​

WOLFGANG SCHÄUBLE, Germany’s tough-talking interior minister, made no secret of his directive to police and intelligence services last year to use spyware to monitor the computers and Internet traffic of suspected terrorists. Some applauded the move. The western state of North Rhine-Westphalia passed legislation specifically allowing its police to use spyware.

But others took issue with the measure, alleging invasion of privacy. Now, Germany’s Federal Constitutional Court has ruled that law enforcement agencies cannot spy on a suspect’s computer, cell phone, PDA, or MP3 player except in a few carefully defined cases.

Intelligence and law enforcement agencies will only be able to collect data from a suspect’s hard drives if the authorities present “factual evidence of a concrete danger” to a judge, who must authorize each operation. Investigators cannot collect or analyze a suspect’s personal data if it is not directly related to the case.

Civil rights campaigners said the decision was a landmark ruling that establishes a constitutional right to confidentiality and integrity of information technology systems. Moreover, it may set a precedent that other European countries will follow.

“International law experts will study this [ruling] intensely, and of course, you can see that this line of reasoning could be used in other countries,” says Ralf Bendrath, a political scientist at Bremen University who specializes in digital privacy issues.

Authorities say they need to use spyware because the Internet has evolved into a potent communications, recruitment, and information-sharing tool for terrorists. When Germany last year broke up a terrorist conspiracy to bomb U.S. military installations, they were able to do so because authorities reportedly learned of the plot through American surveillance of Internet communications between Pakistan and Germany. That reinforced Schäuble’s demand for German authorities to win similar powers.

However, Germany’s GdP police union says the court’s decision need not interfere with investigations. “This judgment creates legal security for the work of the police,” Konrad Freiberg, GdP chairman told German media.

Freiberg said the next step is for parliament to rewrite pending legislation regulating the security services’ activities to take account of the ruling. The legislation would reform the BKA federal police agency, transforming it into an investigative and intelligence body similar to the FBI.

Apart from the legality of the use of spyware by government agents, however, is the feasibility. Obviously, it’s possible to hack into a computer. Even the German government has been the target as in a case reported by German news magazine Der Spiegel, in which Chinese hackers last year installed spyware on computers in the foreign ministry, the economics ministry, and the office of Chancellor Angela Merkel herself.

But as in that case, such hacking incidents invariably get discovered. Terrorists presumably expect attacks and will take precautions. Furthermore, antivirus software can usually detect and block such spyware.

“Attempts to place Trojans and/or keystroke monitors would face the same problems that hackers need to overcome,” says Peter Sommer, a visiting professor at the London School of Economics, and a digital evidence and computer forensics expert. They’d have to avert detection by conventional antivirus, anti-Trojan, and antispyware programs.

Bendrath adds that the relatively low salaries and unattractive working conditions in the public sector probably would not attract first-rate talent: “Anyone able to write an undetectable Trojan would not be working for the police. They would be working for themselves.”

Commercial IT security providers say they would not give government spyware any favorable treatment. “We are not able to alter the settings of an individual’s software... so they can be surveilled. We would never alter our software on a mass scale to allow any kind of surveillance unless a court ordered us to do it,” says Cris Paden, a spokesman for U.S. antivirus producer Symantec.