Today, on Wednesday 27th February at 10am, the German Federal Constitutional Court in Karlsruhe made an official statement regarding its verdict on online surveillance.
The final verdict: although online surveillance is permitted, this is only in cases where a overwhelming threat to the existence of extremely important legally protected interests exists, and certain specific criteria will have to be met. Additionally, a new basic right will be introduced, for the first time since 1983, when a basic right was introduced regarding the capacity of the individual to determine in principle the disclosure and use of his/her personal data. This new basic right is intended to guarantee the integrity of IT systems and the confidentiality of data held on these systems.
The catalyst for these proceedings was a collective complaint brought against a law in the German state of Nordrhein-Westfalen designed to protect the constitution. This law permits the installation of spy programs on the computers of alleged criminals and terrorists. Such software, designed to intercept passwords, read the contents of disks, intercept encrypted conversations and transmit all of this via the Internet to the investigating authorities, gave rise to the term ‘online surveillance’.
Exactly what the practical results of today’s verdict will be remain to be seen. It’s clear that the Nordrhein-Westfalen law protecting the constitution will have to be amended. Meanwhile, discussions about the software – nicknamed the ‘Bundestrojan’ – will continue.
This won’t have any effect on our work as an antivirus company. As has already been said, in spite of the fact that it’s financed by the government, a Trojan which uses the same methods as spyware created by virus writers (which will very probably be detected by our proactive detection methods, such as heuristics, behavior analysis etc) has to be viewed as being potentially malicious. And although we will probably be able to detect the program, we wouldn’t be able to classify it as the ‘Bundestrojan’; it’s very unlikely that the authorities will provide AV companies with samples, so we would simply have to classify it on the basis of its behaviour, just as we do any potentially unwanted program.