This article is a response to the following discussion prompt: 
To what extent does Germany's new BND draft bill provide a rights-based and modern framework for foreign intelligence?

A number of different contributions have addressed this question or will do so soon. See all of them here.

Following the Constitutional Court’s ruling earlier this year, the German Chancellery’s new draft legislation for the Foreign Intelligence Service (BND) claims to remedy existing legal violations called out by the Court. Instead, however, it will leave gaping loopholes for the BND to creatively interpret, failing to effectively regulate and oversee the service’s military intelligence activities, its surveillance of communications abroad when performed from outside German territory, its data collection through suitability tests, and more. By also further fragmenting an already splintered oversight structure, the German government is thereby set to flout the protection of fundamental rights in Germany and abroad.


The Federal Constitutional Court’s decision of 19 May 2020, relating to the surveillance of communications between non-German citizens abroad carried out by the Federal Intelligence Service (Bundesnachrichtendienst or BND), attracted widespread public attention in Germany. It was hailed as a major success by some, especially advocates of civil rights and liberties. Others, especially advocates for the status quo when it comes to the intelligence services’ surveillance practices, regarded it as a fiasco, contending that it puts security at risk. In the wake of Edward Snowden’s revelations and the investigations conducted by the Bundestag’s BND inquiry committee from 2014 to 2017, the ruling seemed to herald a completely new beginning in German intelligence.


The Constitutional Court’s ruling

Germany’s highest court did in fact rule that the BND’s foreign intelligence collection, a form of mass surveillance carried out without specific grounds of suspicion, represented a massive infringement of fundamental rights; that the BND’s current practices violate the principle of proportionality in several respects; and that German authorities still remain bound by fundamental rights abroad. Yet this assessment reflected more the tenor of the brief summary of the Court’s decision intended for media consumption, which was read out on the day the ruling was delivered. The main body of the 122-page decision was not read out, and it contained numerous indications of how these existing violations of the law could potentially be remedied.

At the same time, a closer examination also revealed inconsistencies and contradictions in the argumentation, up to, and including, the Court’s lack of knowledge about digital communication technologies and surveillance of them, and about the extent and scope of real oversight in this area. This gave the Federal Chancellery an opportunity, which it seized, to put forward draft legislation at the end of September and a modified draft at the end of November, in an attempt to legalise, for the first time, the BND’s existing practices when it comes to surveillance of communications abroad, which were unlawful or fell in a grey area.


Independent Oversight Council

According to the draft legislation, an Independent Oversight Council will be created. This body, which will have more than 60 members of staff, will be responsible for the quasi-judicial and administrative legal oversight of part of the BND’s technical surveillance of communications abroad. The quasi-judicial oversight body — replacing the previous Independent Panel (Unabhängiges Gremium) — will have six members, of whom at least four must have actively served as judges and up to two as federal public prosecutors at the Federal Court of Justice (Bundesgerichtshof). They will be elected by the Parliamentary Oversight Panel by a simple majority — i.e. by the government majority — for a twelve-year term of office.

The matters overseen by the quasi-judicial Independent Oversight Council will be based on a list of competences and will include, to name just a few examples: examining whether the ordering of strategic surveillance measures is lawful, whether individual measures such as hacking IT systems outside Germany are proportionate, or whether the criterion of a “qualified need” for surveillance is met when the BND cooperates with foreign intelligence services and automatically transmits metadata in its entirety. Yet a closer examination of the draft legislation quickly reveals that the framework for oversight is very limited. Operations carried out by the BND solely abroad in the form of strategic surveillance measures will still not be subject to any kind of oversight, and the same is true of operations which it carries out abroad in the framework of communications surveillance partnerships with foreign intelligence services. The control practices envisaged relate solely to surveillance measures conducted from German territory.


Loopholes

In contrast to the level of detail which otherwise prevails in the provisions, the draft legislation is all but silent on the subject of surveillance of communications abroad that is performed from outside the territory of the Federal Republic of Germany. This can only be regarded as a deliberately manufactured gap in the law, which the BND is left to creatively fill. As we know, Germany’s foreign intelligence service has long been given irresponsibly wide scope to creatively interpret the law.

For example, it created what is known as the “space theory” (Weltraumtheorie), which claimed that data from communication satellites could be monitored and passed on to the NSA. Irrespective of the fact that this data was collected and processed on German territory, the BND purported that it was gathered in space and German law supposedly does not apply there. In addition, international interception operations, such as “Monkeyshoulder” with the UK’s GCHQ or “Maximator”, an alliance with Denmark, Sweden, France and the Netherlands, were never subject to oversight, and evidently there are no plans for this to change in future.

