Protecting Victims Without Mass Surveillance
A Response to Joachim Herrmann
Mass data retention is on the rise: on the initiative of Hesse (governed by conservatives and social-democrats), the Bundesrat has called on the Bundestag to introduce a one-month retention period for IP addresses; North Rhine-Westphalia, Schleswig-Holstein and Baden-Württemberg (governed by coalitions of conservatives and greens) support a similar initiative; and here on the Verfassungsblog, the (conservative) Bavarian Minister of the Interior, Joachim Herrmann, is also calling for “More protection for victims through data retention”. In the current heyday of security packages in Germany, we are now also seeing a “super grand coalition” in favor of mandatory IP address retention.
Herrmann argues, on behalf of this “coalition of the willing” to store data, that the changes in Germany’s and Europe’s security are forcing constitutional courts to reconsider the proportionality standards of past decisions and, in particular, to allow the introduction of mass data retention. He paints a dystopian picture of the situation in Germany, a state of hate and violence. What he and his political comrades-in-arms overlook: The investigative capacities of law enforcement authorities have never been better, and the digital data pools that can be analyzed have never been larger.
The never-ending story of mass data retention
Mass data retention to combat Internet-related crimes is an evergreen in European security policy. The German Federal Constitutional Court and the European Court of Justice (ECJ) have by now issued (at least) eight different rulings on the permissibility and structure of a preventive obligation to store metadata (such as telephone numbers and times of telephone calls, the connection owner behind an IP address and location data of cell phones, see Art. 5 of the Data Retention Directive of 2006). Herrmann’s accusation that “data retention” is a “misleading term” of a certain “political camp” is not very convincing. As the European Directive repealed by the ECJ in 2014 was entitled “Directive […] on the retention of data […]”, the accusation can basically only be directed self-critically at the (conservative) majority in the Council and Parliament at the time, which adopted the directive with this name.
Data retention has been the subject of intense political and legal debate for almost two decades now. It was introduced in Germany in 2007, immediately restricted by a temporary injunction from the Federal Constitutional Court, declared unconstitutional in 2010, passed again – in a modified form – by the Bundestag in 2015, declared unlawful under EU law and therefore inapplicable by the OVG Münster in 2017, an assessment that was finally confirmed by the ECJ in 2022. The coalition agreement of the (freshly divorced) “traffic light coalition” provided for regulations on data retention to be designed in such a way that they “can be stored in a legally secure manner on a case-by-case basis and by court order”. While former (liberal) Minister of Justice Buschmann sees this agreement as a mandate to implement the Quick Freeze concept (in which metadata is only “frozen” on an ad hoc basis following a criminal offense), the social-democratic Minister of the Interior Faeser – in contradiction to the coalition agreement, but in agreement with the opposition and the Bundesrat – is calling for the introduction of general IP data retention. This shows that the almost 20-year history of data retention in Germany is quite confusing and has been characterized by many agreements, terminations of agreements, judgments and civil society protests.
The problem of anonymity on the Internet
Data retention is more controversial than almost any other measure in German domestic policy. The current demands are limited to the introduction of IP data retention. Unlike, for example, the storage of location data, times and participants in telephone calls, this is not about the possibility of retrospectively investigating the life of a known suspect, but about identifying an unknown suspect. Thus, it is primarily a tool for de-anonymization, not for comprehensive profiling. Accordingly, the Federal Constitutional Court already emphasized in its 2010 decision (paras. 254-263) and the ECJ since 2020 (paras. 152-159) that the requirements for IP data retention are lower than for the retention of other metadata.
However, it remains the case, as critics repeatedly emphasize in various places, that the retention of data without reasonable cause puts citizens under general suspicion. From this point of view, anonymity is seen as a danger whose primary function is to provide a cover for crimes. As a result, citizens are generally seen as possible perpetrators who must accept interferences with their fundamental rights in order to be identifiable at the time when the suspicion is realized and a crime is committed. The possibility of identification is not a by-product of other data processing – such as the storage of IP addresses for commercial purposes or maintenance purposes – but the sole purpose of the state’s command to store data. This ignores that anonymity – in virtual as well as in physical spaces – is a prerequisite for freedom. The mere existence of surveillance increases the pressure to conform and leads to chilling effects for the exercise of freedoms protected by fundamental rights, including stating (supposedly) controversial opinions.
The dependency on context of fundamental rights judgments
Herrmann is right to emphasize that the legal assessment of interferences with fundamental rights depends on the context. For example, new technological developments for alternative investigative procedures could lead to less intrusive, equally effective means to foster a legitimate goal, so that previously permissible interferences with fundamental rights are no longer necessary. In its 2010 decision on data retention, the Federal Constitutional Court also made it clear that the proportionality of an individual surveillance measure must always be assessed in the context of the overall state of state surveillance (“general surveillance account”):
“[…] the retention of telecommunications traffic data must not be understood as paving the way for legislation aiming to enable, to the greatest extent possible, the precautionary retention of all data that could potentially be useful for law enforcement or public security purposes. Regardless of how the provisions governing data use were designed, any such legislation would be incompatible with the Constitution from the outset. The retention of telecommunications traffic data without specific grounds will only satisfy constitutional standards if it remains an exception to the rule. It must not be possible to reconstruct practically all activities of citizens even in combination with other existing datasets.”
