyright: T-Online and 1&1 ban VG Media publishers from their search results], irights.info, September 16, 2014, http://bit.ly/1JKFxlY
93 Friedhelm Greis, “Kartellamt hält Googles Vorgehen gegen Verlage für begründet” [Cartel Office considers Google’s approach against publishers justified], golem.de, September 9, 2015, http://bit.ly/2dJRQc4
98 Mirjam Hauck and Helmut Martin-Jung, “Auch in Deutschland ist die Netzneutralität durchlöchert“ [In Germany, too, net neutrality has holes], Sueddeutsche.de, December 15, 2017, https://bit.ly/2Jd9tPv
99 Markus Reuter, “Netzneutralität: Bundesnetzagentur untersagt Teile von Stream On” [Net neutrality: Federal Network Agency prohibits parts of Stream On], Netzpolitik.org, December 15, 2017, https://bit.ly/2j9LLIU
101 Lisa Seelig, “#metoo bleibt in Deutschland eine Debatte ohne Namen – warum ist das so?“ [In Germany, #metoo remains a debate without names – why?], Edition F, December 5, 2017, https://bit.ly/2HgsEr8
104 Markus Reuter, “#NotHeidisGirl: Instagram-Protest gegen utopische Schönheitsideale” [#NotHeidisGirl: Instagram protest against utopian ideals of beauty], Netzpolitik.org, October 4, 2017, https://bit.ly/2F3Rqc6
106 BVerfG [Federal Constitutional Court], Provisions in the North-Rhine Westphalia Constitution Protection Act (Verfassungsschutzgesetz Nordrhein-Westfalen) on online searches and on the reconnaissance of the internet null and void, judgment of February 27, 2008, 1 BvR 370/07 Absatz-Nr. (1 - 267), http://bit.ly/1YVssS3; See also: Press release no. 22/2008, http://bit.ly/2dnoChN. For more background cf. Wiebke Abel/Burkhard Schaferr, “The German Constitutional Court on the Right in Confidentiality and Integrity of Information Technology Systems – a case report on BVerfG,” NJW 2008, 822”, 2009, 6:1 SCRIPTed 106, http://bit.ly/2dNZSCJ
108 BVerfG, [Federal Constitutional Court] 1 BvR 2150/08 from November 4, 2009, Absatz-Nr. (1 - 110), http://bit.ly/1KWt940; See also: Press release no. 129/2009 of 17 November 2009, Order of 4 November 2009 – 1 BvR 2150/08 – § 130.4 of the Criminal Code is compatible with Article 5.1 and 5.2 of the Basic Law, http://bit.ly/2e0uK0C
109 Reporter Ohne Grenzen [Reporters Without Borders], “Gesetzentwurf bedroht Pressefreiheit“ [Bill threatens freedom of the press], March 15, 2017, http://bit.ly/2nqPGFF; Digitale Gesellschaft [Digital Society], “Fake News und Hate Speech: Vorstoß des Bundesjustizministers gefährdet Meinungsfreiheit im Netz“ [Fake news and hate speech: Federal Minister of Justice’s proposal threatens freedom of opinion online], March 14, 2017, http://bit.ly/2qORsRZ
123 See for example: Pia Ratzesberger, “Verurteilt wegen Hasskommentaren auf Facebook” [Convicted for hateful comments on Facebook], sueddeutsche.de, February 3, 2016, http://bit.ly/1P8Luzi; Lisa Steger, “Hennigsdorfer soll Geldstrafe wegen Volksverhetzung zahlen” [Person from Hennigsdorf fined for incitement to hatred], rbb-online.de, April 26, 2016, http://bit.ly/2d3m8Uz; “Bewährungsstrafe wegen Facebook-Hetze gegen Flüchtlinge” [Suspended sentence for incitement against refugees on Facebook], Zeit Online, October 16, 2015, http://bit.ly/1PKYR6U
124 Daniel Leisegang, “Rechte Hetze im Netz und die Grenzen des Rechtsstaats“ [Rightwing incitement online and the limits of the state under the rule of law], Netzpolitik.org, September 30, 2017, https://bit.ly/2HkY2E5
127 Constanze Kurz, “Abschluss des NSA-BND-Ausschusses: Keine Revolte gegen die Geheimdienste“ [Conclusion of the NSA BND commission: No revolt against the intelligence services], Netzpolitik.org, June 29, 2017, https://bit.ly/2tqZsde
134 Andre Meister, “Eingestuftes Gutachten: Der BND speichert massenhaft Daten, will aber Betroffene nicht informieren“ [Classfied assessment: BND stores data in bulk but refuses to inform affected], Netzpolitik.org, December 14, 2016, http://bit.ly/2gNO58i
135 Anna Biselli, “Bundesverwaltungsgericht: BND-Metadatensammlung in Datenbank VerAS unzulässig“ [Federal Administrative Court: BND metadata collection in database VerAS unlawful], Netzpolitik.org, December 14, 2017, https://bit.ly/2F1FoQD
