Zero-day exploits: State Trojan lawsuit fails before the Federal Constitutional Court


The Federal Constitutional Court rejected a constitutional complaint against the state Trojan law in Baden-Württemberg as inadmissible. The plaintiffs nevertheless describe the judgment as a success, because the Karlsruhe judges lay down rules for the handling of security vulnerabilities.

This case is not about the use of state Trojans in general, but about the extent to which authorities are allowed to exploit security vulnerabilities. The complainants' allegation: the state should not be allowed to hoard zero-day exploits en masse, because this violates the fundamental right to the confidentiality and integrity of IT systems.

Requirement for vulnerability management

The complaint, which according to a Spiegel report was submitted by the Society for Freedom Rights, the Chaos Computer Club Stuttgart (CCCS), journalists and a provider, is specifically directed against the police law in Baden-Württemberg. According to the complaint, that law places no limits on the exploitation of security vulnerabilities. It therefore lacks a legal framework that is “suitable for avoiding fatal disincentives for its authorities that undermine IT security within the scope of the Basic Law and beyond”.

The complaint has now been declared inadmissible by the Federal Constitutional Court. Nevertheless, plaintiffs such as Ulf Buermeyer from the Society for Freedom Rights consider the judgment to be a success.

The reasoning for the judgment states that authorities cannot simply exploit security loopholes, but have to weigh up between using the state Trojan and protecting the population. The state is therefore obliged to “protect the users of information technology systems from attacks by third parties on these systems”.

There is also no fundamental right to the authority's obligation to immediately and unconditionally report every undetected IT security gap to the manufacturer. However, the fundamental rights obligation to protect requires a regulation on how the authority has to resolve the conflict of objectives between protecting information technology systems from third-party attacks by means of unknown IT security gaps on the one hand and keeping such gaps open to enable a source TKÜ serving to avert danger on the other in accordance with fundamental rights.

Federal Constitutional Court

The legislator is therefore obliged to regulate the state's handling of security vulnerabilities in law. The judgment could send a signal, because further constitutional complaints against state Trojans are still pending.

For the time being, nothing will change for state Trojans in Baden-Württemberg. The complaint was rejected because the complainants could not sufficiently substantiate that the state was violating its duty to protect. So the law remains in place.

More lawsuits are ongoing

The regulation of state Trojans remains controversial. There are other constitutional complaints against the law that the federal government passed in 2017. In addition, there are lawsuits against the police laws of the federal states.

Despite the ongoing proceedings, the use of state Trojans was expanded again during this legislative period. Now all German secret services can use the corresponding surveillance instruments. Complaints against that law have also already been announced.