Laudator: Thilo Weichert – video recording
The BigBrotherAward 2022 in the “Authorities and Administration” Category goes to
the German Police, represented by the Federal Criminal Police Office (Bundeskriminalamt)
for the way personal data are stored in digital files and how they are used. Contrary to constitutional and European legal requirements, data in these files are not labelled, or not labelled appropriately. This entails the risk that the police or other agencies may, without justification, treat millions of people as dangerous persons (German “Gefährder”) or criminal offenders.
During the G20 summit in July 2017 in Hamburg, the independent press was supposed to report from the event. However, this coverage was curtailed. 32 press accreditations were rejected because according to the Federal government, “criminal offenders” were using them in an attempt to sneak into the inner circle of the summit. This included a 37-year-old photographer, who, although his certificate of conduct was impeccable, had a police record containing 18 entries, including “causing an explosion” in the category of “politically motivated crimes”: He had taken a photo while a firecracker exploded close to him. Some of the entries were 14 years old. An online journalist was rejected because an unfounded criminal complaint had been brought against him by a previously-convicted right-wing extremist. The other rejections of journalists also proved unfounded in hindsight.
The problem that these journalists had was that they had reported on political events, and had thus attracted the attention of the police. Police had registered them during the event, for example checked their press cards, and their data had been stored. Not a harmless process. The simple act of photographing a police officer can be stored under the label of “politically motivated crime” or “violation of the law concerning assemblies”, without any criminal charges, let alone a conviction. For years, these labels had remained in police databases, which are linked nationwide via the INPOL information system.1
The “sun-state” at the horizon
INPOL is operated by the German Federal Criminal Police Office (BKA) and connects federal and state police departments electronically. Its history can be traced back to the legendary BKA president Horst Herold, who made sure that the Office was massively extended and equipped with modern electronic data processing. The police was digitalised, centralised and made “smart”. It was Herold’s vision at the time that digital data analysis would enable police officers to arrive at the scene of the crime even before the perpetrator, and thus prevent the crime. He saw a “sun-state” on the horizon, in which crime would be almost entirely eliminated. The BKA was seen to be at the vanguard of digital police investigations.2
In 1981, Horst Herold was sent into early retirement. INPOL is still in operation today, after a number of modifications. There are now many additional linked databases at the BKA, such as the anti-terrorism file, and the file about right-wing extremism (Rechtsextremismus-Datei, RED), to which the German intelligence agencies are connected as well. Although INPOL is no longer young, it still serves as a backbone for more recent software. At the same time, the instruments available to security agencies to analyse digital data have grown tremendously, thanks to “big data”, “data mining” and so-called “artificial intelligence”. In fact the police now use digital research and analysis tools of the highest quality. Consequently it is now possible that a police officer’s entry in a digital process administration programme in Coburg contributes to the Federal government excluding a journalist from reporting about the G20 summit in Hamburg.
Dirty Data Laundering
Data protection efforts have not grown along with digitalisation, neither technically nor legally, as the Federal Constitutional Court (Bundesverfassungsgericht) has determined repeatedly. For example, in its ruling3 of 20 April 2016, the court found that the 2008 law about the Federal Criminal Police Office (the so-called “BKA-Gesetz”), which regulates the interconnection of police data, is in many respects unconstitutional. One reason for the unconstitutionality was the lack of measures to prevent a change of the purpose for which the data may be used – I call this “data laundering”.
Here is how data laundering works: If I am subjected to telephone surveillance by the police, regardless of any actual criminal activity on my part, this presupposes reasonable suspicion of a serious offence. Thanks to digital interconnections, the data that have been obtained via telecommunications surveillance (Telekommunikationsüberwachung, TKÜ) can, in theory, be retrieved from the computer in any police vehicle during a routine traffic stop. Suddenly I will appear to the police officers as a potentially dangerous criminal offender.
To prevent such data laundering, a data set obtained from telecommunications surveillance must be marked as such. There must be clear indication in which function my name appears in the database: as a contact person, an offender, a victim or as a witness. If I have been the subject of an investigation which has since been discontinued, because the accusations have turned out to be baseless, my innocence has to be documented in the database and access to the data set must be prevented. My data must be labelled, so that I will not be wrongly detained, searched or arrested, or lose my accreditation as a journalist.
Old Systems – New Problems
This is exactly what the law requires. The Federal Constitutional Court has laid down clear rules on how police data may be used and passed on. Consequently the updated law on the Federal Criminal Police Office4 (BKA-Gesetz) stipulates that unlabelled data “must not be processed or passed on, until it has been labelled.”5
Similarly, the European data protection directive for police and the justice system, which entered into force in 2018,6 requires that when police store data these must clearly indicate whether a person is a convicted criminal, a suspect, a victim, a witness, an informant or a contact person. It must also be clearly discernible if the stored data are documenting proven facts – or vague suspicions, or personal assessments.
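The labelling rules described above can be read as a deny-by-default release check. The following is an added example, not taken from the speech or from any police system; the field names, the `decide` function and the purpose table are assumptions made for illustration and do not reproduce the legal rules in detail.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Role(Enum):            # person categories the text lists
    CONVICTED = "convicted"
    SUSPECT = "suspect"
    VICTIM = "victim"
    WITNESS = "witness"
    INFORMANT = "informant"
    CONTACT = "contact person"

class Basis(Enum):           # proven fact vs. suspicion vs. assessment
    FACT = "proven fact"
    SUSPICION = "suspicion"
    ASSESSMENT = "personal assessment"

@dataclass(frozen=True)
class Record:
    person: str
    measure: Optional[str]   # collection measure; None means unlabelled
    role: Optional[Role]
    basis: Optional[Basis]
    discontinued: bool = False   # investigation closed as baseless

# Constructed policy table (assumption): purposes each measure's data may serve.
ALLOWED_PURPOSES = {
    "telecom_surveillance": {"serious_offence_investigation"},
    "identity_check": {"serious_offence_investigation", "traffic_stop"},
}

def decide(record: Record, purpose: str) -> Tuple[bool, str]:
    """Return (release?, reason). Deny by default; never release unlabelled data."""
    if record.measure is None or record.role is None or record.basis is None:
        return False, "unlabelled: must be labelled before processing"
    if record.discontinued:
        return False, "blocked: investigation discontinued as baseless"
    if purpose not in ALLOWED_PURPOSES.get(record.measure, set()):
        return False, "purpose change not permitted for this measure"
    return True, f"{record.role.value}, {record.basis.value}"

# Constructed sample records.
tku = Record("A", "telecom_surveillance", Role.CONTACT, Basis.SUSPICION)
legacy = Record("B", None, None, None)
cleared = Record("C", "identity_check", Role.SUSPECT, Basis.SUSPICION, discontinued=True)
witness = Record("D", "identity_check", Role.WITNESS, Basis.FACT)

if __name__ == "__main__":
    for rec in (tku, legacy, cleared, witness):
        print(rec.person, decide(rec, "traffic_stop"))
```

When a record is released, the reason string carries its role and evidentiary basis, so the querying officer sees in what capacity the person appears.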
The problem is that the outdated police databases in many cases offered no provisions for such labelling or indicators. Shortly before passing the BKA bill in the spring of 2017, the federal parliament recognised this, too, and so introduced an interim rule in Paragraph 91 of said bill. This states that for legacy systems, the requirement for such labels can be temporarily waived. Otherwise “the ability of the police to function properly” would be impaired.7
Nevertheless, one might have assumed that efforts would have been made to extend the database to enable such labelling. That indications would be entered retroactively to satisfy the data protection demands of the Federal Constitutional Court. But that was, and still is, considered way too much effort for the police. The old systems were not retrofitted; instead, new systems are being introduced which continue to pose the risk of innocent people being treated as dangerous persons.
The Botched-up Data-House Construction
A particularly daunting example is the EASy GS system of the Bavarian police, in which, as of June 2021, data from 1,644 football fans have been stored, although no concrete accusations had been made against them, and with most of them suspecting nothing at all – solely based on an “individual prognosis” by the police.8 Thus, the mere suspicion that someone might, in the future, commit a crime, is sufficient for them to end up in the file.
The Federal Criminal Police Office, meanwhile, points to the planning for “Polizei 2020”, a common federal/state “data house”, which is making slow progress. In 2018, a 31-page white paper about it was published by the Federal Ministry of the Interior.9 This mentions the requirement for labelling only a single time. However, much emphasis is placed on “ensuring the continued availability of the old data during the transformation process”. Nothing was said about protective measures, even back then.
In 2020, the Conference of Data Protection Commissioners criticized that the “data-house Polizei 2020” would need to be aligned with “legal data protection-related core requirements, as well”.10 A year later, the Federal Data Protection Commissioner deplored in his activity report the fact that the “technical land-use plan” for the “data-house” was aligned with police interests and was ignoring the legal framework.11
A Date with VeRA
Today, more than six years after the ruling of the Federal Constitutional Court, data labelling has still not been implemented. It seems unlikely that this is going to change in the near future. On the contrary: last year, a call for tenders for the “data-house” was published by the Bavarian State Criminal Police Office (Landeskriminalamt, LKA) for a “cross-procedural research and analysis system” (“Verfahrensübergreifendes Recherche- und Analysesystem”), beautifully abbreviated as “VeRA”:
“The core competency of this VeRA system is the direct access, merging and evaluating of data from various sources. The system shall be able to process existing police data repositories as well as external data sources.”
“External sources” – that can be almost anything. For example, during dragnet investigations after 9/11, data from universities, the Central Register of Foreigners, and local registration offices were combined and compared, in order to identify so-called sleepers.
“Further features of the tendered system include especially the reconciliation of internal and external, structured and unstructured data repositories” – meaning data ordered according to certain properties such as place of residence or occupation, as well as plain texts – “in order to detect relations within the analysis software”.
Relations? Let’s use telephone connection data as an example: who had a phone conversation with whom, and when. Comprehensive communications and relationship networks can be extracted from that, irrespective of whether these networks exist for criminal, purely personal, or political reasons. VeRA will also uncover my amorous affairs, or my political network.
A final part in the requirements catalogue is “the execution of geographical evaluations within the system and the visualisation and export (including sources) of research results and of relationship connections between objects.”
That means VeRA also has graphically redacted maps, pie charts and connecting lines in its repertoire, just like an investigator in a TV crime thriller would draw on a flip chart.
In a word: the magic software VeRA can do almost anything that can be done with data.
The only reference to data protection in the extensive requirements catalogue is simply that “the VeRA system shall comply with current legal requirements, particularly data protection requirements.”12
Welcome to the Realm of Palantir
On 7 March 2022, the Bavarian state criminal police office proudly announced that the contract for VeRA had been awarded to the company Palantir Technologies GmbH, a subsidiary of US-based company Palantir. No other company had been able to fulfil the “very stringent tender requirements”. It is seen as evidence for the “highest standards of data protection and data security” that the VeRA implementation by Palantir will have “no Internet connectivity”. Once again, there is no mention of provisions for the comprehensive labelling of data sets.13
Data protection is probably rather less well-known at Palantir: the US parent company has been working for US intelligence agencies and the Pentagon, and has been repeatedly criticised by civil rights and data protection activists. Palantir was founded by controversial tech billionaire Peter Thiel, who financially supported right-wing politicians, including ex-president Donald Trump.
In the German federal states of Hesse and North Rhine-Westphalia, police have in the past already gained experience with Palantir software. Criticism about procurement and functionality of such software led to an investigative committee in Hesse in late 2018, and, let’s not forget, earned the conservative minister of internal affairs Peter Beuth a BigBrotherAward. It is thus not surprising that, on the occasion of the award of the VeRA contract, the Bavarian state data protection officer Thomas Petri spoke of a massive encroachment on the basic rights of millions of people.14
Clear and Present Danger
The BigBrotherAward in the “Administration” category, however, is not primarily awarded to the Bavarian State Criminal Police Office – but to the Federal Criminal Police Office. The reason can be found in Paragraph 31, Section 1 of the law that regulates its activities: “The Federal Criminal Police Office, as the central agency for the police information network, must monitor compliance with the regulations for cooperation and for the operation of the network system.” Therefore it is the Federal Criminal Police Office which bears the overall responsibility for “Polizei 2020”. It bears overall responsibility for INPOL as well as for numerous other systems, for which the labelling requirement is still not implemented, and ultimately also for the data-mining system VeRA. It is responsible for the fact that constitutionally required measures are not implemented in the police data network, so that the risk of an unjustified use of police data against us, the citizens, remains.
Congratulations on the BigBrotherAward 2022 in the category “Authorities and Administration”, German Federal Criminal Police Office.
1 Many data sets are stored by the BKA illegally, DatenschutzNachrichten (DANA) 4/2017, p. 206 f.
2 Transatlantik 11/1980, 38; see Weichert, Informationelle Selbstbestimmung und strafrechtliche Ermittlung (informational self-determination and criminal investigations), 1990, p. 6 ff.
3 BVerfG U.v. 20.04.2016 – 1 BvR 966/09 u. 1 BvR 1140/09, NJW 2016, 1781 ff. = NVwZ 2016, 839 ff. = DVBl 2016, 770 ff. = EuGRZ 2016, 149 ff. = K&R 2016, 395 ff. = CR 2016, 796 ff. = WM 2016, 1133 ff. = BB 2016, 1089 ff. = AnwBl 2016, 516 ff. = DÖV 2016, 530 ff.
4 BKAG v. 01.06.2017, BGBl. I S. 1354; last amended by G.v. 25.06.2021, BGBl. I S. 2099.
5 § 14 Abs. 2 BKAG.
6 Directive (EU) 2016/680 v. 27.04.2016, ABl. EU v. 04.05.2016, L 119/89.
7 BT-Drs. 18/12141, 6.
8 Patrick Kleinmann, Geheime Fan-Datenbank in Bayern: 1644 Fragezeichen, 18.08.2021, https://www.kicker.de/geheime-fan-datenbank-in-bayern-1644-fragezeichen-868760/artikel.
9 Bundesministerium des Innern, Polizei 2020 – White Paper, https://www.bmi.bund.de/SharedDocs/downloads/DE/veroeffentlichungen/2018/polizei-2020-white-paper.pdf?__blob=publicationFile&v=5.
10 DSB-Konferenz, Entschließung v. 16.04.2020, Polizei 2020 – Risiken sehen, Chancen nutzen!, https://www.bfdi.bund.de/SharedDocs/Downloads/DE/DSK/DSKEntschliessungen/99DSK-Polizei2020.pdf?__blob=publicationFile&v=2.
11 Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, 29. Tätigkeitsbericht 2020, 2021, Kap. 6.1 (S. 55 f.), https://www.bfdi.bund.de/SharedDocs/Downloads/DE/Taetigkeitsberichte/29TB_20.pdf?__blob=publicationFile&v=5.
12 Germany – Munich: Database software package, 2021/S 011-023694, Contract notice, 18.01.2021, https://ted.europa.eu/udl?uri=TED:NOTICE:23694-2021:TEXT:EN:HTML&src=0.
13 Bayerisches Landeskriminalamt, Noch erfolgreichere Polizeiarbeit – Zuschlag für neues Recherche- und Analysesystem der Bayerischen Polizei: Höchste Ansprüche an Datensicherheit und Datenschutz, PE v. 07.03.2022, https://www.polizei.bayern.de/aktuelles/pressemitteilungen/025971/index.html.