In order to effectively protect fundamental rights against the possibility to “reconstruct practically all activities of citizens” in today’s “Surveillance Capitalism” (Zuboff), a comprehensive analysis of all data collections available to law enforcement authorities is required. They often complain that the increasing use of encryption technologies makes it more difficult to monitor communication (often referred to as “going dark”). However, in the history of mankind, individuals have never produced as much personal data as they do today. That these data collections, which are held by private companies, are being used for other than their original purposes by law enforcement can be observed intensively in the USA. There, for example, law enforcement authorities have obtained information from Google about which users have used certain search terms or been to certain locations. A striking example of this misappropriation of even the most sensitive data is the well-founded fear that the data stored by female health apps will be accessed in the future to prosecute illegal abortions.
These are all contexts and social conditions that Herrmann seems to overlook. Instead, he emphatically states that “domestic security is endangered to a degree that would have been unimaginable only a few years ago” and classifies the notion that “surveillance inevitably restricts freedom” as something “inherited from the 1970s”. At this point, it should therefore be noted that life in Germany as a whole – despite some problematic developments in recent years – is safer than ever before. In a long-term view, there are fewer homicides, less violence, more rights for women and minorities and less terrorism than in the past. Therefore, Herrmann’s labelling of the idea of a society free from surveillance as “outdated” is at least not founded in any real-life decrease in security in recent decades in Germany.
IP mass data retention as a panacea
In line with this, Herrmann sketches the image of an internet in which “innumerable dangers” lurk, in which “serious crimes are being committed relentlessly” and “[u]nbridled hate and agitation are proliferating”. This is as (un)true for the internet as it is for physical spaces: where people come together, there is an exchange of knowledge and experience, creativity and inspiration, friendship and solidarity. However, as in any social context, norm violations, including the most serious crimes, are also committed (for the complex state of research on the effects of social platforms on democracy, see here). These must be prevented to a sufficient degree – also due to the state’s duty to protect its citizens – and otherwise be sanctioned. However, Herrmann’s panorama of cybercrime, from the exchange of child sexual abuse material (CSAM) to ransomware attacks, gives the impression that IP data retention is the only thing standing between this state of rampant violence and lawlessness caused by anonymity on the one hand and a good life in absolute security on the other.
This clearly exceeds the reasonable expectations for IP data retention. Firstly, it is already the case that, in practice, all German telecommunications providers voluntarily store IP addresses for seven days [1] for billing purposes, according to the Federal Criminal Police (BKA). The Bundesrat’s initiative mentioned above also explicitly recognizes this (p. 4, E.2). These seven days are already sufficient to enable the identification of suspects in a good three quarters of all proceedings.
However, there are many reasons why IP addresses often do not bring the desired success: For example, if the identified connection belongs to the operator of a public Wi-Fi hotspot, such as those found in cafés, trains and many other public places, the investigation will come to nothing. Even if a connection is shared in a flat or family, identifying the suspect involves considerable further investigation. IP addresses can also be easily disguised technically, for example by using a virtual private network (VPN) or a proxy. Especially in the field of serious crime, criminals also often use the so-called “Darknet” (it should be noted at this point, however, that the use of the Darknet is essential for human rights activists in authoritarian regimes). This refers to a part of the internet that is not accessible via conventional browsers, but via the Tor network with the Tor Browser. This network consists of several layers (Tor is an abbreviation for “The Onion Routing”) that ensure encrypted and anonymous communication. Contrary to what Herrmann claims, IP addresses are in this context not “the only indicators for investigation activities by the security services”, but are useless because they are always obfuscated.
Instead, it is more promising – and in line with the state’s duty to protect – to develop targeted solutions for particular criminal phenomena. One promising investigative starting point is the user account, which is used to contact victims and is, thus, a prerequisite for the commission of the crimes. Such an account can provide a variety of clues that can be analyzed by Open Source Intelligence (OSINT) or Social Media Intelligence (SOCMINT) investigations. The ECJ also recognizes this (paras. 120-121), but emphasizes the particular intensity of the interference of such comprehensive investigations for the person concerned, as further information about their private life is obtained. However, it does not seem to take into account that these interferences are limited to a specific suspect and therefore have significantly less broad effects than the mass retention of the data of all citizens.
User accounts as an investigative approach for serious crime
As the accounts are often used repeatedly, the preventive storage of IP addresses is not necessary in order to use them for investigative purposes. Instead, it would be sufficient to forward the IP address of the user account the next time the account is used after a suspicion of a crime has been confirmed and then immediately resolve it in order to identify the individual behind the IP.
