Journalists from abroad often ask:
“Why is there such a great awareness for data protection in Germany? What are the reasons for this?”
Activists from other countries keep asking, for instance during our annual European bar camp “Freedom not Fear” in Brussels:
“How did you manage to make the public interested in it? How do you manage to bear the frustration when politicians keep adopting new surveillance laws contradicting all common sense again and again? How do you manage to go on when citizens keep submitting to commerce in surveillance capitalism often without thinking?”
Last but not least we keep asking ourselves: “Why do we do it?”
We have to go back to thinking about these questions and answering them ourselves again and again. Some answers are related to our history, others are based on current events. Things are changing and we influence them ourselves. Eventually the background of our partners plays a role, too. I feel that in a German-Israeli dialogue this background is particularly interesting.
This text follows a chronological order, but it does not claim to provide a full and detailed list of all events related to data protection in Germany. It is a first-hand report on some experiences made by the data protection movement. One of the reasons for this is that I am convinced that learning about history from stories1 is a good way of learning. This article reflects my personal view.
This article was written for the German Israel Tech Dialogue, autumn 2020 (organized by „Böll-Stiftung“).
My personal motivation
This is why I’ll start by letting you know something about my personal motivation, the reason why I am engaged in data protection and civil rights. Thanks to very committed teachers I learned already while I was at school something about history and politics, rules and the culture of debates and about a state based on the rule of law; I learned also about totalitarianism, despotism and crime. I wondered how it was possible that the National Socialists (Nazis) gained power in Germany and what enabled them to oppress and persecute people and murder many millions. My decision: I want this never ever to happen again and I want to make my own contribution to preventing it from happening again.
Surveillance, registration and control of the population were main preconditions for segregating, deporting and killing people. For that reason the logical conclusion is: we must be active so that this kind of surveillance, mass registration and control cannot happen again. Not even in a democratic state.
Population Census 1933 and 1939
Let’s take a closer look at what happened in the 1930s. When the Nazis came to power in Germany in 1933 one of their first projects was to hold a population census as soon as possible. The Enabling Act deprived the parliament of its power and gave the Nazis unrestricted legislative authority. This is how a national law on a census of the German population was adopted on 12 April 1933 already. In June the census already began. It seemed to be really important for them.
Since we know how history continued the reasons why the census was held are obvious. They wanted to know how many men were fit for fighting so that they could prepare the war; they wanted to implement an “active” population policy for promoting the “Aryan“ offspring and they wanted to register certain ethnic groups, for instance Jews, for preparing their extinction.
The German experts for statistics were happy and knew that their hour had come. Friedrich Zahn, president of the German statistical society (“Deutsche Gesellschaft für Statistik“) stated at the time:
“By their very nature statistics are close to the National Socialist movement.“ 2
For the second population census performed by the Nazis information had to be provided on a second, separate card that was added to the household list. In that complementary card, the Nazis asked for the ethnic origin (“Was or is one of the four grandparents a Jew?“). The complementary card was to be handed to the census takers in a separate envelope to give the impression that the information was anonymous. As a matter of fact the information did not remain anonymous. False statements carried heavy penalties. These two censuses did not remain the only measures for registering the population: in 1935 the workbook (German: Arbeitsbuch) was introduced, followed in 1936 by the health register (German: Gesundheitsstammbuch); in 1938 followed compulsory registration at the place of residence and in 1944 the personal ID-number.
Hollerith Machines: IBM and the Holocaust
Let us now talk about technology. In the late 1880s the US engineer Hermann Hollerith had invented a punch card system in order to be able to faster record and process census data. He had been inspired by the train conductors who used to punch holes in the tickets when controlling them and actually used the positioning of the holes in the ticket for encoding information on the passengers (male/female, old/young) to make it more difficult to pass on the tickets to other people. The punch card company founded by Hollerith in 1896 was initially called CTR, in 1924 it changed its name to IBM. In 1911 Deutsche Hollerith Maschinen Gesellschaft, abbreviated as Dehomag, was founded. It used the Hollerith licenses. Dehomag obviously did excellent lobby work offering their technology for the censuses. Thomas J. Watson, head of the US company IBM did not flinch from a personal meeting with Hitler. There is a photograph of this visit to Hitler in June 1937. On the same day Hitler awarded him the “Order of the German Eagle with star“3 for his services to data processing in Germany (and for him using his role as president of the International Chamber of Commerce to play down the dangerous development in Nazi- Germany). Watson returned this order on 06 June 1940 only after having been exposed to strong public pressure in the US. All the time IBM profited from license fees paid by Dehomag – even during the war. Dehomag played a leading role not only in the population census. They were also involved in the administration of the concentration camps. All this history is comprehensively explained in Edwin Black’s book “IBM and the Holocaust”4. He had discovered a Hollerith Machine in the holocaust museum in Washington. This inspired him to engage in this research. It is quite obvious: such a fast and efficient complete registration of the population would not have been possible without the Hollerith/IBM technology.
There is a thrilling “What if” story showing what it would have been like if Charles Babbage had invented the computer 40 years before he actually did and if the Nazis had had real computers, databases and big data processing: in his novel “NSA” (in this case standing for “Nationales Sicherheitsamt” (national security office)) science-fiction author Andreas Eschbach describes it very impressively.
„Die restlose Erfassung“ by Götz Aly and Karl Heinz Roth - an important book that appeared on the occasion of the census in the 1980s.
„IBM und der Holocaust“ by Edwin Black on the involvement of the technology company IBM in the crimes of the Nazis.
The Evil: Turning People into Numbers
When considering these processes on an abstract level we should be able to see that not only the abuse but also the legal use of this kind of data is an issue.
