March 7, 2016
German courts have authorized the police in that country to load surveillance software onto computers and mobile devices, without the permission of the owners or operators of those devices. The police can then use the secretly introduced spyware to conduct surveillance of the communications and other digital activities of the suspects. This action seems to represent a significant intrusion into the privacy of German citizens. It also represents another step in the evolution of the “Internet of Things” into a massive surveillance platform.
After obtaining a court order, German police can now secretly install spyware on smartphones and essentially any Internet-enabled device. In order to obtain the requisite court order, the police must persuade courts that the surveillance is necessary as lives may be at risk or that some form of national threat exists. With the appropriate court order, the police can secretly introduce the spyware to the devices in question and conduct ongoing surveillance using those devices.
In order to comply with a 2008 decision of the German Constitutional Court, spyware used by the authorities must comply with certain limitations aimed at protecting privacy. The spyware must monitor only communications between the targeted party and another party. The surveillance is not permitted to include monitoring of materials created by the targeted individual, but not communicated with any other party.
This authorization gives the police permission to obtain spyware from commercial enterprises or other external parties. Law enforcement authorities are not required to develop their own spyware for their surveillance activities. Instead, they can purchase and use commercially available software products for the surveillance.
Some critics have expressed concern that introduction of software onto devices provides a gateway for viruses and other malware. Malicious software in addition to the spyware could be inadvertently introduced to the targeted devices through the secret downloads. Through this process, the security of the targeted devices could be undermined.
Some observers also question the ability of the authorities to limit their surveillance consistent with the 2008 court ruling on privacy. They express concern that actual surveillance activities may not always honor the prohibition against monitoring personal material not presented in the form of a communication with another party.
We should also recognize the potential impact of this surveillance on the development of the Internet of Things, the emerging global network of Internet-connected devices including consumer electronics, entertainment and media products, and appliances. Presumably, a court order authorizing introduction of malware to smartphones and computers of a suspect would also likely grant permission to introduce spyware to essentially all of that suspect’s Internet-connected devices (e.g., automobiles and other vehicles).
It is currently unclear the extent to which the various materials processed by the range of Internet-enabled devices would qualify as communications and would thus be eligible for monitoring. For example, if your television or car can be voice-activated and records certain conversations, it could be argued that those conversations qualify as communications and are thus subject to surveillance. Alternatively, assume your video game system enables you to communicate with other players. It can be argued that the communications capability of your game system makes it eligible for surveillance.
All authorizations to conduct surveillance of smartphones and other traditional computing devices must be evaluated in the context of the Internet of Things, in which essentially all devices, appliances, and equipment can be targeted by spyware. Each time permission is granted to spy on computer users, we must recognize that the authorization will be carried into the Internet of Things. If we are not careful, the Internet of Things, our ubiquitous network for access to communications, entertainment, and information, will also become a global platform for surveillance undermining privacy and civil liberties around the world.