State Surveillance Tool Restrictions Set by Federal Constitutional Court
In a landmark ruling on August 7, 2025, the Federal Constitutional Court in Karlsruhe set new boundaries for the use of state Trojans (spyware) in Germany. The decision comes after two constitutional complaints initiated by Digitalcourage, a digital rights advocacy group based in Bielefeld, against the federal regulation and the North Rhine-Westphalia Police Act (PolG).
The court ruled that police may only use state Trojans for investigating particularly serious crimes, effectively banning their use for "everyday crimes" with a maximum prison sentence of three years or less. This significant limitation on the state’s power to conduct secret surveillance via remote access to digital devices is a response to civil rights concerns raised by Digitalcourage.
Rena Tangens, the political business manager of Digitalcourage, expressed satisfaction with the ruling, stating that it protects IT systems from being compromised unless serious crimes are suspected. However, she criticized the court for not addressing the fundamental problem of state trojans. Tangens emphasized that the use of security vulnerabilities by the state is a violation of its duty to protect digital security and called for an end to cooperation with dubious private companies like NSO Group.
The ruling also clarified that online state searches without invoking telecommunications secrecy protections are unconstitutional, emphasizing the need for proportionality and respect for fundamental rights. This decision brings legal certainty, as industry representatives like eco noted, ending the ongoing tension between investigative needs and IT security risks posed by keeping system vulnerabilities open for state use.
Police unions argued that the method remains essential to counter serious threats like terrorism, underlining the need to balance security and privacy. However, the court’s decision stresses restrictions and oversight on state spyware use, prompting lawmakers, including authorities like NRW's Interior Minister, to revise the legal framework to better protect privacy and IT security.
NRW Interior Minister Herbert Reul announced that the court had confirmed that restrictions on fundamental rights are permitted in case of a terror threat. Despite this, until a new regulation is in place, the existing regulation applies, so nothing changes in practice. The minister's specific reaction to the ruling is not detailed in the search results.
State trojans enable covert online searches of all data on a device via access to the entire IT system, a very far-reaching intervention. According to the Federal Constitutional Court, these secret online searches are not compatible with the Basic Law for formal reasons, as the legislator failed to demonstrate which specific basic rights an online search would infringe upon. The court set narrower limits on the use of state trojans in the federal regulation of the Criminal Procedure Code, deeming their use in cases of simple crime with a maximum sentence of three years or less as "disproportionate."
The podcast for politics in NRW discussed what the constitutional protection office should be allowed to do, while Digitalcourage moved to Karlsruhe due to concerns about restrictions on human fundamental rights in NRW. The NRW Police Act (PolG) allows the use of spy software for prevention, but within narrow limits for combating terrorism. The corresponding regulation in the Criminal Procedure Code was "struck down" due to a "lack of proportionality." Tangens emphasized that the benefit of state trojans is limited, but the risk is enormous.
In conclusion, the Federal Constitutional Court's decision marks a significant step towards protecting privacy and IT security in Germany. The court's ruling sets boundaries for the use of state Trojans, allowing authorities to monitor encrypted messages like WhatsApp, Threema, or Signal only when investigating particularly serious crimes. Lawmakers are now prompted to revise the legal framework to better balance security and privacy concerns.
The Federal Constitutional Court's decision on state Trojans signifies a response to civil rights concerns raised by Digitalcourage, establishing that police may only use state Trojans for investigating particularly serious crimes. Rena Tangens, of Digitalcourage, has criticized the court for not addressing the fundamental problem of state trojans, stating that the use of security vulnerabilities by the state is a violation of its duty to protect digital security.
The ruling also highlights the need for proportionality and respect for fundamental rights, making online state searches without invoking telecommunications secrecy protections unconstitutional. This calls for a revision of the legal framework by lawmakers to better protect privacy and IT security, as emphasized by NRW's Interior Minister, Herbert Reul.
