What is state surveillance? Can it endanger democracies? How does it affect our lives and thinking, and is it even purposeful? We have already talked about the tracking and analysis of our behaviour and personal preference by companies in the past, but an aspect worth discussing is also digital surveillance by the state and corresponding security apparatuses.
UPDATE: on June 8th 2021 the coalition parties of the current german government, CDU, CSU and SPD agree to a draft bill which allows the 19 German intelligent services the use of severe, preventative surveillance techniques.
The surveillance of communication is, of course, a critical point that reflects positively or negatively on the freedom and light-heartedness of a society. Not only the famous novel “1984” by George Orwell from the late 1940s tells of a totalitarian surveillance state that checks the communication of its citizens for possible content contrary to the regime’s opinion. But even the real world, outside of dystopian stories and fears, has always produced times and places where secrets and privacy are nothing more than a distant wish.
Even the democracies of western states, which claim to place particular value on general freedom as well as freedom of expression, use a whole network of surveillance structures within and outside their own borders, as became known, among other things, through the publications of Edward Snowden.
However, democratic control bodies, independent reporting and a broader understanding of the dangers of the issue can certainly protect us from unlawful encroachments by the security authorities. At the same time, however, state surveillance also puts them at great risk. But before we can talk about the effects of surveillance, we need to clarify what surveillance is (or what surveillance is not).
What is “Surveillance”?
The concept of surveillance can have different meanings depending on the situation and the perspective, regardless of a normative classification. In the context of digital surveillance of civil groups by state agencies, however, attention should be paid to the following aspects, as elaborated by Monahan and Wood and by Richards: [1, 2]
- the systematic or routine, focused and also targeted observation of individual actors, groups or situations.
- a hierarchical or organisational subordination of those being monitored, i.e. an existing power imbalance.
- the aim or purpose of the surveillance to protect, manage or influence those being monitored.
According to these criteria, measures by security authorities and secret services can be critically evaluated and defined as either surveillance or not.
Accordingly, they exclude random or occasional checks (e.g. samples) from the notion of surveillance. At the same time, however, it should not be forgotten that digitalisation and the greater shift of our lives into the digital space result in other qualities and possibilities of tracking and that for this reason classification criteria are (and have to be) in a constant state of change. [1, 2]
Which methods are being used?
What forms of state surveillance exist and are used in practice? In the following, we list some information from Germany and use this example to show how state surveillance has developed over the last decades. Here we restrict ourselves to surveillance methods targeting digital communication and digital end devices. But surveillance is also generally possible outside of these, such as through surveillance cameras, especially when combined with new technologies such as facial recognition AI.
Data Preservation (VDS)
As early as the mid-2000s, political efforts were made in the Federal Republic of Germany to give police authorities more rights and opportunities to prevent and prosecute crimes in digital and analogue space. In particular, communication service providers and network operators should be obliged to collect specific data about users, store it for a certain period of time and make it available to authorities in the context of possible investigations. Data of all users should be kept available for a comparatively long period of time without any reason, thus enabling surveillance retrospectively. 
Even though both the German Federal Constitutional Court in 2010 and the European Court of Justice four and six years later respectively declared the specific design of data retention in Germany to be illegal, individual political actors brought the “Vorratdsdatenspeicherrung – VDS” (engl.: “Data Preservation”) back into play last year. This time, too, the European Court of Justice ruled in principle against the efforts of the state to carry out surveillance without concrete evidence, but conceded the possibility of temporary data retention in the event of a threat to national security, for example in the case of an imminent terrorist threat. [4, 5, 6, 7]
Surveillance of Telecommunication (TKÜ)
The “Telekommunikationsüberwachung – TKÜ” (engl.: Telecommunications surveillance”) is not exclusively but especially aimed at the surveillance of technical communication, e.g. SMS, e-mail and telephone conversations. It represents classic interception mechanisms of security authorities in the digital space. Unlike the VDS, however, the TKÜ is not a retroactive investigative method. Surveillance by means of telecommunications interception can only provide information from the start of the investigation. Also, unlike the VDS, the TKÜ tends to target individuals and groups in the context of ongoing investigations or targeted surveillance. [8, 9]
Its use is more strictly regulated than the planned implementations of the VDS, but surveillance of telecommunication is potentially more intimate. More importantly, it is difficult to determine in advance which data may or may not be accessed by the interceptors. The object of interception is therefore any content of a particular communication. Simplified, one can think of the TKÜ as a third person listening in on a four-eye conversation without being noticed. [8, 9]
It is with the increasing emergence of encryption methods in communications technology that the TKÜ becomes particularly explosive. In particular, the use of end-to-end encryption (E2EE) by more and more messenger services makes the use of TKÜ effectively useless, as intercepted data streams remain encrypted and thus no information can be extracted from them. To counteract this, more and more security authorities are calling for the possibility of so-called Quellen-TKÜ, better known under the synonym of the “state Trojan”.
