State Constitutional Court imposes restrictions on state malware utilization
In a landmark decision, the German Federal Constitutional Court has ruled that state Trojans, spyware used by police to remotely access and monitor devices, cannot be used for "everyday crime" offenses punishable by up to three years in prison. This significant limitation on their use comes as a response to concerns about privacy invasion and the potential risks to IT security.
The court emphasized that such intrusive surveillance is only justifiable for particularly serious crimes due to the severe privacy invasion involved. The ruling also declared the current legal framework for secret online searches partially unconstitutional on formal grounds, requiring the legislature to revise it promptly to meet constitutional standards.
The court further highlighted concerns about law enforcement cooperating with private third parties to deploy such Trojans, implicitly warning against working with firms like the NSO Group, known for selling spyware like Pegasus to authoritarian regimes.
Digitalcourage, a data protection advocacy group from Bielefeld, welcomed the decision. Their legal representatives hailed the court’s restrictions as "correct and important", as they ensure that the state's hacking powers are limited to serious cases, safeguarding fundamental IT security rights. Frank Braun from Digitalcourage saw this as a victory in preventing the use of these Trojans in minor cases and praised the acknowledgment of the high IT security risks involved.
NRW Interior Minister Herbert Reul announced that the court had confirmed that restrictions on fundamental rights are permitted if there is a threat of terrorism. Reul interpreted this as a success for the police, as it allows for the continued use of state Trojans in such cases.
The court's decisions come after the then federal government of CDU/CSU and SPD amended the Criminal Procedure Code in 2017 to allow the use of state Trojans. The decisions raise barriers for the use of state Trojans, which allow authorities to monitor encrypted messages on platforms like WhatsApp, Threema, or Signal.
Rena Tangens, the political managing director of Digitalcourage, criticized the Federal Constitutional Court for not addressing the fundamental problem of state Trojans, stating that the state keeps them open for its own use. Until a new regulation is in place, the existing regulation remains valid, so nothing changes in practice.
The podcast "18 million. The podcast for politics in NRW" discussed this issue, delving into the decisions made by the Federal Constitutional Court and the reactions from various parties involved. The podcast is available online and will remain so until July 31, 2030.
The ruling from the Federal Constitutional Court in Germany limits the use of state Trojans to particularly serious crimes, in view of the privacy concerns and potential IT security risks involved. The decision, discussed in "18 million. The podcast for politics in NRW", also requires a revision of the legal framework for secret online searches.