FECL 50 (March/April 1997):
Under the TKG, service providers must see to it that the authority's access can take place without their own and their customers' knowledge.
The Regulation Authority is responsible for handling all queries from the police, the judiciary and the secret services concerning customer data (phone numbers, names, addresses, e-mail addresses etc). These elements of identification are considered necessary for intercepting the telecommunications traffic of the customer concerned.
It has long been unclear what the law actually meant by "provider". The answer can be found, at least in part, in a recent draft description of the interface requirements between providers and the Regulation Authority. In the draft, the modalities for the secure transmission of customer data are described in great detail. The two existing mobile telecommunications providers and the new competitors of the German Telekom AG (with the German state as its largest shareholder) are the first providers to have been asked to enable access to their customers' data, mainly because of their size. But the requirement of access will gradually be extended to small providers.
In accordance with the requirements in the TKG, the technical definition of the access interface comprises not only the transmission of a telephone number but also of an e-mail address. This may become a sensitive issue as soon as online service providers are also obliged to allow access to their databases.
The draft "Interface Description" draws up a set of measures aimed at solving a problem that follows from the TKG requirement that the Regulation Authority must have access to customer data at any time without the knowledge of even the telecommunications provider. This requirement actually creates the need for an "uncontrolled" interface.
The problem with such an installation is that it provides a potential back door for unlawful access to and modification of provider databases.
To prevent this, the draft "Interface Description" lists a number of elaborate requirements:
1. The connections between providers and the Regulation Authority will be defined as a "closed user group" within Euro-ISDN. No traffic with other communication partners is allowed, and the installation has to be kept secret.
2. The providers must acquire, at their own (i.e. their customers') expense, an authentication and encryption device for the encryption of the data traffic in accordance with the specifications of the Regulation Authority. The device has to be set up in a safe location and is initialised by a special chip card, personally delivered by a representative of the Regulation Authority. The device follows an access protocol and alerts to misuse: "On an unauthorised connection, alarm signals are sent to the Regulation Authority, which in turn notifies the security official [of the provider concerned]." An RSA encryption system is used for key management, session key exchange and authentication. In this system a new encryption key is created for every session.
3. By way of the Euro-ISDN connection, the Regulation Authority transmits a database request for customer data transfer to the provider via FTP (File Transfer Protocol). The provider in turn has to send the result separately to a "data retrieval office" (Abfragestelle) of the Regulation Authority. The requests are divided into three categories: "immediate" (response within 60 seconds), "urgent" (maximum 15 minutes), and "normal" (maximum 6 hours).
Examples in the "Interface Description" indicate where the security authorities' main interest lies: incomplete data, in the form of fragments of names and numbers, are to be completed into a full data set made up of the name, number and address. Significantly, while area codes are defined as numerals, telephone numbers are defined as a 100-character string. This is in accordance with the TKG and only makes sense if there are plans to enable access to service providers other than just telecommunications providers. This is new evidence confirming the warnings of critics, most notably the German organisation of computer scientists, FIfF, that the interception regulation in the TKG might become applicable to even the smallest non-profit mailbox provider.
The "Interface Description" presents itself as a "theoretical treatise" and "is meant to give an overview and an early opportunity to move into a planning stage". In other words, the providers are to get started with assessing their costs.
For customers the meaning of all this is not only that fees will increase, but also that henceforth telecommunications providers will have a new role to play: that of constantly supplying the state authorities with up-to-date information on its citizens.
Telecommunications providers must now meet the following technical infrastructure requirements:
- one line for the customers;
- one for the surveillance of the customers (to be enabled at any time under a 1995 ordinance on the surveillance of telecommunications (FÜV: Fernmeldeverkehrsüberwachungsverordnung)); and now
- a third line for enabling access to customer data at any time and free of charge for the authorities.
After studying the draft "Interface Description", an international provider of telecommunications services has already threatened to move its network centre from Germany to other European locations. This would result in the loss of 1,200 jobs in Germany.
Only a few months after the entry into force of the TKG, we now have in hand a technical description of the "third line". A strengthened version of the 1995 FÜV-ordinance, in accordance with the regulations in the TKG, has already been announced for the upcoming months. On the other hand, we still do not know how long we will have to wait for another ordinance based on the TKG - the data protection ordinance. This indicates that when the issue is whether to secure or restrict citizens' rights in Germany, the authorities have established their priorities.
Ingo Ruhmann (Bonn)
The author is a member of the board of FIfF. Contact: FIfF, Reuterstr. 44, D-53113 Bonn, Tel: +49/228 219548, Fax: +49/228 214924, e-mail: fiff@fiff.gun.de (Quotations in the above article are our translations from German)