The tracking bug in your pocket: Mobile phone surveillance in Germany

Procedures according to §§ 100 of the Code of Criminal Procedure (StPO) to determine the whereabouts and identification of mobile phones in Germany

In addition to telecommunications surveillance (§ 100a StPO) and online searches (§ 100b StPO), German police authorities use technical means within the framework of §§ 100 StPO to determine the location of mobile phones. These include the so-called „silent SMS“, IMSI-Catcher and cell site analysis. Customs and the secret services are also partially authorised to perform these tasks. Six-monthly parliamentary inquiries in the Bundestag document that the number of measures for federal authorities has remained at about the same level in recent years. According to the figures of individual states, the investigative methods under Sections 100 of the Code of Criminal Procedure are in some cases used much more frequently there than by federal authorities. Some measures for the localisation of telephone owners are in a grey area and have led to legal adjustments. A ruling by the Federal Court of Justice last year could be the reason why the figures for „silent SMS“ have suddenly fallen sharply. Some federal states are currently merging into „Joint Competence and Service Centres“ in the field of police telecommunications surveillance (GKDZ), which are being set up in Hamburg and Leipzig/Dresden. It is possible that with these centralised GKDZs, the number of measures for telecommunications surveillance within the framework of §§ 100 StPO will increase further.

„Silent SMS“

„Silent SMS“ are not visible on the mobile phone. As „locating impulses“ they generate connection data with the mobile phone providers without the users noticing this. The location data of the phones generated and stored by the „Silent SMS“ are queried by the authorities and used to create subsequent or real-time movement profiles. The Federal Criminal Police Office (BKA) sends „Silent SMS“ for danger prevention (§ 53 in conjunction with § 51 or § 52 BKAG) and for criminal prosecution. Real-time location data extraction is carried out in response to a court order in accordance with § 100i paragraph 1 number 2 StPO. The Federal Police (Bundespolizei) and Customs also obtain an order in accordance with § 100i StPO before the measure is implemented, as does the Federal Public Prosecutor General (GBA). The Federal Intelligence Service (BND) sends „silent SMS“ on the basis of the BND and G10 Laws, and the Federal Office for the Protection of the Constitution (BfV) and the Military Counter-Intelligence Service (MAD) also base their „silent SMS“ on this.

The authorities use the method to varying degrees. At the federal level, for example, „silent SMS“ are sent primarily by the BfV; the figures are always around 100,000 per half year. In the 2nd half of 2017, the number of secret text messages at the BfV rose to a peak of almost 180,000, while the figures for the Federal Police are significantly lower (2nd half of 2018: 50,654; 1st half of 2018: 38,990; 1st half of 2019: 20,152). A decrease was recorded last year in the number of silent SMS of the BKA. In the second half of the year, the authority sent 21,337, around a third less than before; in the first half of 2019 it was only 6,302.

In the police sector, the fluctuations can be explained by special investigation procedures. In 2016, for example, the Federal Police investigated one case of „gang and commercial theft to the detriment of Deutsche Bahn“. Nothing is known about the reasons for the peak of the BfV in 2017. However, the figures on the individual measures are only of limited significance and must be put into relation with the investigation proceedings and the persons affected by them. These are not always recorded statistically. For example, the numbers of „silent SMS“ may decrease significantly, but more people may still be monitored.

While the German government provides information on „silent SMS“ from the BKA and the Federal Police, no information is provided on the BND. The Ministry of the Interior developed a similar secrecy six years ago for the Ministry of Finance, whose customs crime and customs investigation offices also send masses of „silent SMS“. In 2012, the customs authorities generated almost 200,000 „locating impulses“, and in the following six months a further strong upward trend was observed.

Since this year, the Ministry of the Interior has also classified the figures for the BfV as secret. The reason given for this is that the information is particularly in need of protection, as „regular half-yearly replies […] can consolidate individual pieces of information into a comprehensive situation picture“. The semi-annual inquiries led to such a „condensation“, in this way conclusions could be drawn about the „technical capabilities“ of the secret service. This was explained in a letter of the Parliamentary State Secretary Günter Krings to the Parlamentarian of the German Bundestag Andrej Hunko in March 201. This may be true from the point of view of the authority. However, the information could also have been upgraded to „VS – For official use only“, which means that it would continue to be sent to the members of parliament by internal mail.