The State Trojan
Since a series of terrorist attacks and crimes in the past two decades, which – like most people’s private exchanges – were organised mainly via digital communication channels, security authorities have increasingly demanded more legal means for drastic surveillance measures. In the meantime, the legal path for this in Germany has already been paved for secret services, but also for the police in many federal states. The so-called “State Trojan” is therefore already a reality in Germany. [10, 11, 12, 13, 14, 15, 16, 17]
Since the already mentioned telecommunication surveillance is yielding fewer and fewer results due to ever more widespread encryption methods, attention is increasingly falling on the so-called “QTKÜ” (engl.: Source Telecommunication Surveillance). Here, it is not the transmission path of the communication that is “tapped”, as was possible with SMS, letters or even calls, but the end devices of the person to be monitored or their environment. The target of this technique is therefore directly the source of the telecommunication. Encryption procedures are not cracked, but deliberately circumvented. 
In addition, however, in contrast to conventional TKÜ in the context of the “online search”, the QTKÜ goes beyond the tapping and evaluation of live communication data. In this case, even data stored in the past on the end devices are then transferred to the executing security authority. 
In order to access the data before it is encrypted on the end devices of those being monitored, the security authorities use both commercial and self-developed malware, so-called Trojans. Usually, security holes in the operating systems or already installed programmes of the end devices are used to install the respective malware. A computer compromised in this way is thus a direct access point for information to the eavesdroppers. 
The implications of this are also problematic. Security authorities, which among other things also have the task of pointing out security vulnerabilities in popular software, are given an incentive by the active exploitation of these security vulnerabilities to not share the knowledge about them with the developers, such that the vulnerabilities could be fixed and access for hackers, but also the security authorities themselves, may be blocked. In addition, “end devices” do not only include computers and smartphones, but also smart home assistants, which are becoming more and more popular, and are thus targets of this kind of tapping. This allows the authorities to penetrate more and more intimate areas of our lives in the context of surveillance. [2, 17, 20, 21, 22]
Update: Agreement on Preventive Use of QTKÜ
Only a few days after the publication of this blog entry, the coalition parties of the German government agree on a draft law for the preventive use of the source TKÜ (State Trojan) for all 19 intelligence services (Verfassungsschutz of the 16 federal states, Bundesverfassungsschutz, Bundesnachrichtendienst and Militärischer Abschirmdienst) on July 8th 2021. In addition, private companies (for now limited to Internet service providers) are to be involved and must help with the installation on the respective end devices. 
How does surveillance affect us?
The consequences of surveillance, or even the suspicion of surveillance, can be extensive, affecting personal lives as well as democracy and society.
Richards explains that we as individuals and as a society fundamentally reject the idea of a surveillance state, but have difficulty identifying the concrete problem points and for this reason nevertheless accept slowly growing intrusions into our own privacy. 
But what are the concrete effects of state surveillance on our lives, including surveillance on a comparatively smaller scale, as it exists in most democratic states today? It is worth taking a look at the United Kingdom, one of the places in Europe with the most severe invasions of privacy due to mass surveillance. State surveillance, but also that of private security companies, exists both in public space through an omnipresent network of facial recognition surveillance cameras and in digital space with extensive rights for security agencies to track the behaviour of civilians on the internet. 