140 Bundesverfassungsgericht [Federal Constitutional Court], Provisions in the North-Rhine Westphalia Constitution Protection Act (Verfassungsschutzgesetz Nordrhein-Westfalen) on online searches and on the reconnaissance of the Internet null and void, judgment of February 27, 2008, 1 BvR 370/07; For more background cf. W Abel and B Schafer, “The German Constitutional Court on the Right in Confidentiality and Integrity of Information Technology Systems – a case report on BVerfG”, NJW 2008, 822, (2009) 6:1 SCRIPTed 106, http://bit.ly/2dNZSCJ
141 Dirk Heckmann, “Anmerkungen zur Novellierung des BKA-Gesetzes: Sicherheit braucht (valide) Informationen” [Comments on the amendment of the BKA act: Security needs valid information], Internationales Magazin für Sicherheit nr. 1, 2009, http://bit.ly/1KWuRm6
147 Sebastian Lipp and Max Hoppenstedt, “Exklusiv: BKA-Mitarbeiter verrät, wie Staatshacker illegal Telegram knacken“ [Exclusive: BKA employee reveals how state hackers illegally crack Telegram], Motherboard, December 8, 2016, http://bit.ly/2rbuReU
148 Andre Meister, “Geheimes Dokument: Das BKA will schon dieses Jahr Messenger-Apps wie WhatsApp hacken“ [Secret document: As early as this year, the BKA wants to hack messenger apps such as WhatsApp], Netzpolitik.org, July 20, 2017, https://bit.ly/2uvCTCl
149 Markus Reuter, “CSU will Polizei in Bayern zum Geheimdienst aufrüsten“ [CSU wants to transform Bavarian police into intelligence service], Netzpolitik.org, February 8, 2018, https://bit.ly/2EcUYsR
150 Marie Bröckling, “Ab Sommer in Bayern: Das härteste Polizeigesetz seit 1945“ [Coming this summer in Bavaria: The toughest police law since 1945], Netzpolitik.org, March 24, 2018, https://bit.ly/2pIwTUL
154 Jakob May, “Weitere Verfassungsbeschwerde gegen Vorratsdatenspeicherung eingereicht” [Further constitutional complaint against data retention filed], Netzpolitik.org, January 27, 2016, http://bit.ly/1nQGru9
155 Tomas Rudl, “Bundestagsgutachten: Deutsche Vorratsdatenspeicherung genügt EuGH-Vorgaben nicht“ [Parliamentary legal assessment: German data retention does not conform to CJEU guidelines], Netzpolitik.org, February 23, 2017, http://bit.ly/2lLC5oz
156 Anna Biselli, “Zusammengefasst: Die Entscheidung zur Vorratsdatenspeicherung und ihre Folgen“ [Summary: The decision concerning data retention and its consequences], Netzpolitik.org, June 23, 2017, https://bit.ly/2uh5VUL
158 Two independent studies from by the Universität of Bielefeld (2003: Wer kontrolliert die Telefonüberwachung? Eine empirische Untersuchung zum Richtervorbehalt bei der Telefonüberwachung“ [Who controls telecommunication surveillance? An empirical investigation on judicial overview of telecommunication surveillance], edited by Otto Backes and Christoph Gusy, 2003) and Max-Planck-Institut Institute for Foreign and International Criminal Law (Hans-Jörg Albrecht, Claudia Dorsch, Christiane Krüpe 2003: Rechtswirklichkeit und Effizienz der Überwachung der Telekommunikation nach den §§ 100a, 100b StPO und anderer verdeckter Ermittlungsmaßnahmen [Legal reality and efficiency of wiretapping, surveillance and other covert investigation measures], http://www.mpg.de/868492/pdf.pdf) evaluated the implementation of judicial oversight of telecommunications surveillance. Both studies found that neither the mandatory judicial oversight nor the duty of notification of affected citizens are carried out. According to the study by the Max Planck Institute, only 0.4 percent of the requests for court orders were denied.
160 Anna Biselli, “Jetzt doch: Behörde soll auch Geodaten aus Handys von Geflüchteten auswerten“ [After all: Authority is supposed to analyze refugees‘ geodata], Netzpolitik.org, September 21, 2017, https://bit.ly/2F34wpT
163 Markus Reuter, “Hate Speech: Union und SPD wollen Klarnamen-Internet durch die Hintertüre” [Hate speech: CDU and SPD want real name Internet through the back door], Netzpolitik.org, February 23, 2017, http://bit.ly/2lD7UQt