On November 24, the SPD, the Greens and the FDP ("traffic light coalition") presented their coalition agreement. IT security is to be given a higher priority again in it. Instead of tightening surveillance of citizens, as has been the case in recent years, things are now to move in the other direction again.

You can find out here what exactly the goals in the area of IT security are to be under the traffic light coalition.

Role of the BSI in IT security

The coalition agreement states that the Federal Office for Information Security (BSI) is to become "more independent". What exactly is meant by this wording is still unclear. In any case, the BSI will probably not be appointed a supreme federal authority.

However, government agencies are to be obliged to report known security vulnerabilities to the BSI. In addition, their IT systems are to be audited externally on a regular basis. The BSI is then to report the security vulnerabilities to the companies. The goal should always be to close vulnerabilities as quickly as possible. The government should not buy security gaps or keep them open.

If these goals were implemented, the traffic light coalition would even go beyond what the Federal Constitutional Court (BVerfG) recently demanded in the area of IT security. Indeed, the BVerfG had last allowed security authorities to "conduct source telecommunication surveillance by means of an unknown protection gap" in July.

In the past, however, German authorities rarely placed spyware on end devices with the help of security vulnerabilities. Therefore, doing without them should not be too difficult.

White hacking for IT security under the traffic light coalition

The agreement of the traffic light coalition on IT security further states that "white hacking", i.e. in the language of the coalition agreement the "identification, reporting and closing of security gaps in a responsible procedure" should become legal. This would require an amendment to the "hacker paragraph" in the Criminal Code (Section 202c StGB).

However, conducting hackbacks against suspected cyberattackers is rejected.

State Trojans and Online Searches

The use of government surveillance software is not to be completely banned. However, the requirements for this are to be higher in the future. In this context, the coalition government also wants to implement the requirements of the Federal Constitutional Court. However, the coalition agreement is only very vague on the subject of reviewing the authority of the Office for the Protection of the Constitution to use such state Trojans.

The traffic light coalition maintains that a legal basis must be created for the controversial hacker authority Zitis. In this way, it wants to guarantee that parliament and the data protection supervisory authorities can monitor Zitis without any gaps.

No changes seem to be found in the development of monitoring tools.

No permanent monitoring

The coalition agreement clearly positions itself against blanket video surveillance and the use of facial recognition software. This should be emphasized positively in any case. The traffic light coalition demands: "The right to anonymity both in public spaces and on the Internet must be guaranteed". It even goes so far as to demand that biometric identification in public and government scoring systems be banned at the European level.

In any case, data retention should only be allowed on an "occasion-related" basis. The exact form this will take is still unclear. It could amount to a kind of quick-freeze regulation, which has already been discussed. However, a ruling by the European Court of Justice (ECJ) is still awaited.

Instruments of the traffic light coalition for IT security

In order to identify cyber attackers and similar perpetrators, the traffic light coalition wants to use login traps for more IT security while protecting fundamental rights. To this end, the authorities are to be allowed to make corresponding inquiries to providers, who will then disclose the current IP addresses. In this way, even pseudonymous users are to be identifiable in the future "in a way that protects fundamental rights and is freedom-oriented".

In order to take sufficient account of civil liberties overall, a surveillance audit is also to be carried out by the end of 2023. This is to include "an independent scientific evaluation of the security laws and their impact on freedom and democracy in the light of technical developments". It remains to be seen what impact this will have in practice.

No upload filters for IT security under the traffic light coalition

The traffic light coalition rejects mandatory upload filters "to protect the freedom of information and expression". Against the background of Art. 17 of the EU Copyright Directive, this wording seems unclear.

In any case, the traffic light coalition openly opposes "general monitoring obligations, measures for scanning private communications and an identification obligation" as envisaged by the EU. Whether measures such as the planned chat control can be prevented remains to be seen.

All in all, the coalition agreement of the traffic light coalition on IT security is promising. As is always the case with coalition agreements, however, it remains to be seen whether and how they will actually be implemented.

If you need help in the area of information security contact us, we will be happy to support you in the technical and organizational implementation in your company.