New IT Security Law Draft: Why Should the Police Get Instagram Passwords?

guest Post

Only recently, the government-internal draft of the planned second law for increasing security in information technology systems (IT Security Act 2.0) was published by "netzpolitik.org". The Federal Ministry of the Interior, Building and Home Affairs (BMI), which is responsible for the bill, wants to strengthen IT security in Germany, especially given the data leak of politicians and celebrities that became known in early 2019.

Would the law in this form really increase IT security, ie the "state in which the confidentiality, integrity and availability of information and information technology are protected by appropriate measures"? Or is it another indicator of the Federal Government's inability to implement strategy in IT security addressed in the Interior Committee?

IT security versus public security

In fact, the draft contains a number of useful measures. These include extensive reporting on security incidents at suppliers of key critical infrastructure components as well as additional tools to combat botnets.

The powers of the Federal Office for Information Security (BSI) are being extended by the bill, making it even more a special-order authority. The office is to receive 864 new jobs.

Additional industries such as the media and culture are also required to provide more IT security. According to the bill, additional costs of about 45 million euros will be added to the economy. The companies will certainly not be thrilled. But if the IT security law 2.0 remained completely on the subject of IT security, it might have become a solid design.

Unfortunately, BMI as the lead ministry mixes IT security and public safety. This intentional uncleanliness was also the reason for the cyber security strategy in 2016 that some of the measures proposed at that time tend to create uncertainty.

For example, providers should recognize in the future if their services are used for the "unlawful transfer or publication of illegally obtained data", and inform the Federal Criminal Police Office immediately. In addition, the Provider shall, after consultation with the competent authorities, block access to the data or delete the data. Apparently, the BMI wants to prevent a re-exposure of politicians by publishing their data and documents, as it had happened in January.

Even the controversial "Darknet-Paragraf", which has so far been discussed only at country level, is reflected in the present bill.

However, neither these measures, nor the further amendments to the Penal Code on criminal liability for unauthorized interference in information technology systems will lead to more IT security in Germany.

Pass the password to the police

The fact that this law is not always about IT security is also clear from the obligation to provide access data. Thus, in the future, a suspected person should be forced by law enforcement to hand over their username and password for telecommunications or telemedia services. This can include both their Instagram account as well as the login to the illegal underground forum for the exchange of weapons and drugs.

Thus, according to the explanation of the law, the virtual identity of the suspected person should be taken over in order to collect evidence of crimes committed by others. However, it becomes problematic if the access is additionally secured by two-factor authentication - that is, with an additional code that the suspect, for example, receives via SMS or app on his smartphone. In this case, the suspect would have to tell the prosecutors in addition to the access data to the account and the unlock code for the smartphone. Only then could they disable this additional protection. Alternatively, the suspect would have to be forced to suspend this protection himself.

Thus, this part of the bill would only lead to more IT security on the part of criminals, namely if they increasingly activate two-factor authentication and also introduce illegal underground forums to this additional protection, so that the disclosure of their customers' login data would be more difficult. This is certainly not the intention of the BMI, but the exact opposite.

From a democratic point of view, difficult to understand

Furthermore, it is unclear why, although media and cultural organizations, but not political parties should be charged with the obligation to provide more IT security. Although politicians and parties are targeted by foreign intelligence services, they will not be required to report IT security incidents. They also do not have to stick to IT security standards in the future. From a strategic perspective, this is incomprehensible.

In addition, there are some technical errors, such as the reference to a paragraph in the Federal Data Protection Act on information obligations after data leaks, which has long since been eliminated by the implementation of the EU General Data Protection Regulation. One can therefore be curious about the legal assessment by the Federal Ministry of Justice and Consumer Protection.

In sum, the approximately 90-page bill is a colorful mix of meaningful measures, but also problematic regulations that are more in a law to strengthen public safety than in an IT security law. The fact that the BMI has not devoted itself to these challenges, but once again tried to introduce new powers for prosecutors under the guise of strengthening IT security is not completely honest and difficult to understand from a democratic perspective.