Such an approach is promising even in cases of serious crime, such as the dissemination of CSAM. A large number of these cases only become known due to reports from the US-based NGO NCMEC, which cooperates with social platforms and cloud services that systematically filter the content uploaded to them – both public and private material – for CSAM. Law enforcement authorities emphasize that in these cases, the “IP address is the best investigative approach to identify the perpetrators, in some cases even the only one”. However, all of these constellations involve suspects who have created a user account on the respective service. The recurring use of the account means that the respective company repeatedly obtains knowledge of the user’s current IP address – with every single interaction. In these cases, the current IP address can be passed on to the law enforcement authorities (after judicial authorization), and can then be resolved in real time by the telecommunications providers. Consequently, there is no need to store the IP addresses of persons without any connection to a crime.
The same applies to cases of grooming, in which adults approach children and youth with the objective of sexual abuse. This happens mainly on social platforms that are attractive to minors. It is therefore necessary for the perpetrators to have a user account in order to make and maintain contact with the minors. The perpetrators’ aim of establishing a basis of trust with them and possibly even creating a relationship of dependency is only possible through the recurring use of the account.
The reasonableness of interferences with fundamental rights
Herrmann is right to emphasize that it is primarily the task of policy-makers to balance and reconcile conflicting fundamental rights. To this end, different parties and governing majorities propose different solutions that are in democratic competition with each other. The frame of this democratic competition is defined by the constitution. There is no “primacy of politics” over the law as claimed by Herrmann, but rather an obligation of the legislature to observe the “constitutional order” and fundamental rights “as directly applicable law” (Art. 1 para. 3; 20 para. 3 German Constitution). This limitation of public power by law characterizes the rule of law. It is dangerous to suggest that the judicial prohibition of a certain surveillance measure is tantamount to elevating the judiciary to a “super legislature” in which there is only room for “one proportionate solution”. Judgements considering one’s own political plans as a violation of fundamental rights may be painful, but should rather encourage a self-critical reflection of the respective political positions than harsh criticism of the courts.
It is still up for debate whether and how IP data retention fits into the political margin defined by the ECJ. In La Quadrature du Net II, the ECJ found that the retention of IP addresses “does not constitute a serious interference”. However, the apodictic statement in the judgment that without IP data retention there would be “real risk of systemic impunity” (para. 119) fails to recognize, in my opinion, how extensive the investigative capacities of law enforcement authorities with their access to private data collections already are. The assessment that the retention of additional data benefits the protection of fundamental rights compared to other investigative measures is not very convincing, to say the least (see, however, paras. 120-121). Furthermore, as shown above, the widespread use of user accounts in the commission of criminal offenses due to the architecture of today’s internet offers opportunities to identify suspects via their IP address even without preventive data retention.
Moreover, it would be a mistake to interpret the ruling as a blank cheque for IP data retention. The qualification of the interference as not being serious requires “a set of requirements intended to ensure, in essence, a genuinely watertight separation of the different categories of data retained, such that the combination of data belonging to different categories is genuinely ruled out” (para. 103). These high technical requirements for data retention, in particular the “watertight separation” of different data categories to avoid detailed profiles, have led to industry associations from Germany stating publicly that they are in fact no longer allowed to store data and must discontinue the current voluntary retention of IP addresses. It remains unclear how these requirements can be implemented in practice. Therefore, the introduction of laws mandating IP data retention is still associated with a high degree of legal uncertainty. The only thing that seems certain after April 30 is that data retention will continue to occupy courts throughout Europe.
A Zeitenwende in security policy
People in Germany have a right to be protected by the state. The security policy of recent decades has often sailed on the edge of being unconstitutional – and sometimes even beyond it. Such a policy does not make the country safer. Rather, it leads to unjustified interferences with fundamental rights and legal uncertainty. A lot of time and energy is lost in legislative processes, the product of which is declared null and void by the highest courts years later. This does not help the victims of violence.
German security policy needs a Zeitenwende. Law enforcement authorities should work together with victims of crimes and civil society organizations in an open process to develop targeted measures to enhance criminal prosecution without expanding mass surveillance and dismantling legal protection. Only recently, Höffler clearly explained here on the blog why the best security policy is a social policy that addresses the structural causes of exclusion and violence and, thus, makes the country safer for everyone.
I agree with Herrmann that our democracy is in danger. Freedoms that were long thought to be safe are once again being called into question. The growing right-wing extremism in this country is a danger to our democracy. It is therefore important that our democratic and constitutional institutions are strengthened. This includes, in particular, the separation of powers and effective judicial review mechanisms. We must not allow ourselves to be intimidated by the enemies of freedom, but instead counter them with more openness and more democracy.
References
[1] The referenced graphic is somewhat misleading. Freenet is a pure reseller, i.e. it uses the networks of other telecommunications providers, where storage takes place accordingly.