[liberationtech] German ISPs required to provide "back doors" (was: Re: Skype Co-Founder Launches End-To-End Encrypted 'Wire' App)

Moritz Bartl moritz at headstrong.de
Sat Mar 12 19:09:55 PST 2016


On 03/12/2016 01:47 PM, Joseph Lorenzo Hall wrote:
>> Interesting that Germany is seen in such a positive light.
>> Germany has a Patriot Act "light" legislation whereby if
>> the Wire app has more than 10000 users it can be obliged
>> by authorities to provide a 24/7 backdoor into their
>> systems. In this case compliance is easy if it can be
>> added to the binaries being distributed...
>> Not sure if this is accurate, however.
> Wow, Carlo, do you have any pointers to more about this German law?

tl;dr: It's not true.

This rumor has been around for quite some time, and is largely based on
misunderstanding and oversimplification. A very inaccurate article in
the quite popular and 'usually trustworthy' German computer magazine c't
contributed a lot to its spread. For a while I spread it, too, and it
is likely Carlo even heard it from me, so I feel partly guilty for this
now. :)

Disclaimer: I am not a lawyer, and I write this based on what I
remember. It's been several years since I last looked into this. There
are probably some subtle and maybe less subtle mistakes in my
explanations as well. Take with some salt. But, very few people seem to
have actually looked into it much deeper (or at least they didn't
publish about it). To the contrary, anything I could find that touches
this subject is definitely wrong in some aspects.

Basically in all countries (that I am aware of), the law discriminates
between Internet access providers and Internet content/service
providers. In Germany, the "telecommunications law" (TKG) applies to
access providers, and the "tele media law" (TMG) applies to services "on
the Internet" (e.g. websites).

Historically, the communications law dealt exclusively with access
providers, which usually have some physical communications
infrastructure, like phone companies and traditional (cable) access
providers. Communications providers have to register with a regulatory
government agency, Bundesnetzagentur (pretty easy, you basically state
that you are an access provider, iirc it's free of charge). To give some
context, a lot of the law deals with the potential monopoly status of
access providers and grants certain rights to the government regulatory
agency to interfere; other parts of it regulate frequencies/numbers,
emergency service reachability requirements, public phone book, TV etc.
-- but it also defines the rights of law enforcement. Data retention,
for example, is part of the communications law.

At least in Germany, they later explicitly broadened the communications
law to also apply to email and voice-over-IP telephony; in some way of
thinking, they do provide similar "communications" functionality. In
another way of thinking, they are clearly and simply services provided
"on the Internet", and for many people mail and SIP should rather be
under the scope of the "tele media law".

The tele media law that deals with services is a lot shorter and (from a
privacy perspective) is quite nice. At least on paper it _requires_
service providers to offer anonymous payment and access [0] (!) and
explicitly forbids keeping any user-identifiable data unless required
for billing purposes. Which means for example that any default webserver
configuration is illegal in Germany, strictly speaking, since the logs
contain IP addresses (and IP addresses were finally declared "user
identifiable data" after back and forths in courts).

Telecommunications law TKG §113 deals with law enforcement inquiries.
§113(5) is the relevant paragraph for this discussion. [1] It requires
communications providers with larger customer bases to provide legally
sanctioned "secure electronic interfaces" for law enforcement. If you
are smaller, what they usually ask is that you collect and upload the
data manually somewhere (FTP). The thinking is that with a large user
base you can afford to buy a dedicated, certified secure storage box
that they can log in to and grab data from. I think this is especially
relevant now with data retention, but I have last looked into it before
mandatory traffic data retention was passed and I'm not too sure about that.

There is a technical specification that describes in a lot of detail how
data needs to be structured so it can be delivered. Not many Germans I
talked to were even aware that such a document exists; it is a quite
interesting read. [2]

The only certified box for this, called the "SINA box" (Secure
Inter-Network Architecture), has primarily been developed for secure
government and military communications. [3] Also a very interesting box to look at
and study. Simplified, the box runs a hardened Linux kernel that
provides IPsec tunnels. There are differently rated boxes for the
different governmental security classifications.

For some weird reason, in most places the alleged minimum number of
customers you need to fall under the "you're big now and need to buy and
integrate this SINA box" category is stated as "10,000 customers"; some
even speak of "10,000 accounts". When you read §113(5), it clearly says
100,000 customers [1]. It's almost 4am and I did not hunt down whether
that was changed over time; sadly it is likely that somewhere someone
wrote 10,000 and everyone else copied it. The German Wikipedia article
on SINA boxes also (incorrectly) says 10,000.

In any case: I've talked to some ISPs and if I remember correctly what
you usually do is pay one of the few consultant companies that do this
to (help) install it. If you're halfway sane, you will isolate it
completely from any existing infrastructure, put it on a separate
network and only expose very narrow interfaces. Likely, this is how the
consultancy company does it for you (or suggests doing it that way). There
is quite some integration cost as you need to be able to feed data to
the box according to the specification. The box can be accessed by law
enforcement, _but_ they will only have access to its local data; data
that the communications provider already "gave up" and deliberately and
knowingly transferred to the box.

In summary, this is only a technicality. The legal requirements to hand
over data are not affected by whether you are small or large. All this
does is provide a potentially "safer" and "more automated" way to
transfer the data, that's all.

I've searched for this again, and thankfully finally a German mail
provider who advertises privacy and was confronted with these rumors
published a clarifying blog post (in German). Of course, they also speak
of a "10.000 user" requirement... [4]

[0] TMG §13(6) https://dejure.org/gesetze/TMG/13.html

[1] https://dejure.org/gesetze/TKG/113.html

[2] http://www.bundesnetzagentur.de/cln_1431/SharedDocs/Downloads/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/OeffentlicheSicherheit/TechnUmsetzung110/Downloads/01DETRTKUEV62August2012pdf.html

[3] https://www.bsi.bund.de/DE/Themen/Kryptotechnologie/SINA/Systembeschreibung/systembeschreibung_node.html

[4] https://posteo.de/blog/posteo-zur-m%C3%A4r-von-der-abh%C3%B6r-schnittstelle

-- 
Moritz Bartl
Renewable Freedom Foundation
https://renewablefreedom.org/