TELECOMMUNICATION PROVIDERS TO ENSURE ACCESS OF SECURITY AUTHORITIES TO CUSTOMER DATA

FECL 50 (March/April 1997)

In Summer 1996, the German Bundestag (Federal parliament) adopted the Telekommunikationsgesetz (TKG: telecommunications law). The TKG was widely hailed as a means to liberalise the monopolised German telecommunications market. However, it has gone almost unnoticed that the TKG includes a special paragraph 90, which states that all providers of telecommunication services must enable automated access by a "Regulation Authority" to their customer data. Telecommunication providers are becoming the state's suppliers of up-to-date data on its citizens, warns FIfF, the German organisation of computer scientists.

Under the TKG, service providers must see to it that the authority's access can take place without their own and their customers' knowledge.

The Regulation Authority is responsible for handling all queries from the police, the judiciary and the secret services concerning customer data (phone numbers, names, addresses, e-mail addresses, etc.). These elements of identification are considered necessary for intercepting the telecommunications traffic of the customer concerned.

Who is a "provider"?

It has long been unclear what the law actually meant by "provider". The answer can be found, at least in part, in a recent draft description of the interface requirements between providers and the Regulation Authority. In the draft, the modalities for the secure transmission of customer data are described in great detail. The two existing mobile telecommunications providers and the new competitors of the German Telekom AG (with the German state as its largest shareholder) are the first providers to have been asked to enable access to their customers' data, mainly because of their size. But the requirement of access will gradually be extended to small providers.

"Uncontrolled" access to customer data defined in draft "Interface Description"

In accordance with the requirements in the TKG, the technical definition of the access interface comprises not only the transmission of a telephone number but also of an e-mail address. This may become a sensitive issue as soon as online service providers are also obliged to allow access to their databases.

The draft "Interface Description" draws up a set of measures aimed at solving a problem that follows from the TKG requirement that the Regulation Authority must have access to customer data at any time without the knowledge of even the telecommunications provider. This requirement actually creates the need for an "uncontrolled" interface.

A back door for unlawful access

The problem with such an installation is that it provides a potential back door for unlawful access to and modification of provider databases.

To prevent this, the draft "Interface Description" lists a number of elaborate requirements:

  1. The connections between providers and the Regulation Authority will be defined as a "closed user group" within Euro-ISDN. No traffic with other communication partners is allowed, and the installation has to be kept secret.

  2. The providers must acquire, at their own (i.e. their customers') expense, an authentication and encryption device for the encryption of the data traffic in accordance with specifications of the Regulation Authority. The device has to be set up in a safe location and is initialised by a special chip card, personally delivered by a representative of the Regulation Authority. The device follows an access protocol and alerts to misuse: "On an unauthorised connection, alarm signals are sent to the Regulation Authority, which in turn notifies the security official [of the provider concerned]." An RSA encryption system is used for key management, session key exchange and authentication. In this system a new encryption key is created for every session.

  3. By way of the Euro-ISDN connection, the Regulation Authority transmits a database request for customer data transfer to the provider via ftp (file transfer protocol). The provider in turn has to send the result separately to a "data retrieval office" (Abfragestelle) of the Regulation Authority. The requests are divided into three categories: "immediate" (response within 60 seconds), "urgent" (maximum 15 minutes), and "normal" (maximum 6 hours).

Access to e-mail addresses

Examples in the "Interface Description" indicate where the security authorities’ main interest lies: incomplete data in fragments of names and numbers are to be completed by a full data set, made of the name, number and address. Significantly, while area codes are defined as numerals, telephone numbers are defined as a 100-character string. This is in accordance with the TKG and only makes sense if there are plans to enable access to service providers other than just telecommunications providers. This is new evidence confirming the warnings of critics, most notably the German organisation of computer scientists, FIfF, that the interception regulation in the TKG might become applicable to even the smallest non-profit mailbox provider.

Supplying the state with up-to-date data on its citizens

The "Interface Description" presents itself as a "theoretical treatise" and "is meant to give an overview and an early opportunity to move into a planning stage". In other words, the providers are to get started with assessing their costs.

For customers the meaning of all this is not only that fees will increase, but also that henceforth telecommunications providers will have a new role to play: that of constantly supplying the state authorities with up-to-date information on its citizens.

Provider threatens to leave Germany

Telecommunications providers must now meet the following technical infrastructure requirements:

  • one line for the customers;

  • one for the surveillance of the customers (to be enabled at any time under a 1995 ordinance on the surveillance of telecommunications (FÜV: Fernmeldeverkehrsüberwachungsverordnung)); and now

  • a third line for enabling access to customer data at any time and free of charge for the authorities.

After studying the draft "Interface Description", an international provider of telecommunications services has already threatened to move its network centre from Germany to other European locations. This would result in the loss of 1,200 jobs in Germany.

Surveillance versus data protection: the government has made its choice

Only a few months after the entry into force of the TKG, we now have in hand a technical description of the "third line". A strengthened version of the 1995 FÜV-ordinance, in accordance with the regulations in the TKG, has already been announced for the upcoming months. On the other hand, we still do not know how long we will have to wait for another ordinance based on the TKG - the data protection ordinance. This indicates that when the issue is whether to secure or restrict citizens' rights in Germany, the authorities have established their priorities.

Ingo Ruhmann (Bonn)

The author is a member of the board of FIfF.
Contact: FIfF, Reuterstr. 44, D-53113 Bonn, Tel: +49/228 219548, Fax: +49/228 214924, e-mail: fiff@fiff.gun.de
(Quotations in the above article are our translations from German)