In their book “Die restlose Erfassung” Götz Aly and Karl Heinz Roth write:
“Is it not a fundamental attack against human dignity when persons are turned into abstract figures? Does this not tempt to realign or adjust – as statisticians call it – humans turned into profiles? Figures strengthen the power of the objective, the rationality of arbitrariness. Even without abuse.“
Those who have access to the data have power over the people. Reducing humans to figures makes those who have the power forget their scruples about categorising, manipulating, harming people.
Digression: Censuses in the Bible
By the way – turning humans into figures is not a new phenomenon. The census mentioned in the Nativity of Jesus5 is well known. And perhaps some know about the evil consequences of that census: the story from the Gospel according to Matthew describing how King Herod began to fear the new-born Jesus as coming king of the Jews and ordered that all children in Bethlehem up to the age of two were to be murdered6. Here, too, the census enabled a mass murder.
In contrast rather unknown is that 1000 years before yet another census had been performed under King David – as far as I am aware this is the oldest report in history about such a project. The text of the Bible leaves no doubt as to what a census is in the eyes of God: a mortal sin, hubris and folly. God sent the plague to Israel to punish David for his hubris. Many people died until King David asked God punish him personally since not the people of Israel but he had committed the sin of ordering the census7.
The Planned Census in the Early 1980s
With this background knowledge of history, it is not very surprising to find that the population of the Federal Republic of Germany opposed the census planned for 1981. In the 1980s, the people in Germany were very aware of what had happened during the rule of the National Socialists and also of surveillance by the totalitarian state of Stalin's Soviet Union and surveillance by the Stasi in the East of Germany, i.e. the GDR. George Orwell’s dystopic novel “1984” was a popular book – also because the 1984 was approaching. Not only left-wing groups opposed it because they did not trust the state; the opposition also gained a broad basis among a self-confident civic population. People felt: “Why should it be the state’s business to know where I live, how big my flat is? They might eventually want to know how much I earn or something like this!” and “How are they going to use this information?” and “What else will they be able to do with it?”. People feared to become “transparent citizens” and that this might be the beginnings of a surveillance state. This is why there was an appeal to boycott the census – an act of civil disobedience. Some people decided to lodge a constitutional complaint at the Federal Constitutional Court. In Germany, citizens may lodge a constitutional complaint within one year after a law was adopted. The Supreme Court for this kind of complaints is the Federal Constitutional Court at Karlsruhe.
Apart from the diverse activities and many press reports there were three main factors contributing to the rapid growth of the data protection movement: 1) Each and every one was affected by the census. 2) Something perceptible would happen: Census takers would come to people’s homes and questionnaires would have to be completed. 3) The data were to be processed by machines. People were afraid of this. In the early eighties people hearing the word “computer” did not yet envision their own PC but large mainframe computers – the “Computers of Others”8.
Milestone: The Census Ruling
On 15 December 1983 the Federal Constitutional Court passed its judgement on the census. It was a ground-breaking judgement with significance far beyond the census. It established the “fundamental right to informational self-determination”. The court derived this fundamental right from the general personal rights and human dignity, i.e. from Article 1 of the Basic Constitutional Law of the Federal Republic of Germany (Grundgesetz): “Human dignity is inviolable.” and Article 2 “Every person has the right to free development.”9 In explaining their judgement, the judges used mostly an easily understandable language so that not only lawyers but all citizens could understand it.
The most important sentences in the judgement on censuses explains why access to our data can restrict freedom:
“A social order in which individuals can no longer ascertain who knows what about them and when and a legal order that makes this possible would not be compatible with the right to informational self-determination. A person who is uncertain as to whether unusual behaviour is being taken note of at all times and the information permanently stored, used or transferred to others will attempt to avoid standing out through such behaviour. [...] This would not only restrict the possibilities for personal development of those individuals but also be detrimental to the public good since self-determination is an elementary prerequisite for the functioning of a free democratic society predicated on the freedom of action and participation of its members. From this follows that free development of personality presupposes, in the context of modern data processing, protection of individuals against the unrestricted collection, storage, use and transfer of their personal data. This protection is therefore subsumed under the fundamental right contained in Article 2.1 in conjunction with Article 1.1 of the Basic Law. In that regard, the fundamental right guarantees in principle the power of individuals to make their own decisions as regards the disclosure and use of their personal data.”10
The court made it clear that these limitations of our personal rights were not just personal matters but matters related to our democracy itself.
“Citizens who assume, for example, that attendance of an assembly or participation in a citizens' interest group will be officially recorded and that this could expose them to risks will possibly waive exercise of their corresponding fundamental rights (Articles 8 and 9 of the Basic Law).”
If somebody refrains from exercising her or his personal liberty rights like the right to freedom of assembly because they are afraid that it might have negative consequences for them at a later time, this will be detrimental not for this person alone but for the entire society. This is because then this person’s opinions, ideas, criticisms and proposals for improvement will not be contributed to the general pool. In consequence not only the dispute and constructive competition of ideas will not take place, but in the long term also the innovation of the society will be prevented. This is why data protection – or rather the protection of personal rights – is not just a private matter everybody can negotiate for her- or himself, but it is in the general interest and protects our democracy.
The effect of the court ruling on the Census Act went far beyond this particular case. It set high standards for the future treatment of data and influenced subsequent legislation.
There had been a first data protection act in the federal state (in German: Bundesland) of Hesse since 1970. Its author was Prof Spiros Simitis who is considered to be the “father of data protection” for that reason. In 1977 the Federal Republic of Germany got a federal data protection act. However, the 1983 court ruling on the Census Act made it clear that the stipulations included there did not meet the constitutional requirements – an update was needed.
