Facebook knows your friends and political affinities, your mobile service provider knows your whereabouts, Instagram knows what you had for dinner. But who are they telling? As Orwell’s dystopian world turns 30, are Berliners in danger of becoming transparent citizens?
On your U-Bahn to work, most likely under the eye of one of the 3165 cameras on BVG trains and platforms, you pull out your phone and start typing a comment on Facebook. Realising it may be too polemical (who could tell if your future boss is snooping around?), you erase it instead of posting. A common practice, seven out of 10 users do it. Facebook knows these figures, because they saved what you just erased. Last year, the company made a survey analysing data from the ‘self-censored’ messages of nearly four million users. (Why? Less generated content equals less ‘social value’, which may harm their service.)
It’s not a matter of having anything to hide or not, but a human rights issue.
As you get off the train, 500 metres away from you a bag is being snatched. The incident has nothing to do with you, but afterwards the police may nevertheless find out who you are, who you called and when, just because your cell phone was in the area. They may request this data from all mobile network operators and filter it to find potential suspects. This practice, called Funkzellenabfrage
, is only supposed to be used in investigations of severe crimes. However, since it was revealed that the Dresden police used it against anti-neo-Nazi demonstrators in 2011, it has been subject to public debate. Last year, the Berlin police gathered 50 million records of phone traffic metadata, more than ever before. That means, provided you hang out in areas with average crime rates, your data was collected 14 times.
The post-Snowden landscape
Known for some of the strictest data protection laws in the world, Germany has blocked the harmonising of laws in the European Union, afraid they wouldn’t be able to keep their high standards. Germans have had Google blur their houses on map street views, and Facebook remove facial recognition. Yet, never before has it been so difficult to maintain one’s anonymity, such that the average German is in risk of becoming a gläserner Bürger
– a transparent or “glass citizen”.
In the words of Edward Snowden himself, in a June 2013 interview with The Guardian
: “Even if you’re not doing anything wrong, you’re being watched and recorded.” Since the revelations concerning mass surveillance through programmes like the NSA’s PRISM and XKeyscore, it appears our personal information is up for grabs. Should we assume everything we do online is being monitored? “In principle, yes,” says Alexander Dix, Berlin’s Data Protection and Freedom of Information Commissioner. “That is probably the reality, unless one takes certain steps to prevent that from happening. But if someone is not a nerd in that sense of the word, then everything he does online is under surveillance.”
The brunt of this intrusion stems from the NSA, whose guiding philosophy has been referred to as the ‘haystack method’: compile as much information as possible, and sift through it to find that one useful ‘needle’. According to Dix, Germany’s foreign intelligence agency, the Bundesnachrichtendienst
(BND) operates under stricter conditions as the only German government body that can secretly screen our calls: “Under German law, this [haystack method] is only legal in the very particular case of international telecommunications, where you can screen contents of conversations indiscriminately based on certain keywords.” This keyword scanning and recording method is applied to all international telephone calls and internet traffic with a link to Germany. Recorded calls are then crossreferenced with other databases to determine whether a communication appears suspicious.
There are restrictions, though. Only one-fifth of the communication data traffic that has a ‘foreign element’ can be copied and reviewed by the BND. Also, they’re not supposed to be spying on German citizens. But in an online world, that is largely theoretical. Email addresses ending in .de could of course be erased, but what about Germans with Gmail accounts, Facebook and Skype? Or Al-Qaida members with .de accounts?
Victim or accomplice?
“It is hard to believe that they didn’t know,” says Dix, on the BND’s complicity with the US intelligence agency’s surveillance programmes. “At least that they didn’t know more than they admitted later on.” In the wake of the NSA’s tapping of Angela Merkel’s mobile phone, one might view the German government as a victim of espionage, rather than an accomplice. Yet around 50 of Snowden’s documents detail Germany’s collusion with the NSA. According to Der Spiegel
, the NSA and BND cooperate at the Bad Aibling listening post near Munich to monitor possible terrorist activity in Pakistan and Afghanistan. It’s known that the BND has used XKeyscore intel – “for testing purposes”, they claim – and through documents leaked to netzpolitik.org it was revealed that the Bundeskriminalamt
(Federal Criminal Police) has acquired FinFisher spyware which allows “remote intrusion” of digital devices. Though this spyware was recently deemed illegal, research is already underway to develop new software that remains within the restrictions of the German constitution.
Says Dix, “Infiltration of computers by malware only seriously began after 9/11,” when German intelligence agencies were escalating in surveillance. With two new sets of laws, the Anti- Terror-Paket I
, they were allowed to request customer data from airlines, postal services and banks. “The detection networks become more dense, the observation-free zones smaller,” Heribert Prantl, Süddeutsche Zeitung journalist and author of Glanz und Elend der Grundrechte
(Splendour and Misery of Fundamental Rights), said in an interview with Telepolis
. “For security reasons, people are now being tapped and observed, computers are being searched. People are being imprisoned, even tortured.”
While law enforcement must procure a warrant to perform surveillance operations such as Funkzellenabfrage
, the BND must justify itself to the G10 Commission (named after the article of the German constitution that safeguards communications privacy) and the Parliamentary Control Commission. This sounds like reassuring oversight, yet the process is entirely opaque, Dix says. “We do have laws regulating surveillance, but the key issue is to what extent can they really be enforced, and controlled.”
