Criminal Justice & the Rule of Law Cybersecurity & Tech Executive Branch Intelligence Surveillance & Privacy

The German NSA Affair and the Need for Reform in Berlin

Mirko Hohmann
Thursday, September 17, 2015, 7:12 AM

When Chancellor Angela Merkel recently cited the “challenges” concerning the National Security Agency as an area that the German government has “tackled excellently” this term, many observers were surprised – not least because, two years into the “NSA affair,” the German government continues to vocally criticize American surveillance efforts while failing to address the shortcomings of its own intelligence agencies.

Published by The Lawfare Institute
in Cooperation With

When Chancellor Angela Merkel recently cited the “challenges” concerning the National Security Agency as an area that the German government has “tackled excellently” this term, many observers were surprised – not least because, two years into the “NSA affair,” the German government continues to vocally criticize American surveillance efforts while failing to address the shortcomings of its own intelligence agencies.

On the one hand, judicial control of German surveillance efforts does not exist and parliamentary oversight remains weak. On the other, the relationship between German intelligence agencies and their American counterparts remains asymmetric. Both issues have implications beyond German borders: They not only undermine Germany’s legitimacy as an international advocate for privacy and data protection, but also impede consistent transatlantic intelligence cooperation.

Indicative of such troubles are recent revelations of cooperation between the National Security Agency and the German domestic intelligence service – called Bundesamt für Verfassungsschutz, or BfV. In August, the German newspaper Die Zeit disclosed the “terms of reference” of an agreement between BfV and NSA. The BfV had apparently made a questionable bargain: In exchange for access to the NSA’s powerful search-and-analysis software, XKeyscore, BfV agreed to “share all data relevant to NSA's mission” with the American intelligence agency “to the maximum extent possible.”

Granted, there is nothing fundamentally wrong with a strong working relationship. After all, the BfV is tasked with gathering relevant information on threats to national security for the German government. Information sharing with the NSA – and other Western intelligence agencies – is crucial to that end. Moreover, access to the NSA’s superior surveillance software and expertise expands the BfV’s technological capabilities.

But as the NSA–BfV terms of reference demonstrate quite troublingly, the German intelligence services will go out of their way to gain access to US spyware. To begin with, the BfV’s sharing of data with the NSA is problematic from a legal point of view, as constitutional experts already pointed out last year during a hearing of the Parliamentary Committee charged with investigating the NSA’s activities in Germany. In essence, the BfV is subject to both the German G-10 Law – named after article 10 of the German Constitution, which guarantees the privacy of correspondence, posts and telecommunications – and the Act on the Protection of the Constitution (Bundesverfassungsschutzgesetz, or BVerfSchG). Both laws authorize the BfV to restrict the constitutionally guaranteed right to privacy in individual cases, and allow the collection of the content of communications and metadata. Given these provisions, it remains debatable whether the BfV is allowed to share with international partners the raw data it thereby gains access to, or only information resulting from the interpretation of such data. Matthias Bäcker, a professor of public law at the University of Mannheim, goes further: He argues that the current legal regime does not provide a sufficient basis for allowing the BfV to transfer either type of information to foreign intelligence agencies to begin with. Unsurprisingly, the German government adheres to a different legal interpretation.

Whatever legal view might be correct, there’s also the worrisome near-absence of transparency or parliamentary oversight over the BfV’s “acquisition” and use of XKeyscore. Seemingly, the BfV alone can decide how much data is “relevant to the NSA’s mission” and thus shared. Given the BfV’s role as a domestic intelligence agency, the shared material – possibly both personally identifiable data and metadata – might pertain to German citizens. Still, neither the Parliamentary Control Committee nor Germany’s data protection commissioner were informed of the BfV’s secret agreement with the NSA. Parliamentarian Hans-Christian Ströbele, a member of the Control Committee, complained to Die Zeit about “again having to learn about a deal between the BfV and the NSA from the press.”

Putting the BfV Affair Into Context

Although these issues may seem rather singular and technical, they are nevertheless revealing of how Germany generally handled the “challenges with the NSA” that Merkel recently referred to.

For their part, the intelligence agencies are forthcoming about their imbalanced relationship with the Americans. Gerhard Schindler, President of Germany’s Federal Intelligence Service – called Bundesnachrichtendienst, or BND – publicly confessed that “we depend on the NSA, not the other way around.” As a result, the agencies are apparently willing – compelled, some might argue – to operate in a legal gray zone.

At the same time, the German public remains strongly opposed to increasing the capacities of its own intelligence agencies. After all, many Germans were not just outraged by the revelations about the NSA’s activities in 2013, but also by the previously unknown level of cooperation between German and American services. And yet this hasn’t translated into radical or even modest structural changes, perhaps because the debate on the reform of German intelligence services has been left to a few journalists, activists and researchers. The revelations on the BfV’s recent deal with the NSA, for example, were hardly noticed; off the record some parliamentarians even pointed out that they “haven’t gotten a single email or phone call from constituents” urging greater attention on the behavior of German agencies.

The government thus remains inert, seemingly stuck between a dependency on American intelligence and technology, and a public that doesn’t want to see domestic intelligence capabilities bolstered. As a result, the government has neither pushed basic reforms (those having to do with, say, staff and funding for intelligence work), nor taken serious steps to enhance oversight mechanisms. The suggestion of increasing the resources available to the Parliamentary Control Committee have not been taken up, either; there are still only nine members of parliament who oversee the work of over 10,000 employees at Germany’s three intelligence services. Their meetings take place only once a month, and in secret.

This leaves Germany in a contradictory situation, wherein the country – despite the public outrage, its historically strong stance on data protection and its active support for international efforts to strengthen privacy rights – has mostly preserved its historical approach to intelligence collection. The intelligence apparatus, as researchers at the Berlin-based think tank stiftung neue verantwortung described in 2013, therefore still appears to have “more similarities than differences” with their British and American counterparts “when it comes to how these programs are authorized, how they function, and what oversight mechanisms exist to control them.”

Given the current discourse in Germany, the government may very well get away with simply preserving the status quo. But if it wants to remain a credible international actor, it needs to subject itself to the level of transparency and parliamentary oversight that it publicly demands of others. If it wants to reduce its intelligence agencies’ dependence on international partners, the German government will need to lead and encourage a public debate on the capacities and information that should be available to the German agencies – and the limits that should be set to them.

Otherwise, Merkel’s self-proclaimed “excellent” tackling of the NSA affair is nothing but sheer hypocrisy.

Mirko Hohmann is a research associate at the Global Public Policy Institute (GPPi) in Berlin. He works on the intersection of technology and policymaking with a focus on cybersecurity. He contributes to GPPi's work on Global Internet Politics and co-leads the Global Governance Futures program.

Subscribe to Lawfare