Data Protection becomes Top Issue – The Civil Society is Active
This court ruling was a great success for the people opposing the census. The census 1983 was prohibited by this ruling. In 1987 a new census was carried out under framework conditions that complied better with data protection. For instance, the personal information was separated from the other questions and the questionnaire was revised. This was to ensure greater anonymity. The reason was that in 1983 there had been fears that by combining certain features it would be possible to relate supposedly anonymous data to a specific person. Yet, the doubts of the critics were by no means dispelled. Also in 1987 they still feared that civil rights might be restricted through the back door.
At that time the census takers were to go to the peoples’ homes and enter the information in the census sheets together with the people. Resistance grew. There were many different forms of actions. People spread tips on how to make the documents useless for evaluation by machines. People refused to open their doors to the census takers, covered their names next to the doorbell with the names used as standard name in samples of official documents like ID-cards and voluntarily ran the risk of being fined. Brochures with reasons why the census should be opposed were produced. In many places people protested in public against the census and there were many local action groups advocating a boycott of the census. In some cities the administration caved in and added the missing data by simply copying them from the existing citizens register. This kind of contradicts what taking inventory of the population is meant to be.
The public dispute about the census is also reflected in surveys held at that time. In December 1987 the Emnid-Institut published a survey that the threat by data abuse was ranking fourth among the fears of the people living in the Federal Republic of Germany – just behind the risk of war, unemployment and destruction of the environment.
In the 80s the civil society was extremely active. A large number of data protection, civil rights and internet organisations were founded in Germany. Among them Chaos Computer Club, Digitalcourage (at that time still called FoeBuD e.V.), Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung (FIfF), Deutsche Vereinigung für Datenschutz (DVD), Komitee für Grundrechte und Demokratie – all of them in addition to the already existing associations Humanistische Union (1961) and the International League for Human Rights (1914 / reconstituted in 1959). Each of these organisations had its own style and focussed on different aspects. At the same time they collaborated closely.
Computers and Hackers
What was even more important: during the 1980s personal computers became affordable. Many – especially young people – learned how to use them, experimented a lot and became really proficient programmers. The scene was vivid, mobile and very creative. In 1984 members of Chaos Computer Club hacked the account of the savings bank Hamburger Sparkasse in the Bildschirmtext (abbr. Btx., english: videotex) system operated by Deutsche Bundespost, in 1986 they hacked NASA (oh, yes 11). These hacks showed how insufficiently data were protected on the servers. A simple Atari computer and a modem was enough for a teenager to get a server under control and get access to the data on this server. Before computers were large mainframe computers and considered to be instruments of oppression, now the own personal computer became an instrument of liberation, self-empowerment and exchange with others.
Below I will describe the beginnings of Digitalcourage as an example showing what was typical for the scene in Germany and how important the mutual exchange was for the various people and groups involved in it – in particular for all those who were interested in politics and technology.
In 1985 some guys of the Chaos Computer Club were guests at gallery Art d'Ameublement in Bielefeld, run by padeluun and myself (Rena Tangens). They used a computer to produce a Mandelbrot image (a fractal graph related to chaos theory). This took one and a half days at that time. The first thing they did, however, was to open the telephone connection box and connect one computer with the telephone line via a DIY- modem in a coffee mug. They used the data link Datex-P to access and forage on other servers. One of them was the server of the Washington Post where we were able have a look at the next day’s news. In contrast to today this was not intended to happen at that time. But it was not illegal either because there was no law prohibiting it, yet, because the legislator was not yet aware that a hack like this was possible at all. We were fascinated! Fascinated on the one hand by the unlimited possibilities the networks promised and on the other hand by the shining eyes of the people who were present and watched the event. Something very thrilling was happening right there and then. A new world was opening up. We did not just want to explore it – we wanted to shape it, too. And we wanted to make it a better world.
The young people who were present 1985 in our art gallery formed the hard core of a group organizing the series of events called “Public Domain” and founding Digitalcourage (at that time still called FoeBuD) in Bielefeld in 1987. “Public Domain” meant that everybody was welcome, even if they had no computer expertise. On the other hand “Public Domain” also stood for “public affairs”, i.e. issues we should look into. In this environment comprised of technology, politics, science, and fun evolved a very communicative scene whose members loved experiments.
Building Independent Communication Networks
One of the most important projects we implemented together was creating our own network system – a bulletin board system called BIONIC commissioned in 1989. This bulletin board system could not be used only for exchanging personal emails, but also for exchanging public news in so-called boards sorted according to topics. This was the first time that is was possible for everybody to publish their own texts, write current news, connect with others and find active supporters. There was no editorial board, costs were minimal and there was no censorship.
Our network node used the Zerberus MailBox12 software. Soon the Bielefeld group was in close contact with the programmers of Zerberus. And these programmers were very open for new ideas. Zerberus implemented “Privacy by Design“ even before Ann Cavoukian published its concept, i.e. they provided data protection knitted into the fabric of the technology itself. Access to users’ personal mailboxes required the user's password. Thus not even the system operators were able to read the messages in the users’ personal mailboxes. Zerberus also implemented “privacy by default”, i.e. privacy-friendly standard settings . Other users, for instance, were not able to see who was online at the same time unless a user had enabled this feature intentionally. The users paid a small monthly fee for using the bulletin board server and thus jointly financed the cost for operating it. There was no advertising. And no spying on the users. The bulletin board systems Z-Netz and /CL were organized in a decentralized network. The users decided about their content, there was no censorship – but there were rules. Twice a year the German bbs operators met and during these meetings they discussed rules of behaviour – netiquette – contents and new boards and political subjects. Data protection was an important topic in these discussions because the bbsoperators knew it from their own personal experience. All this was exciting – we could feel the heartbeat of time and could make great impacts. This was because the technology we were helping to develop created the framework for others to become active and communicate. We wanted to use this power responsibly. We wanted the users to be responsible users of the technology and wanted to protect them – even from ourselves.