With the classification as „VS – Secret“ the answer may only be viewed by Members of Parliament and other specially authorised persons in the Secret Department of the Bundestag („Geheimschutzstelle“). The Scientific Services of the Bundestag emphasize that such restrictions on information are subject to the constitutional requirement of proportionality. The Government must therefore seek milder, equally suitable means instead of classifying the previously openly communicated information as „VS secret“. The Classified Information Instruction („Verschlusssachenanweisung“) also stipulates in § 15 sentence 3 that a lower classification level or another means equally suitable for confidentiality must take precedence.

A glance at the 16 Länder shows a clear increase in the number of „silent SMS“ sent there. In 2015, for example, the Berlin police force still created around 138,000 secret text messages, and in 2018 the number more than tripled. In Schleswig-Holstein, around 45,000 „silent SMS“ were used in 2016, this number was already reached in the first half of 2018. A similar increase can be seen in Rhineland-Palatinate and Brandenburg. There the method is referred to as „0-SMS“. Further requests based on the Freedom of Information Act on the number of „silent SMS“ were in vain. Federal states such as Bavaria have not enacted such a law, while Saarland and Saxony-Anhalt demand deterrent charges even for non-disclosure. Most ministries keep details of the state offices for the protection of the constitution under lock and key. Where they are communicated, the figures are comparatively low. From this it can be concluded that among the 17 domestic secret services at Federal and State level, the BfV is primarily responsible for secret location. It is not always known the number of investigative procedures for which „silent SMS“ are used in the Länder. Only some authorities have to record the frequency (e.g. daily or hourly) at which a person is secretly tracked. In the state of Brandenburg, the frequency of the measure could only be quantified „on the basis of the accounts“.

Cell site analysis

For the geolocation of mobile phones, the police, prosecutor and customs authorities can carry out non-individualised radio cell enquiries (the BND, the BfV and the MAD have no legal basis for this). In this case, the police inquire from the network operators which mobile phones were used in a specific radio cell during a specific period. Cell site analysis are ordered by the court at the request of the public prosecutor’s office. § Section 100g, paragraph 3 of the Code of Criminal Procedure (StPO) allows the measure for investigations into serious crimes or crimes that endanger the state or because of the smuggling of foreigners and violations of the Narcotics Act. According to an amendment to the law in 2017, a cell site analysis can also be carried out after a break-in.

A mobile radio cell is determined by the transmission mast, which covers a certain radius. In urban areas, it is only a few hundred meters in size, in rural areas a cell can cover many kilometers. Using the traffic data, the police and customs can then query the corresponding user data. Even without a data retention law, companies keep the traffic data of their customers for several weeks. They are generated with every phone call, every SMS sent or received, as well as during Internet use of the device (even when it is working in the background). The time of an outgoing or incoming connection, its duration and the phone number of the communication partner are logged. According to the Dresden Local Court, the authorities also receive information on the angle of radiation of the telephone located in the respective radio cell.

For the federal police, the cell site analysis have not always been properly logged, by mid-2015 they are said to have been „less than 50“. On average, the Federal Police carry out around 40 interrogations per half-year; in the second half of 2018 this figure has doubled conspicuously. The method is used extremely rarely by the BKA; the figures are always in the low single-digit range. Therefore, one „peak in the 2nd half of 2017 with 149 measures is noteworthy. The cell site analysis by the BKA are also ordered in investigation proceedings by the State Prosecutor, the German Ministry of the Interior refers to past investigations for „unconstitutional sabotage“ and „formation of a criminal organisation“. The 16 State Offices of Criminal Investigation also carry out cell site analysis for the Prosecutor, in recent years this has been done by Bavaria, Berlin, North Rhine-Westphalia and the Bochum police headquarters, for example.

Cell site analysis are carried out significantly more frequently in the Länder. In 2012, the police in Saxony queried radio cell data in 104 procedures, in 2017 there were already 427 procedures. In 2016, investigators in Berlin ordered queries in 491 operations, and the police received 112 million traffic data records. In addition to serious crimes such as gang theft, robbery, murder, and causing an explosion of explosives, there are also measures for breach of the peace, fraud, and coercion. In 2017, the police subsequently identified 2,222 phone owners.


Mobile or stationary IMSI catchers simulate a radio cell into which the mobile radio devices in the vicinity automatically log in because of the signal strength of the device. Law enforcement agencies and intelligence agencies use IMSI catchers to assign a phone to an observed target person. The device numbers (IMEI) and card numbers (IMSI) are determined. Further information can then be requested from the telephone providers, including inventory data on the owners, traffic data or the content of text messages. Some IMSI catchers also allow you to listen in on calls. According to the Ministry of the Interior, this function is not used by the federal authorities.

