The German Interior Ministry has officially opened ZITiS, a surveillance agency independent of both the police and the secret service. Critics say anyone with a smartphone is now vulnerable to state snooping.
Interior Minister Thomas de Maiziere opened a new cybersecurity agency in Munich on Thursday as part of a centralized attempt to tackle cybercrime and digital espionage via mass telecommunication surveillance, data encryption and mass data collection.
However, the German government's own data protection commissioner has complained publicly that she was not consulted as promised about the new "central office for information technology in the security sphere" (ZITiS).
Data protection commissioner Andrea Vosshoff told the Neue Osnabrücker Zeitung newspaper that she was unable to offer a "serious or valid assessment or evaluation of this project" even though the government had promised "official participation" last summer.
"Of course data protection is a central element of such a huge project," Vosshoff's predecessor Peter Schaar told DW. "It would be extremely unfortunate if the relevant data protection commissioner wasn't sufficiently involved."
Read more: Selling on the darknet? The BKA is buying
ZITiS is a serious investment: some 10 million euros ($12 million) will be poured into the new agency in the first year alone, with 120 positions created immediately. The government wants to expand that workforce to 400 by 2022. It is designed to be a technological resource for Germany's other security agencies, all of which come under the authority of the Interior Ministry.
The new agency's tasks will also include "digital forensics," which means developing methods for piecing together evidence from the internet. ZITiS will also research and develop new telecom surveillance strategies for other agencies.
No rules for a new agency
Frank Herrmann of Germany's Pirate Party called Vosshoff's public complaint "remarkable."
"The data protection authority should definitely be an address you would want to include, and as she says, that was agreed and it didn't happen," he said. "There are regulations that the state has to define exactly what it wants to do, so it can be checked that it is doing its work properly."
He also said he was particularly concerned that, because ZITiS was an independent security agency, it was not governed by any law. "We have a BKA law, we have a BND law," he said, referring to Germany's federal police and intelligence agencies.
"Those are all institutions that are regulated by laws that say what they can do and what they can't. None of that exists for ZITiS."
Read more: What is ransomware?
New crimes, new powers
In a statement issued ahead of the opening, de Maiziere emphasized how "a whole series of incidents with criminal, but especially terrorist, background in the course of 2016 placed our security agencies before technical challenges."
"We live in a digital age and the security forces must keep up with developments," the minister added.
The president of Germany's federal police, Holger Münch, also welcomed the help that ZITiS would bring, pointing out, at a cybercrime conference in May, that the police had registered 83,000 cases of cybercrime in 2016 alone, and estimating that this had caused 51 million euros worth of damage.
But there was also resistance from opposition parties. The Left party's Martina Renner called ZITiS "a danger for anyone who owns a smartphone or wants their privacy in the digital world to be respected."
Herrmann also said that ZITiS' purpose would actually create the opposite of what the state wants to do — make the internet more secure.
"The main task of ZITiS is to break into networks and to break encryptions — those are things that you can only do by exploiting security gaps," he said. "This agency's task is not to close these gaps, but to use them. But computer technology will only become safer if you close these gaps — it's actually quite sick. ZITiS should be shut down before it's opened."
Read more: EU agrees to joint sanctions on cyberattacks
The German police is already developing its own network-cracking skills: that was revealed in July by the independent news outlet Netzpolitik, which leaked an Interior Ministry document showing the German police was expecting to be able to read encrypted messaging apps such as WhatsApp by the end of the year.
New surveillance malware, known as Remote Communication Interception Software 2.0 (RCIS), can be used on mobile devices with Android, iOS, and Blackberry operating systems. RCIS circumvents the encryption built into services such as WhatsApp and Telegram by hacking the phones themselves and reading the messages "at source" on users' screens.
In June, the German government also passed a law to hand police the power to hack into devices belonging to anyone suspected of criminal activity — not just terror offenses.