Trouble in Neuland
Although ridiculed for her comment, “The internet is Neuland
for us all,” Chancellor Merkel was correct – in legislative terms, the internet is nigh-uncharted territory. Posteo.de, a Berlinbased email provider dedicated to its customers’ privacy, had a rough encounter with this legal minefield. “Last year, the police came to our offices with a warrant to claim inventory data which we didn’t have, but they didn’t believe our lawyer,” says founder Patrik Löhr. German email providers that store Bestandsdaten (
the names and phone numbers of clients who may be under suspicion of illegal activity) are legally obliged to submit it – but Posteo.de does not retain this information. “They tried to intimidate us and were very forceful. In the end, they had to leave empty-handed.”
According to Dix, surveillance laws are so broad that they cannot cover every situation, leaving many loopholes: “For example, a new power is given to investigate a serious crime, but as society changes the definition of a ‘serious crime’ changes… Police legislation always uses broad language, they need to become more specific.” Malte Spitz, Green Party member and activist for media and internet policy, speaks of the system’s inadequacies: “How can parliamentarians oversee something if they don’t understand the concrete process of how intelligence agencies monitor people, or if they have no possibility to ask experts on specific cases? The oversight system in Germany isn’t working; the idea of oversight is there, but it’s not a powerful and controlling oversight.”
Metadata is content
If you see that a person is texting someone at 3am, you can assume he doesn’t have a job for which he needs to wake up at 6am, and that he has friends who don’t either… That’s how metadata works.
If citizens are being subjected to surveillance, don’t they have a right to know the extent? After a lengthy battle with the mobile service provider Deutsche Telekom, Spitz finally won back data that had been recorded over six months of his life: the times and locations of his phone calls, from which extensive personal information could be extrapolated. “I was surprised by the amount,” says Spitz. “I didn’t expect there would be 35,000 lines… every few minutes you could see where I was, what I was doing.” German phone companies are obliged to save this metadata, but they’re not allowed to store the actual calls. From a surveillance perspective, Spitz says, metadata is easier to analyse anyway: “If you see that a person is texting someone at 3am, you can assume this person doesn’t have a job for which he needs to wake up at 6am, and that he has friends who don’t either… That’s how metadata works.”
Politicians have asserted harvesting times and locations of phone calls and emails is less invasive than collecting actual content, and that the two could be separated. Privacy activists argue that collecting metadata can in fact be more intrusive in people’s privacy than listening to content – as Spitz outlined with compelling graphics in a TED Talk in 2012. The type of information that can be piled up under the term ‘metadata’ now consists of much more than the time and the person involved in the communication. You can read out the location, device number, language setting of the cell phone or computer, operating system… “The old distinction between metadata and content is outdated. You can create content out of metadata,” says Jan-Peter Kleinhans from the data protection initiative Privacy Project. “And still the law doesn’t treat metadata as content. This is just wrong!”
Hacker’s paranoia or human rights issue?
Does heightened awareness of your transparency make you care? In Berlin, groups like Digitale Gesellschaft, netzpolitik.org and Chaos Computer Club have been talking for years about data protection. “But they were the nerds and the hackers, who could easily be perceived as ‘IT people’ or conspiracy theorists,” says Kleinhans. Privacy Project wants to change the focus of the public debate from an ‘internet topic’ to a question of human rights: “It’s not a matter of having anything to hide or not, but a human rights issue. The right to privacy, to form your opinion.” He thinks the BND works according to double standards: “The EU Charter of Human Rights assumes everyone is equal. At the same time, our intelligence agencies operate on national terms, where foreigners have NO rights. Zero protection.”
So how to proceed? Once or twice a week, hordes of Berlin hackers full of confidence about “taking back what is already written into our constitutions” gather to teach you all they know about anonymous surfing and encrypting your email. Michael Schmidt spends 10-15 hours a week organising these so-called cryptoparties. “How would you feel if you knew as we’re sitting here that someone is in your flat, in your bedroom? You’d want to go home and throw him out. Do you have anything to hide? Not really. You could just live there and ignore him, but you don’t. And that’s a healthy feeling.”
Data Protection Commissioner Dix is in favour of encryption. He wants more state money to inform the public, and says it should “definitely be taught in schools.” He doesn’t encrypt emails himself, though: “It’s too complex.”
Interestingly, Germany’s domestic intelligence agency, the Bundesverfassungsschutz
(BfV), wrote in their annual report 2013 that “closed fora and encryption programs are mostly useful as communication tools for potentially violent extremists.” Does using encryption services then make you a target? Potentially. After Angela Merkel, the second German proven to be spied on by the NSA is Sebastian Hahn, a 27-year-old computer science student in Bavaria, for hosting a Tor server.
There is a point in doing it anyway, though. The more of a default procedure it is and the more people encrypt, the less suspicious it will be to spying eyes. The encryption software pioneer Philip Zimmerman compared it in 1991 with using envelopes for your correspondence, instead of writing everything on postcards.
How can we be sure that we will hold on to our privacy and not become transparent citizens? In the optimistic words of cryptoparty organiser Schmidt: “We don’t earn money, we just know it’s the right thing. Passion is in the centre of the movement. Governments have no passion.”
Originally published in issue #130, September 2014.