1989: Protests first in Leipzig, then in many places of the GDR. And eventually, in November 1989, the wall really collapsed – not even the secret services had expected this. A peaceful revolution in Germany! People were enthusiastic (not all of them, of course). There was the hope that the best of both systems could be combined. But then re-unification of East and West Germany happened rather quickly. The Soviet Union collapsed. Historians called it the end of history. People were made to believe that everything was well now. No more cold war. Democracy everywhere.
This is the short version. Of course there would be much more to say and to dispute about this. One thing important in this context:The competition of the political systems disappeared. Capitalism that had been controlled by lots of rules and social systems now felt as the winner and abandoned all restraints – it became predatory capitalism.
Early in the Nineties the independent citizens' bulletin board networks flourished. Even in these early times they had already roughly 100,000 participants in the German speaking countries. From 1992 until 1996 Z-Netz and CL-net got company during the war in former Yugoslavia: Zamir Transnational Network. “Zamir” means “for peace”. Since the telephone lines between Serbia and Croatia had been interrupted for political reasons the Zamir network now provided connections between peace activists in various parts of Yugoslavia by means of long-distance connections via Germany. Zamir bulletin boards in Zagreb in Croatia, Belgrade in Serbia, Ljubljana in Slovenia, Pristina in Kosovo, and even in Sarajevo in Bosnia (which was under siege for three years) allowed people to communicate with each other and the world and to find missing relatives and friends. All Zamir bulletin boards ran on Zerberus software. The node providing the connection was the Bionic-Mailbox in our basement in Bielefeld. This entailed great responsibility and was one more reason to be very serious about data protection related to software and the operation of the network.
At the same time the World Wide Web developed. With its launch in 1993 and the graphic user interface it offered the web suddenly became interesting also for big business and advertising. AOL (America online) became the world biggest provider during the period from the mid-1990s until the first half of the 2000s and lead to a totally new network culture. For years free floppy discs and CDs with AOL-access software were now enclosed in many computer journals. The millions of new users had no idea how the network functioned. They had no idea of how easy it was to read emails or to log their online behaviour. There was no information, no personal responsibility, no rules of behaviour. You just had to log in. Click and go. Data protection? Who cares!
During the mid-1990s the Internet- or so-called dot-com bubble evolved. The share market overheated; tech start-ups were in a race to burn money. It did not matter what they actually did – venture capital companies bought anything. Money is power without responsibility.
By the end of the 1990s a market for privacy-friendly access software simply did not exist anymore. With the market gone it was also impossible to assure data protection as part of the software design itself. We had to find other ways of implementing our idea of a digital age world worth living in. We found this way through a journalist’s phone call.
The First BigBrotherAwards
1999 Christiane Schulzki-Haddouti wrote an article about the BigBrotherAwards in the UK for heise.de13 – an award for the greatest data protection sinners. As part of her research she called Digitalcourage and asked why there were no BigBrotherAwards in Germany and if we wouldn’t want to organize them. Spontaneously we said yes, we will do it. ‘We will do it’ was then the headline of her article – so we actually had to do it. The year 2000 saw the start.
Right at the beginning we had decided not to organize this event alone, but to include competent representatives of other data protection, civil rights and net organisations in the jury. Chaos Computer Club, FifF, DVD, and the international league for human rights were included – hackers, programmers, a well-known lawyer, and a vice data-protection officer of one of the federal states. With a mix of charm, daring and madness (at that time we never knew in advance if we would be able to fund the event – all of us were still doing this work as volunteers) we organized the first BigBrotherAwards to be held in Bielefeld. And the awards were such a success as if the public had been waiting for them. There were TV-reporters, lots of print media and even a staff writer of the French daily paper “Le Monde” had come from Paris. The headline of his article was “The Oscars for surveillance” – a motto that stayed with the BigBrotherAwards.
Since 2000 we have been handing out the BigBrotherAwards in Germany. They come in various categories: politics, authorities and administration, technology, consumer protection, working environment – other categories are created if and when needed. We also have an “award for lifetime achievements”.
Data Protection by Publicity – The BigBrotherAwards work
The BigBrotherAwards let people understand the abstract issues of data protection, surveillance and manipulation. They name names, i.e. politicians, institutions and companies who are responsible for violations of data protection, surveillance technologies and laws and unlimited data collection. They make information public that had been hidden before and they enlighten the public. The BigBrotherAwards made the public aware, for instance, that discount cards, scoring, road toll cameras, hidden IDs in colour copying machines, and mobile phone surveillance endangered civil rights and privacy. At an early stage they warned of the health card, the tax ID and data retention. They were very outspoken about the foreign nationals register, eavesdropping operations and anti-terror legislation. The BigBrotherAwards event delivers the media an occasion for detailed reporting. Each year the public TV channel WDR arranges a live broadcast and interview from the event.
How do we find our candidates? Every year the BigBrotherAwards receive several hundred reports and proposals for suitable winners. These proposals come from cheated consumers, employees who were spied on, admins, software developers, and civil servants. Sometimes the proposal comes as a brief email starting our research; sometimes we get an entire dossier. We follow the leads, observe the technical and political development and do in-depth research.
Whether companies or politicians – none of the award winners is happy about being chosen. One week before the event we invite them to join, but most of them do not come to receive the award. There were surprising exceptions, however: in 2002 Microsoft sent their data protection officer to the event to receive the award for lifetime achievements on behalf of Microsoft. In 2019 the editor-in-chief of Zeit Online joined the BigBrotherAward event to make a statement. Also Deutsche Telekom had the courage to come and collect the award in 2008. Actually Telekom asked us in confidence several months in advance if they would get the BigBrotherAward – “they could quite imagine that they had deserved it ...” (Telekom had spied on their own supervisory board using their phone connection data and had been found out).