The side effects of mass surveillance include increased stress among those under surveillance, adapted behaviour and even adapted thought patterns. Often referred to in the literature as the “chilling effect”, activists, journalists and civilians may simply not dare to voice their concerns or opinions for fear that others (e.g. private companies or the state) may monitor the communication, even if the content of the communication is legal but possibly very intimate. Moreover, due to this “chilling effect”, state surveillance can have a concrete impact on our behaviour, similar to peer pressure from friends. Surveillance (or even the fear of being monitored) can in this sense be an intrusion into the freedom of expression and the exchange of information and thus corresponds to the already mentioned aspect of influence. [2, 23, 24, 25, 26, 27]
The centralisation of information is also particularly dangerous here, as it arises for example through digital monopolies but also through mass surveillance by states. It grants the surveillance bodies a decisive surplus of power in terms of information and influence. [2, 28]
Furthermore, mass surveillance for the purpose of preventive law enforcement (as opposed to legitimate, targeted law enforcement) places citizens under general suspicion. At the same time, the surveillance authorities appear to be increasingly intransparent and difficult to control. Even in places where the separation of powers is still preserved by judicial decisions, there is often not enough time to evaluate a concrete measure in detail. In order to avoid the inability to act, measures tend to be waved through rather than blocked, which can lead to the danger of disproportionate overreaching by the security authorities. The aspect of trust in the state, which is quite important for democracies, but also in the population, is in danger of being lost. [29, 30, 31]
Surveillance methods and mechanisms are of course not limited to government agencies. As noted in previous blogposts, surveillance, tracking and analysis methods by private companies are dangerous in a similar way as they are by state authorities. This is compounded by the fact that intelligence methods often find their way into industry sooner or later, at least if they can be used for economic purposes and are compatible with existing laws. Similarly, government agencies repeatedly make use of data collected by private companies or spy software developed by private companies. It is therefore simply too short-sighted to think that surveillance by the state is acceptable but by private companies is dangerous (or vice versa). 
Another aspect, which we would like to mention only briefly here, is the export of surveillance technologies to regimes and actual surveillance states worldwide. Even if one thinks that surveillance methods and software would be well regulated and used moderately in their own country, the commercialisation of such technologies leads to them being used to suppress human rights elsewhere. 
Is surveillance really necessary?
It is undeniable that security agencies need ways and means to carry out investigations. Similarly, it should be possible for intelligence services to reduce the threat of terrorism or to target underground movements, such as the right-wing extremist terrorist cells uncovered in Germany in recent decades. However, it remains unclear whether and how mass surveillance is necessary or even useful in this context.
Although security agencies and governments repeatedly cite mass surveillance for success in detecting and thwarting terrorist attacks, the United Nations and many security experts come to a different conclusion. According to them, there is objectively no empirical evidence for the usefulness of mass surveillance in the fight against terror and crime. Instead, the UN Special Rapporteur on the right to privacy attests those governments populist actionism and calls instead for carefully proportioned and effective methods of investigation. [34, 35]
The often cited arguments that innocent citizens have nothing to fear from surveillance should also be viewed critically. Although criminals and terrorist organisations are repeatedly named as reasons for surveillance measures, they affect everyone and can have real consequences for society and democracy, as noted earlier. [34, 36]
- Monahan, Torin and Wood, David (2018). Surveillance Studies: A Reader. New York: Oxford University Press. ISBN 9780190297824.
- Richards, N. (2013). THE DANGERS OF SURVEILLANCE. Harvard Law Review, 126(7), 1934-1965.
- “padeluun” (2007). 5-Minuten-Info: Vorratsdatenspeicherung. Online at: vorratsdatenspeicherung.de
- Skowronek, M. (2020). Pauschale Vorratsdatenspeicherung laut EuGH-Urteil unzulässig. In Zeit-Online from Oct. 6th 2020. Online at: zeit.de
