Thursday, March 31, 2016

Germany, where the structure of a database is a critical security matter

German police are more data hungry than meets the eye. And they want to keep it that way.

Without the hard work of the "all things digital rights" web site, residents of the quaint country in the heart of Europe would remain unaware of the proclivities of their lads and ladies in blue (mostly blue, other colors may apply).

For example, last October we wrote about the odd "force protection" databases many of the country's agencies are quietly feeding.

Just yesterday, netzpolitik reported on the investigation by an intrepid German reporter into another set of databases: on soccer fans. As it turns out, a database that came to light in Berlin a year ago is far from unique.

Police across the country not only access a known nationwide database but also have additional repositories of their own.

Violence does happen at soccer matches, so nobody is surprised that police collect related data. To ensure the public understands this, the databases are called "Sports Violence Databases".

But they are not limited to persons sentenced for violence or investigated for suspicion of violent behavior at sports events. When state politicians made formal inquiries - after police refused journalists' FOIA requests - it became clear that people who have never had a run-in with police end up in these databases, too.

And, just as with the "force protection" databases, getting in is easy, getting out is hard. Not least because the majority of the databases have been unknown even to the state data protection commissioners, whose mandate includes keeping an eye on government databases.

Oversight powers are so weak that it is already considered a success when the retention period is shortened from five years to three years.

To the blogster, the best indication of pervasive disregard for transparency is that agencies routinely refuse to disclose the structure of a database, declaring that publishing it would endanger security.

Anybody who has ever dealt professionally with databases will confirm that such a statement by police may be true under one condition: if the designers of a database are utterly incompetent.

At the state level, this might not even be very far off the truth.

We do know that Germany has true nerds: the main programmer of a widely used PGP encryption software hails from near Cologne, Germany. And in an article on Germany's federal IT security agency, the blogster saw one employee described as a young man wearing glasses held together by tape - if this doesn't say nerd, nothing does.

In reality, German governments have always been big on "security through obscurity", and this won't change anytime soon.