Others thought they could simply ignore the BBA. One of these was chemical company Bayer AG. They had been nominated for taking urine samples of their trainees for drug tests. They didn’t even bother to respond. However, several weeks later we got an invitation from the organisation of ethical shareholders. They transferred some Bayer shares to us. This made us shareholders all of a sudden and gave us the right to address the Bayer shareholders’ assembly. So this BigBrotherAward was delivered to the Bayer executive board not with 500 guests at the event in Bielefeld, but with 5,000 participants at the Bayer shareholders' meeting in Köln (Cologne).
Other BigBrotherAwards winners more or less openly threatened us with legal actions, e.g. Post AG, the Lidl supermarket company or the Turkish religious organisation Ditib which got the award for letting imams sent from Turkey spy on their community members. However, this kind of threats never kept us from awarding the winners. We will not be intimidated. We are protected by the public and by our financial independence. Digitalcourage does not receive state funding and does not accept sponsoring by big companies. We are financed mostly by private donations and supporting members. Therefore, nobody can just cut our funding. The by now (2020) nearly 3,000 members are not only important for our financial independence, they also show how many people in Germany feel that these things are important and thus giving Digitalcourage political weight.
The BigBrotherAwards are an important instrument for enlightening the public. Often they also have direct consequences for the award winners. For instance, after they had received the BigBrotherAward customer card company Payback was sued by the consumer protection association for collecting data through their customer card and had to recall all their registration forms and revise their data protection regulations. The mail order division of Tchibo initially protested against being awarded the BigBrotherAward. Several years later they tacitly terminated the criticized sale (they called it “letting”) of user addresses. After the Computer Science Corporation (CSC), who has close links to their parent company working for several secret services in the US, was awarded the BigBrotherAward the procurement guidelines for public authorities were revised so that companies having links with foreign secret services will no longer be awarded this kind of contracts. As a consequence, several federal states cancelled their contracts with CSC.
The BigBrotherAwards also have a preventive effect. We know that in companies they talk about us on the executive floor. Data protection officers in companies do use the BigBrotherAwards for leverage when they intervene against spying on customers or employees. (“If we do this, we might get a BigBrotherAward – this would damage our reputation.”)
After the decline of data protection awareness in Germany in the 1990s, the BigBrotherAwards gave it a new impetus. This is reflected by the results of an EU study comparing data protection awareness in several European countries14.
Now let’s go on with the chronology: in mid-2000 the dot-com bubble burst, heaps of venture capital had been burned. Google had a narrow escape and sought for other ways of making money. The concept of surveillance capitalism began to materialize.
Then came the attacks of 11 September 2001. They changed the world abruptly. The terrorists provided the agitators among the politicians with a welcome excuse to pull a lot of surveillance laws out of their drawers they had wanted for a long time – now they could push them through the parliaments. In Germany the most notorious person in this context was Otto Schily, minister of the interior, whose quickly presented package of surveillance laws was ridiculed as “Otto catalogue”15. From this time on the struggle against state surveillance gained much more urgency. However, many thought there was no way to fight it. “What can I as an individual do about it?” But this changed after some time.
padeluun and Rena Tangens with the Critical Shareholders in front of the entrance to the Bayer Annual General Meeting, 2003
Rolf Gössner gives the laudation for Federal Minister of the Interior Otto Schily for "Lifetime Achievement" at the BigBrotherAwards 2005
More about the BigBrotherAwards:
Show all award winners
Milestone: Winning Against Metro AG Inspires the Movement
In 2003, Metro AG received a BigBrotherAward for their “field experiment” with RFID-chips on the goods offered in a supermarket in Rheinberg near Duisburg. RFID-chips (Radio Frequency Identification) are tiny chips with integrated antenna containing information on the product and a unique serial number for every copy of the product. This information can be read by means of radio equipment. It is a risk for privacy since the reading of an RFID chip – other than a bar code – can be done without visible contact, thus without being noticed. How justified we were to issue the BigBrotherAward to Metro AG we found out several months later. In early 2004, we discovered that the group had hidden RFID-chips also in the Payback customer cards issued by that supermarket – without informing the customers. About 12.000 supermarket customers had a spychip in their wallets without their knowledge. We published this case in the media. The Financial Times reported about it and it even got into the stock exchange news about Metro AG. And we organized a demonstration in front of the supermarket. This was the first public protest against RFID- technology. The photos of this protest went around the world. In the end Metro AG withdrew the bugged card.
This success inspired many people. It proved that resistance was not in vain. The news magazin Der Spiegel wrote:
“It is an unequal fight – a handful of volunteering enthusiasts against companies worth billions – but they are successful.”
Indeed, at that time Metro AG was the world’s third biggest retail company. Digitalcourage had just slightly more than 60 members. Yet we won.
The Struggle against Data Retention
This success was extremely important for the data protection movement. It brought hope and made people become active. The next issue had been identified already: the retention of all telephone data as envisaged by the EU. During the Chaos Communication Congress held in late 2005, the working group for data retention (“Arbeitskreis Vorratsdatenspeicherung”, short: AK Vorrat) was founded. Various organisations and individuals were members of this working group and all used their expertise for fighting data retention – which is mass surveillance without cause. They provided information, studies, legal opinions, letters to politicians, public presentations and protests. The lawyers Patrick Breyer and Meinhard Starostik drafted a constitutional complaint against data retention. Together we collected signatures on paper and online in support of the constitutional complaint. It was like a miracle: more than 34,000 people signed a power of attorney for Meinhard Starostik and thus became co-appellants. On 31 December 2007 we submitted the complaint at Karlsruhe. It was the biggest constitutional complaint in the history of the Federal Republic of Germany.