- Wolf, B. (2020). Ein Grundsatz mit Ausnahmen. In Tagesschau from Oct. 6th 2020. Online at: tagesschau.de
- Münch, M. (2015). Die Vorratsdatenspeicherung im Vorurteilscheck. Bundeszentrale für politische Bildung. Online at: bpb.de
- Hügel, S. (2021). Und täglich grüßt das Murmeltier. In Netzpolitik.ORG from May 26th 2021. Online at: netzpolitik.org
- Der Bundesbeauftragte für den Datenschutz und die Informationssicherheit. Telekommunikationsüberwachung in Deutschland. Online at: bfdi.bund.de
- Bundesamt für Justiz. Telekommunikationsüberwachung. Online at: bundesjustizamt.de
- Dake, B. (2020). Staatstrojaner gegen Rassismus-Studie: War es ein Deal? In Bayrischer Rundfunk from Oct. 21st 2020. Online at: br.de
- Zimmermann, K. (2020). Geheimdienste sollen in Messenger-Apps mitlesen dürfen. In Zeit-Online from Oct. 21st 2020. Online at: zeit.de
- Steinke, R. (2020). Vom Trojaner zum Trojaner plus. In Süddeutsche Zeitung from Aug. 19th 2020. Online at: sueddeutsche.de
- dpa (2020). Geheimdienste sollen Messenger-Botschaften mitlesen dürfen. In Frankfurter Allgemeine Zeitung from Oct. 20th 2020. Online at: faz.net
- Bundesministerium des Innern, für Bau und Heimat 82020). Bundeskabinett beschließt Novelle des Verfassungsschutzgesetzes. Online at: bmi.bund.de
- Deutscher Bundestag (2021). Geplante Ausweitung des Verfassungsschutzrechts kritisiert. Anhörungsprotokoll. Online at: bundestag.de
- Mattes, A. (2018). Polizeigesetz Baden-Württemberg. Online at: freiheitsrechte.org
- Podsadny, L. (2019). BKA-Gesetz. Online at: freiheitsrechte.org
- Bundeskriminalamt. Quellen-TKÜ und Online-Durchsuchung: Notwendigkeit, Sachstand und Rahmenbedingungen. Online at: bka.de
- Holland, Martin (2020). Missing Link: Nichts zu verbergen? Von Staatstrojanern, Quellen-TKÜ und Palantir, nicht nur in Hessen. In heise Online from Feb. 16th 2020. Online at: heise.de
- Buermeyer, U. (2017). Gutachterliche Stellungnahmezur Öffentlichen Anhörungzur „Formulierungshilfe“ des BMJV zur Einführung von Rechtsgrundlagen für Online-Durchsuchung und Quellen-TKÜ im Strafprozess. Online at: freiheitsrechte.org
- Erxleben, C. (2019). Seit wann ist staatliche Überwachung eigentlich wieder sexy?. Online at: basicthinking.de
- Nocun, K. (2018). Leider richtig hässlich. In Der Freitag 42/2018. Online unter: [freitag.de](https://www.freitag.de/autoren/der-freitag/leider-richtig-haesslich9
- Snyder, A. (2019). How surveillance changes behavior. In Axios from Sep. 7th 2019. Online at: axios.com
- LeVine, S. (2018). Orwellian surveillance is changing us, and it’s powered by AI. In Axios from July 18th 2018. Online at: axios.com
- Ellis, D., Harper, D. und Tucker, I. (2016). Experiencing the ‘surveillance society’. The Psychologist, 29(9), 682-685. thepsychologist.bps.org.uk
- White, J., Ravid, D. and Behrend, T. (2020). Moderating effects of person and job characteristics on digital monitoring outcomes. Current Opinion in Psychology, 31, 55-60. https://doi.org/10.1016/j.copsyc.2019.07.042
- Munn, N (2016). How Mass Surveillance Harms Societies and Individuals – and What You Can Do About It. In CJFE from Nov. 8th 2016. Online at: cjfe.org
- Lau, M. (2013). “Wir werden belogen und hingehalten”. In Zeit-Online from July 23rd 2013. Online at: zeit.de
- Nocun, K. (2019). Amnesty zu neuen Polizeigesetzen: „Diese Entwicklung nicht einfach hinnehmen“. In Netzpolitik.ORG from Jan. 25th 2019. online unter: netzpolitik.org
- Nocun, K. (2013). Cyberwar der Regierungen gegen ihre Bürger. In Süddeutsche Zeitung from July 6th 2013. Online at: sueddeutsche.de
- Flade, F. (2020). Was macht eigentlich die “Hackerbehörde”?. In Tagesschau from Oct. 28th 2020. Online at: tagesschau.de
- Rogers, Z. (2019). Deleting Democracy: Australia and the surveillance juggernaut. AQ: Australian Quarterly, 90(3), 10-36.
- Nachawati, L. (2012). Syrien-Akte: Mehr westliche Technologie für das Regime. In Global Voices from July 10th 2012. Online at: globalvoices.org
- Debating Europe. Staatliche Überwachung – Für & Wider. Online at: debatingeurope.eu
- Cannataci, J. (2017). Report of the Special Rapporteur on the right to privacy. Human Rights Council Thirty-fourth session. Online at: documentcloud.org
- Weck, A. (2014). Absurde Argumente für Überwachung – und was Ihr darauf antworten solltet. In t3n from Jan. 5th 2014. Online at: t3n.de
- Meister, A. (2021). Große Koalition einigt sich auf Staatstrojaner-Einsatz schon vor Straftaten. In Netzpolitik.ORG from June 8th 2021. Online at: netzpolitik.org
Jan is co-founder of ViOffice. He is responsible for the technical implementation and maintenance of the software. His interests lie in particular in the areas of security, data protection and encryption.
In addition to his studies in economics, later in applied statistics and his subsequent doctorate, he has years of experience in software development, open source and server administration.