I come from Germany. The situation is complicated. The responsible politicians tend to make statements that are contradictory or don't make any sense. There have been multiple statements that at least could be interpreted as supportive of encryption regulation. On one occasion there was a joint statement by the French and German ministers of the interior - with the slight problem that the French and German versions of the statement were different.

Recently they created a new institution supposed to help decrypt messages. They never explained what that actually means. (I mean you simply can't decrypt properly designed crypto systems.)

Germany isn't the privacy paradise that some people in the international debates sometimes like to see in it.

On the other hand, it has a larger constituency in government who oppose undermining encryption than most other Western nations, and a good negative example in the recent past (the Stasi). Just look at the recent legislation passed in the UK, the statements of Theresa May on encryption, or the recent lawsuits by the FBI against Apple. It may be our best hope in stopping legislation mandating backdoors to encryption, which would damage everyone.


The most important difference is the parliamentary sovereignty of the UK. The biggest protector of privacy here in Germany is the constitution, and the Constitutional Court rules fairly assertively on issues of privacy and civil rights, so what PMs do or don't do is not that important.

The UK has no such safeguard due to governmental structure.


> Germany isn't the privacy paradise that some people in the international debates sometimes like to see in it.

In comparison with pretty much everyone else, it is.


> (I mean you simply can't decrypt properly designed crypto systems.)

Luckily most deployed crypto isn't properly designed :)


> Recently they created a new institution supposed to help decrypting messages.

Could you give me more info about it?


> Recently they created a new institution supposed to help decrypting messages.

BSI? They're not new.


I guess GP was referring to ZITIS, not BSI.

BSI's job generally is ensuring IT security, not breaking it.

Even for the weirder jobs they're tasked with, such as certifying backdoor software for LEAs, it's not about ensuring its operation as a backdoor, but about verifying that it only does the designated job (and in particular doesn't bring additional capabilities that are outside their charter).


I sometimes wish BSI had more teeth (e.g. when it comes to stuff like reviewing official backdoor trojans, it's annoying that we need private initiatives and the constitutional court every single time, although that keeps the topic hot), on the other hand it also has a strong whiff of incompetence and bureaucracy that I don't want to see with actual power.


Yes, I was referring to ZITIS.

> BSI's job generally is ensuring IT security, not breaking it.

Unfortunately that's also not true. The role of the BSI is very mixed: they have both an offensive and a defensive role. Which is one of the problems. They're not trustworthy.


So which department shown on https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/BSI/Orga... has an offensive role?

The BND/BSI split as implemented in Germany is relatively unique precisely to separate offensive and defensive concerns. The biggest issue IMHO is that they both report to the same federal office.


Here's some (German) background info on the role. The BSI assisted the BKA in creating a trojan, but tried to hide it from the public: https://netzpolitik.org/2015/geheime-kommunikation-bsi-progr...


I worked on SINA components in the past, so I know first hand what they're capable of and what some parts of the German tech media claimed they're used for. (tl;dr: there's very little overlap between some of the more popular claims and reality)

I suspect something similar happened here: the BKA and some contractors built the trojan software. The BVerfG requires that these tools be limited in their impact, and lawyers would also have a field day in court with any case where the software was used if it can be shown to create security issues, so the BKA requests a security audit from the BSI (that's part of their charter) and gets it. That might have meant some code (in the form of patches) flowed back, but given that it's the BSI we're talking about, I doubt it.

Unfortunately the BSI is chartered to do security reviews for federal software, so they can't simply refuse. Meanwhile BSI officials are paranoid because they know (from the SINA/ISP surveillance FUD) what the public reception of such a job looks like, and they try to do PR management (and fail, which probably surprises no one).

