The new "Law on the strengthening of security in the information technology of the federal government" introduces many new members of the "Schnuffel and Co." family, among them the BSI.
"As the national security authority, our goal is to promote IT security in Germany, so that everyone can benefit fully from the opportunities of the information society," reads the statement by the President of the Federal Office for Security in Information Technology (BSI), Dr. Udo Helmbrecht, on the home page of the BSI. To achieve this goal, a new law has only just been adopted by the Federal Cabinet. However, this "Law to Strengthen Security in the Information Technology of the Federal Government" is meeting with harsh criticism from data protection advocates.
Many big brothers
Thus, according to §5 of the planned law, the BSI is to receive the following power:
The Federal Office may, to defend against dangers to the communications technology of the federal government, 1. collect and automatically evaluate log data that arise when operating communications technology of the federal government, insofar as this is necessary for detecting, isolating or eliminating faults or errors in the communications technology of the federal government or attacks on the information technology of the federal government, 2. evaluate the data arising at the interfaces of the communications technology of the federal government, insofar as this is required for the detection of and defense against malware.
Although §5 guarantees that the data is deleted immediately and without a trace after each evaluation, the restrictions made for this procedure are worded very broadly.
(3) Any use of personal data beyond paragraphs 1 and 2 is only permitted if certain facts justify the suspicion that 1. the data contain a malicious program, 2. the data were transmitted by a malicious program or 3. indications of a malicious program can arise from them, and insofar as the data processing is required to confirm or refute the suspicion.
But that is not all: the planned BSI law drives quite a few other big brothers into the arms of the "Schnuffel and Co." family, because providers of telemedia services are, according to the draft, now to get a considerably simplified way to store and analyze the data of their users. Article 3 states that the Telemedia Service Act is amended and that the following paragraph 9 is added to §15:
Insofar as necessary, the service provider may collect and use usage data for detecting, isolating or eliminating faults in the technical equipment it uses for the purposes of its service. Paragraph 8 sentence 2 and sentence 3 apply accordingly.
The said §15 regulates the treatment of usage data by the service provider; in particular, it lists the collection and use of data for billing purposes or market research, the latter only with the consent of the user. Anyone who suspects that paragraph 8, sentences 2 and 3 contain restrictions on the new storage capability is mistaken. Only the time of deletion of the data and the informing of the user are regulated therein.
For providers such as studiVZ, Google, Amazon and YouTube, this opens up unprecedented possibilities to record and evaluate the behavior of their users, since fending off malware and maintaining their services are sufficient as grounds.
An old acquaintance: crimes committed by means of telecommunications
They already appeared in data retention: the offenses committed by means of telecommunications (TK offenses). At the beginning, data retention was supposed to help against terrorism or child pornography, so ran the favored formulation on privacy and civil rights. However, the Federal Constitutional Court twice put a stop to the use of the retained data for these TK offenses.
By way of the planned law, the BSI now receives the power to evaluate the data of users and to become active in the case of TK offenses. The BSI may forward the collected and analyzed data to the constitutional protection authorities and the police not only in cases of serious crime, terrorism, etc.; §5 (4), sentence 1 also makes this possible for TK offenses:
§5 (4) The Federal Office may transmit the personal data referred to in paragraph 3 to the law enforcement authorities for the prosecution of a criminal offense of considerable importance or a criminal offense committed by means of telecommunications.
So what the Federal Constitutional Court did not approve in its decisions on data retention (VDS) is now to be achieved by an indirect route.
Core area of private life? The BSI decides that
§5 of the new law contains a clause that makes critics raise their eyebrows. According to it, a judge should no longer decide whether collected data is to be assigned to the core area of private life. No, the decision-making authority here lies clearly with the Federal Ministry of the Interior, which in recent years has not exactly proven to be a shining light of data protection or expressed its respect for the judgments of the Federal Constitutional Court.
If there are any doubts as to whether findings are to be attributed to the core area of private life, the data in question must either be deleted or submitted without delay to the Federal Ministry of the Interior for a decision on their usability or deletion.
While the results are to be documented, the documentation is intended only for data protection oversight and is then to be deleted, at the latest in the year following the year of the documentation.
Inform the citizen? But why?
The obligation to inform citizens about malware and security is missing from the legislative draft. The data protection conference has spoken out against the bill as it stands, as has the Working Group on Data Retention (Arbeitskreis Vorratsdatenspeicherung), which has published a position paper several pages long and also calls on people to contact the members of the various committees in the Bundesrat as well as the Bundestag deputies.
However, if one looks at the last few years together with their legislation and distortions, it cannot be assumed that the protest will have the appropriate effect. The new BSI law will make the already large Schnuffel family grow further.