Milestone: Demonstration “Freedom Not Fear!“
Resistance continued. We organized demonstrations under the slogan “Freedom not fear” (in German: Freiheit statt Angst)16. More than 160 organisations joined our call to demonstrate. They were not all classical civil rights organisations but very diverse, reaching from trade unions, physicians' associations, youth organisations, parties ranging from liberal democrats, through greens and pirates up to the Left, journalists’ associations, Amnesty International, the anti-capitalist block, and included charities like AIDS-Hilfe and the telephone crisis line of the protestant church. In 2008 approximately 50,000 people demonstrated for “Freedom not fear” in the streets of Berlin. This was more than those who had supported resistance against the census in the 1980s.
A great success: On 02 March 2010, the Federal Constitutional Court decided that the data retention act adopted by the federal parliament in 2007 was unconstitutional and void. This meant that the act was ineffective and any data that had already been collected had to be deleted. (Spoiler: Unfortunately, this did not prohibit data retention itself. It was still allowed under certain conditions. Which allowed government to pass a revised law for data retention in 2015.)
When the judgement regarding data retention was pronounced, we knew that we had a chance to get red also of ELENA17. ELENA (the electronic income slip) was a System for retaining detailed data of employees – also data retention. However, the deadline for filing a constitutional complaint ended on 01 April 2010, so there was little time. But at an activists’ congress in January we had already prepared for action. Meinhard Starostik, our lawyer, had prepared the complaint, the website for collecting signatures of supporters was ready, press releases were written – everyone was just waiting for the word “Go!”. We managed to get more than 22,000 co-appellants within a mere 14 days. For signing, the people had to do more than just click once on a website. They had to fill in a form, print the PDF-file generated on its basis, sign it and send it in an envelope by ordinary mail to Digitalcourage. The powers of attorney filled many physical folders. On March 31, an entire van full of boxes with ring binders with 22,000 pages saying “No!” went to the Federal Constitutional Court in Karlsruhe. This commitment of the citizens made a strong impression on the politicians. ELENA was actually abolished on the ground that it violated data protection without the need for proceedings at the constitutional court.
In 2011, we issue a BigBrotherAward to Facebook and described it as a commercial “gated community” operated for the purpose of spying on its users and manipulating them. In 2013 Goggle received a BigBrotherAward. We demanded: “Google must be broken up.” Some people of the tech scene get angry about this because they think Google is nice and useful. But Google is extremely powerful – too powerful. In some areas Google actually has a monopoly. There is no functioning competition anymore. Google does not just collect the most detailed information about every person, Google also decides by the search results it presents what people consider to be relevant; Google has deprived the newspapers of income from advertising which endangers their funding. Google has no democratic legitimation, and it is more powerful than many states. Google is a risk for democracy.
Digitalcourage on the way to the Federal Constitutional Court with attorney Meinhard Starostik (7th from left) to submit the constitutional complaint against data retention
Milestone: Edward Snowden makes Surveillance by US Secret Services public
In June 2013 Edward Snowden, a former CIA and NSA employee, turns into a whistle- blower. In Hong Kong he hands over confidential information about surveillance systems operated by the US secret services to the media, among them Glen Greenwald, a journalist writing for the British “Guardian”. He also grants Laura Poitras, a documentary filmmaker, interviews. He discloses his identity and describes what motivated him to make this decision. This had very severe repercussions for him. He had to flee his country and since then he has been living in exile. On his motives for becoming a whistleblower Edward Snowden said:
“I do not want to live in a world where everything I do and say is recorded. That is not something I am willing to support or live under.”
His disclosures hit like a bomb. Bit by bit more details about this mass surveillance were published. People in Germany were very outraged. Many understood only then that they were watched all the time, that every one of their movements, all their communication and statements were monitored and could be recorded by the US services (and others belonging to the Five Eyes18). For many years, we had been warning that it was possible. Now it was no longer just a theoretical assumption – thanks to Edward Snowden we had evidence proving that mass surveillance by US secret services was a matter of fact, something that it was actually happening. We could say, “we told you so.” Yet, in this case, we would have preferred to be wrong.
Then it became public that also the German Chancellor’s mobile phone had been tapped. Angela Merkel said: “Eavesdropping among friends is totally unacceptable!” The federal government promised a thorough investigation and gave the impression that they intended to do something to end the mass surveillance of the German population. But: What happened in the end was ... nothing.
The Paradoxical Snowden-Effect
Initially more people joined the movement for civil rights and data protection. Many were outraged and wanted to become active themselves. But then time went on and the federal government did not make any serious efforts to try and make an end to surveillance by foreign secret services. They just tried to wait and let the storm pass. After the election for the federal parliament in autumn 2013, the Christian Democrats/Christian Socialists and Social Democrats took over the government forming a Great Coalition. The three parties that took a clear stance against surveillance were weakened (Greens and the Left) or no longer represented in the federal parliament (Liberal Democrats). The opposition parties had almost no more influence – a feeling of resignation began to spread. This was due to the psychological reason that it is traumatising to find that mass surveillance was not an abstract risk, but that one had been subject to surveillance for years. To get rid of this feeling people would say, “But CIA is not interested in me. And nothing actually happened. So it won’t be too bad.” or “It’s too late anyway.” Thus the feeling of discomfort is cut off and pushed out of sight. People do not want to think about it. The fact that the federal government remained idle, that controversies were not discussed, lead to an asymmetrical demobilisation19.