The BND also has a great deal of scope when it comes to suitability tests. Personal data can be automatically collected and analysed to determine suitable telecommunications networks or suitable search terms. Suitability tests are ordered internally by the President of the BND vis-à-vis telecommunication service providers for a period of six months, but can be extended for another six months an indefinite number of times. The data gathered from suitability tests must normally be erased after no more than four weeks. However, it may continue to be used if there are “factual indications” that it offers information about a significant danger to a person’s life, limb, or freedom, to Germany’s security, or to the security of a member of the EU, EFTA, or NATO. This opens up at least the possibility that, alongside the official collection of data, data may secretly be collected in parallel without being subject to oversight in the future. Data collection in the context of suitability testing is simply not subject to control and limitation, both in terms of time and the amount of data collected.

Another area that will continue to be completely exempt from scrutiny in the future is the military intelligence activities carried out by the BND for the armed forces (Bundeswehr). Next to nothing is publicly known about this. The draft legislation refers to it for the first time. The BND and the Bundeswehr will now officially be permitted to maintain joint files. However, the provision is silent or, at best, vague about how potentially protected personal data is to be handled in the framework of Bundeswehr missions abroad, for example. Furthermore, high-frequency interception based on the Circularly Disposed Antenna Array (CDAA) in Gablingen is omitted entirely; this is a special area in the BND’s military intelligence activities, as it does not operate on the basis of search terms. In addition, in practice it is all but impossible to oversee all requirements which are introduced using the undefined legal term of “factual indications” – a phrase used constantly throughout the draft legislation.

German nationals, EU residents, and individuals subject to particular confidentiality requirements — such as members of the clergy, lawyers, and journalists — can be investigated on a targeted basis and are subject to data collection largely without review if factual indications provide grounds for suspicion of any of a list of risks. This largely undermines the special protection for persons subject to a duty of professional secrecy that was confirmed by the Constitutional Court.


Further oversight gaps

The draft legislation also says little about the body responsible for administrative legal oversight. This body will be tasked with scrutinising the BND’s technical means, but the second draft of the legislation also assigns it legal oversight powers for the ex-post review of search terms. The administrative oversight body will have access to the IT systems used in the BND’s technical surveillance, but only if these systems are in the sole control of the BND. It is highly probable that a surveillance tool operated in cooperation with the NSA, such as XKeyscore, for example, could not be scrutinised. The government’s draft legislation unfortunately does not provide for direct access to all information processing stages and types of data – a prerequisite for modern, data-based oversight of the intelligence services.

Instead, the draft legislation refers to random checks and an observer role, which — setting aside the fact that it is unclear who will select the sample to be checked — will rapidly reach its limits in relation to the large quantities of data involved in AI-based surveillance processes.

Further, the draft legislation seeks to comply with the Constitutional Court’s prohibition of global surveillance by limiting the volume of strategic surveillance of communications abroad to 30 per cent of all existing telecommunications networks worldwide. However, in practice this is likely to be almost impossible to scrutinise. After all, the only thing that can be determined from an internet node or a link which is under surveillance is the specific transmission capacity at a given moment in time, not what proportion of global traffic this represents.

Finally, a key shortcoming in the draft legislation is the near-complete disempowerment of parliamentary oversight, following on from the system put in place in the first BND reform in 2016. Unfortunately, the Constitutional Court did not establish any concrete requirements on this subject. That said, an oversight body is not effective if it merely has the right to object and does not have the power to act as a counterpart to the Federal Government if necessary. At the same time, the creation of the new Independent Oversight Council would in fact give rise to a strange discrepancy. In the future, the BND’s surveillance of communications abroad would be subject to more intensive oversight than the surveillance of international communications (communications where one communicating party is located within Germany and the other is abroad), an area overseen by the G10 Commission. This is even though the latter actually represents a more serious interference with fundamental rights according to the standards applied by the Federal Constitutional Court. The G10 Commission, another important construction site within German intelligence law, therefore does not even attain the very limited level of oversight powers and personnel that is designated to be available to the Independent Oversight Council.


Conclusion

In conclusion, Germany’s already fragmented oversight of the intelligence services will be fragmented further. In the future, there will be no institution with a genuine overview of what is really going on at the BND. That may please the government, but for Parliament and in particular for the opposition, it is unacceptable.