Since 2002, IMSI catchers have been permitted as the use of „technical means“ for certain purposes within the framework of § 100i Code of Criminal Procedure. The Federal Police use them exclusively in criminal investigations, the BKA also uses them to avert danger. While the Federal Police have used IMSI-Catcher between 19 and 61 times per half year, the number for the BKA is between one and 24 operations. In 2014, the BfV conducted 13 investigations with IMSI catchers, the customs criminal investigation offices 51. Customs does not have its own IMSI catchers and uses the administrative assistance of other federal or state authorities.

The new, fifth generation of mobile telephony (5G) enables connections with end-to-end encryption. The encryption of the openly transmitted IMSI and IMEI is currently intended to provide more security. In a few years, the IMSI catchers used under 3G and 4G will therefore become unusable.

The Government is currently examining what „technical and legal adjustments“ the new 5G standard, which has yet to be adopted, should contain. The European Telecommunications Standards Institute (ETSI) is responsible for this. In the planned Release #16, it would be possible to ensure that the encryption of the transmitted IMSI or IMEI data, which is decrypted at certain points in the network providers, must be removed for a query with a court order. ETSI cooperates with the global 3rd Generation Partnership Project (3GPP), an institution of the United Nations International Telecommunication Union (ITU), which also operates a working group for official interception measures. The German government participates in both working groups together with the BKA, the Federal Office for the Protection of the Constitution and the Federal Network Agency. Presumably in order to increase the pressure on the standardization committees, the Ministry of the Interior has also sent the new hacker authority („Central Office for Information Technology in the Security Sector“, ZITiS) since July this year.

For the Ministry of the Interior, the introduction of 5G comes at an inopportune moment, as the BKA has only started research to improve its IMSI catchers in 2017. Under the name „Catch“, the European Commission is supporting a four-year project within the framework of the EU Internal Security Fund with 338,580 euros; no other partners are involved. Multiple measurements are to make the location of mobile phones under 3G and 4G more accurate. Finally, the research project is also justified by the „self-protection of the deployed police officers“, since the police officers would always have to „act in the vicinity of the target person“. The Federal Ministry of the Interior does not provide further explanations.

Civil rights and transparency

The use of telephones as tracking bugs is legally controversial and difficult to contain. This is particularly evident when sending „silent SMS“. Telecommunications surveillance may actually only be carried out as a „passive activity“. However, the generation of a communication process by means of „silent SMS“ is an active activity which does not originate from the persons affected by the measure. Tobias Singelnstein, Professor of Criminology at the Law Faculty of the Ruhr University Bochum, has been criticising this for several years. Last year the Federal Court of Justice (BGH) ruled on this and partially agreed with Singelnstein’s view. The use of „silent SMS“ and the collection of location data generated from it can therefore not be based on § 100a of the Code of Criminal Procedure, since the location data generated does not arise within the framework of telecommunications. According to the BGH, a „silent SMS“ lacks „a human-induced exchange of information“.

Nevertheless, the court has stated that the „silent SMS“ may be used in cases of suspected crimes of „considerable importance“. This power of intervention results from § 100i para. 1 no. 2 StPO. The provision regulates the use of technical means to determine the location of a mobile telephone and was tailored to IMSI catchers when it was passed in 2002. However, it is unclear whether the ruling raises the hurdle for the use of location impulses in practice. In this regard, the Federal Ministry of the Interior writes that after the ruling, the Federal Police was ordered to obtain an order according to § 100i StPO. In the second half of 2018, no significant changes in practice were recorded, but in the following six months the measures taken by the Federal Police and the Federal Criminal Police Office were more than halved, possibly as a result of the BGH ruling.

In contrast to „silent SMS“, masses of uninvolved persons enter the police grid via a cell site analysis. In the area of left-wing social movements, this first became apparent in 2011, after the State Criminal Investigation Office in Saxonia carried out cell site analysis during demonstrations. In investigations against an alleged anti-fascist group, the police received a total of 1,145,055 traffic data records on 330,00 people whose telephones had logged into the interrogated radio cells. Among them were not only demonstrators, but mainly inhabitants and visitors of the respective districts. In Dresden, the State Criminal Police had used three different procedures to obtain the names and addresses of 58,911 persons. With the help of the software, 1,210 persons and telephones were filtered out in a data mining procedure, which could belong to „mobile phones, storage media or written documents seized or confiscated during investigations“. A comparison of radio cell queries with other events revealed a further 844 suspicious phone owners at at least four of 17 „event or crime scenes“.