Influence of Awareness of Data Protection on the Use of Technologies
Others became more interested in tools supporting data protection in Germany. Already in the 1990s, Digitalcourage (at that time still FoeBuD) had supported the email encryption software PGP (Pretty Good Privacy) and published a manual in German for it. According to Phil Zimmermann, inventor of PGP, this made Germany the country with the second largest number of users. In 2013, after Snowden’s disclosures we created “digital self- defence”. We wanted to disseminate knowledge about tools supporting data protection and alternative platforms. The crypto-party movement evolved. Crypto-parties are events where people can bring their computers and smartphones and volunteers help them to arrange settings on these devices that provide better privacy.
However, there is often a lack of simple and user-friendly alternatives. For instance, there are no secure messenger services which we can recommend without reservations. The development of this kind of alternative services has to be promoted. We also need alternative search engines urgently since Google has a de facto monopoly in Germany. We have a concrete proposal for re-establishing competition; we propose to create a European search index20. This concept is now included in the policy recommendations of WBGU21 to the federal government and the EU presidency22.
Milestone: The European General Data Protection Regulation
A shift occurred in the European context on a completely different level. As early as 2012, Viviane Reding, the EU-commissioner responsible for Justice, Fundamental Rights and Citizenship, had started a fundamental revision of the European data protection legislation. The result was not to be an EU directive but an EU-regulation. An EU-directive has to be implemented in the national legislation in each of the EU member states, while a regulation will be immediately effective in all member states. For Viviane Reding the background was clear: the data protection laws existing to that date were no longer adequate considering the state of technological and economic development. What the EU needed was something like a “Lex Google” and “Lex Facebook” to be able to better respond to the new threats to personal rights created by the large digital companies. Of course these companies would not remain inactive in the face of this. Yet, I guess nobody imagined how fierce the battle of lobbyists would become that raged in Brussels for years. The US Chamber of Commerce sent lobbyists to Brussels. The digital companies spent enormous amounts of money on lobbying, media activities and public relations. They tried very hard to make data protection seen as bureaucracy, barriers for economy and anachronistic. Through EU MPs who had a liking for them, they submitted lots of proposals for amendments of the draft GDPR 23. There were more than 3,000 proposals for amendments as a matter of fact. It was something like a “denial of service attack” where you try to make a system collapse by overloading it since no EU MP would be able to read all these texts within a reasonable time before voting.
It is thanks to Jan Philipp Albrecht, the very committed EU green MP who was the rapporteur of the LIBE-committee (Committee on Civil Liberties, Justice and Home Affairs), and his team that the GDPR was adopted still within this legislative period. By an enormous effort that reduced the 3,000 proposals to 100 subjects and through superb diplomacy and tough negotiating they actually performed the miracle. If you want to get an impression of how democracy can work in the EU when it is at its best, you should watch the film “Democracy – Im Rausch der Daten“24 where these events are documented. The GDPR has been effective since May 2018.
Of course, the GDPR is a compromise and data protection movement criticizes a number of aspects, but a very important good solution included in it is the so-called marketplace principle. This means that it does not matter where a company has its seat – what matters is where it wants to do business. A company that wants to do business with EU citizens has to comply with the data protection rules applying in the EU. The second important aspect is that in case of non-compliance fines are so high that paying them can be really painful for a company. This gave data protection top priority.
Before these rules were introduced, lobbyists created fears that Europe might be left behind if we had strict data protection regulations here and that nowhere else in the world anyone would care about them. But the opposite happens. Other countries are using the GDPR as model and create similar data protection laws for themselves – one of them is California. The data protection officer of a credit card company told me during a conference that they were against the GDPR initially. Now that it is effective legislation they would comply with it, of course, and not just in Europe alone but everywhere in the world. They do this because they do not want to have different rules for different countries. Not all is well for data protection in Europe, yet. We still have a lot of work to improve the law, and many more court proceedings will be required to enforce privacy rights.
Now our activities focus ever more on the monopolies of the internet companies. Germany intends to modernize its law on competition so that it is better able to deal with the novel requirements posed by digitalisation. One of the first changes is that not only the sales figures but also access to data is to be used for determining whether a company is controlling the market. We consider the law on competition to be a potential tool for limiting the power of the data collecting companies and together with Oxfam, experts for cartel law and green entrepreneurs we have produced a critique of the draft law.25.
We set our hopes in Margrethe Vestager, the EU Commissioner for Competition, who has proven already in the past that she is courageous and able to assert herself.
Shoshana Zuboff’s book “The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power” published in 2018 is a fundamental work. She criticizes the appropriation of mass data by the companies which collect information on any activity of people as if it was unclaimed property. They use this information and make enormous profits with it. In doing so they intentionally ignore laws and create facts.
Media, in particular newspapers, were weakened because Facebook and Google took over their advertising market. Facebook and Google make payments to media, institutes where journalists are trained and NGOs. The beneficiaries of these payments of course deny that they feel influenced by the money, but it would be naive to believe them.
When the basis of their business model is at risk, the platform companies are not amused at all. In 2015 Google stopped using its slogan “Don’t be evil”. Currently Google does not even try any longer to pretend they were friendly – neither vis-à-vis critical employees nor vis-à-vis persons who criticize their business policy. They play hardball now. One example: The influential Washington think-tank “New America Foundation” had a working group for “Open markets”. In a blog post Barry Lynn, the chairman of this working group, supported the decision of Margrethe Vestager, EU commissioner for competition, to order Google to pay a fine of USD 2.4 billion. A little while aftert hat, he was sacked27. Background information: Google is one of the sponsors of the New America think-tank. In consequence, the entire Free Markets working group left the think-tank and set up business outside it.