It is also problematic that the user data behind traffic data from cell site analysis is provided by network providers without a court order. This gives rise to the fear that in proceedings such as the one in Dresden, all names, addresses and other data of hundreds of „suspicious“ telephone owners will end up in the investigation files. According to the annual report of the Federal Network Agency, the numbers of this inventory data information, which is referred to as the „public authority telephone directory“, have once again increased sharply. In 2018, 13.94 million requests were processed. Almost 750,000 of these automated information procedures originated from the BfV, and in over 11,000 cases the secret service requested the telephone numbers of a specific person the other way round. The BKA does not keep any statistics on this.

Those affected by radio cell queries are usually not informed about the collection of their traffic or user data. In the view of the police, only those against whom the measures were directed have a right to be informed. But even these suspects or accused have not received such notification from the LKA Sachsen, for example. Only the state of Berlin has meanwhile introduced a so-called cell site analysis transparency system (FTS). About 10,000 interested parties have stored their mobile phone numbers in a file there. If this number was then recorded during a radio cell query, the owners will be notified once the investigations are complete in the event that their traffic data is processed.

„Joint Competence and Service Centres“

Several federal states are currently merging into „Joint Competence and Service Centres“ in the field of police telecommunications surveillance („„Gemeinsame Kompetenz- und Dienstleistungszentren“ auf dem Gebiet der polizeilichen Telekommunikationsüberwachung“, GKDZ). Initially, the Conference of Interior Ministers of Hamburg, Lower Saxony, Mecklenburg-Western Pomerania, Schleswig-Holstein and Bremen had decided in 2008 on an initiative to establish a „TKÜ-Zentrum Nord“. A second GKDZ will be established in Leipzig and Dresden, with the participation of Saxony, Brandenburg, Thuringia, Saxony-Anhalt and Berlin. The GKDZs are to reduce construction, investment and operating costs in the participating states, and are to be financed on a pro-rata basis according to the Königstein Key. Further details are regulated in a state treaty. Both centres are scheduled to become fully operational in 2020.

According to a presentation by the Saxon State Ministry of the Interior, the aim of the institutions is to „centralise police surveillance tasks as far as possible“. The „Strategy and Research Centre for Telecommunications“ (SFZ TK), in which the Federal Criminal Police Office, the Federal Police and the Federal Office for the Protection of the Constitution are organised in a „cooperation platform“, was involved in this.

As „central service providers“, the GKDZ are to carry out all forms of operational telecommunications surveillance. The presentation of the Saxon Ministry of State shows that servers are operated to extract the telecommunications data intercepted by the network providers. The data collected via these interfaces is stored in the GKDZ. For this purpose, servers with a „storage capacity in the petabyte range“ are purchased. As far as technically possible, the centres are also to procure the „analysis of encrypted communication and, if necessary, its decryption“. Which technical tools will be used for this remains open.

However, the centres will presumably also take over the deployment of „silent SMS“ or Trojan programs. This is confirmed by the response of the Berlin Senate to a request from the Pirate Party. How this „technical service“ will be implemented will only be defined in a later „detailed planning“. Currently, „silent SMS“ are sent to criminal investigation departments or secret services with the help of commercial software, for example from the Swiss company Vadian or the German company Syborg. Other authorities, such as the GBA and the customs authorities, make use of facilities provided by federal and state police authorities. In some federal states, „silent SMS“ are not sent by the authorities themselves, but by private service providers.

It is to be feared that measures for telecommunications surveillance under §§ 100 StPO will continue to increase under a centralised GKDZ. Hartmut Aden had formulated further criticism of the centres two years ago in a statement on the draft law of the Saxon state government. Cross-state structures such as a GKDZ are not fundamentally more economical than individual facilities in the federal states, he said.

For example, the „coordination and travel requirements“ are increasing; as a complex authority, Aden expects the GKDZ to have „considerable administrative work“. There is also no evidence as to why telecommunications surveillance of all things is chosen as a transnational field of cooperation. This is always carried out on behalf of one of the countries involved, Aden does not expect any cross-connections between the cases to be processed. The knowledge gained there continues to end up in the decentralized police transaction processing systems of the state police authorities.

Finally, the responsibility for and control of the data collected in a telecommunications surveillance system is also unclearly formulated in the State Treaty. It was possible that the Länder would continue to be responsible for interception measures and that only their evaluation would be carried out in the GKDZ. However, the State Treaty did not contain any provision on who was liable for illegal data processing. Although the decentralised responsibility of all data protection officers of the participating Länder provides for data protection monitoring, there is no clear provision in data protection law for an „overall view“. In individual cases, this could lead to „fragmented and therefore inadequate control“.

Image: Mikaela Shannon on Unsplash

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.