Another case: In May 2019 it became public knowledge that Richard Allen, a lobbyist for Facebook and former Tory MP, had blackmailed members of a high-ranking EU expert group28. This group studied the issue of disinformation and intended to demand so-called sectoral inquiries for determining if platforms control markets. Sectoral inquiries are generally accepted instruments of cartel authorities. In order to prevent that this demand would be entered in the joint paper of the expert group, Allen used coffee breaks to talk to representatives of various nongovernmental organizations and threatened to cut their funding, if they voted in favour of sectoral inquiries. Obviously the threat was effective – sectoral inquiries did not make it into the paper. This shows how dangerous it is for NGOs to collaborate with big companies. They become dependent on their money.
Addiction and Manipulation
Typical for surveillance capitalism are the efforts of the platform companies, in particular Google, Facebook, YouTube, Instagram, Tiktok, Netflix, to keep the people spending as much time as possible on their platforms. This is why the user interfaces, the offers and settings are psychologically designed in such a way that they cause addiction. Smartphones work like slot machines: just have a quick peek if there is a new message or a new photo. There is always the promise that there might be something nice. The attention span gets ever shorter, many people are no longer able to read longer texts or to remember things instead of just looking for them at Google. People who only use Google Maps as guide lose the ability to read maps. People long for confirmation by others. This makes “Likes” so important and this is why it is such a catastrophe if they don't get them. Photographs of others have to be liked within 24 hours otherwise there is the risk of being downgraded. This creates social pressure – you have to be online and accessible all the time. The “endless scroll” keeps people scrolling because they try to reach the end of the page which never comes. Typically default settings are on Autoplay, so when one video is finished, the next video will start automatically; this keeps people watching longer. Eventually the algorithms are designed in such a way that they generate as much activity as possible on the provider’s own platform. For instance, after a search result was shown YouTube keeps proposing videos with similar subjects but with a trend towards ever more radical content. It doesn’t matter if the people agree with this more radical video or get angry because they do not share the views presented in it – it will definitely make them spend even more time on YouTube. All these tricks aimed at influencing our behaviour have a terrible effect that goes beyond surveillance. They keep people from doing other, more useful, healthy and creative things, they influence their opinion and often they lead to the users’ radicalisation. The more confused and radical the stories are, the more people who are getting fed by the algorithms will end up in a filter bubble – not just with an opinion but with their own personal truth.
All these things have a very negative impact on our society. It is high time to defend ourselves against them. These companies will not change their behaviour voluntarily because it is part of their business model. We need laws forcing them to change. We must do this before it is too late.
To come back to the question I asked at the beginning: the awareness for data protection in Germany certainly is based on this country’s experience of two dictatorships. Since the 1980s we experienced many changes and several successful campaigns of the data protection movement which inspired also others in Europe. On the other hand surveillance capitalism and the unrestrained power of the internet companies keep requiring incessant struggle for freedom and democracy. We have to keep fighting for civil rights. If we do not use these rights, they will be taken away from us. And we must not trade these rights for a mess of pottage29.
- George Orwell: Nineteen Eigthy Four (1948)
- Aldous Huxley: Brave New World (1932)
- John Brunner: The Shockwave Rider (1975)
- Götz Aly, Karl Heinz Roth: Die restlose Erfassung (1984; German only)
- Edwin Black: IBM and the Holocaust (2001)
- Daniel Solove: Privacy and Power (2001)
- Heribert Prantl: Der Terrorist als Gesetzgeber (2008; German only)
- Christian Bommarius: Das Grundgesetz – eine Biographie (2009; German only)
- Andreas Eschbach: NSA (2018; not translated – yet)
- Marc-Uwe Kling: Qualityland (2018)
- Shoshana Zuboff: The Age of Surveillance Capitalism (2019)
Sources and further informations
1 Dieter Baacke, Theodor Schulze: “Aus Geschichten lernen“ (German only), Weinheim, 1993.
2 Quotation based on Götz Aly, Karl Heinz Roth: “Die restlose Erfassung. Volkszählen, Identifizieren, Aussondern im Nationalsozialismus“, Frankfurt am Main, 2000 – Friedrich Zahn was president of the “Deutsche Statistische Gesellschaft“ from 1926 until 1943. After the Nazis took power he wholeheartedly supported their government.
3 Deutscher Adlerorden mit Stern to Thomas J. Watson (Wikipedia).
4 Edwin Black: “IBM und der Holocaust. Die Verstrickung des Weltkonzerns in die Verbrechen der Nazis“, Berlin, 2002.
5 Luke 2, 1-20.
6 Matthew 2,1-16.
7 1 Chronicle, Chapter 21.
9 Fundamental Rights in the German Constitution (Wikipedia)
11 NASA (Wikipedia)
12 Please note: The German term ”MailBox” has the english meaning of ”bulletin board system”, short bbs.
13 The Heise publishing house now issues the journal ”c’t”, Germany’s most important computer journal; they also publish ”iX” and ”Technology Review”. heise.de offers online news and the magazine Telepolis.
14 EU study comparing data protection awareness in several countries as from 1991 (PDF).
15 Based on the company Otto Versand which was well-known in Germany and used to distribute huge mail order catalogues.
16 In English: „Freedom not Fear“. The English translation later became the title of the bar camp held every year in Brussels where activists from all over Europe are meeting.
17 ELENA-proceedings (Wikipedia; German only).
18 Five Eyes (Wikipedia).
20 Vorschlag zu einem Europäischen Suchindex (PDF; German only)
21 WBGU – German Advisory Council on Global Change (German: WBGU – Wissenschaftlicher Beirat der Bundesregierung Globale Umweltveränderungen)
23 GDPR (Wikipedia; German: DSGVO).
24 Movie: „Democracy – Im Rausch der Daten“ (Bundeszentrum für politische Bildung; German only).
25 Commenting: Digitisation Act (PDF; German only)
26 Google fined record €2.4bn by EU over search engine results (The Guardian).
27 Google Critic Ousted From Think Tank Funded by the Tech Giant (New York Times).
Google-funded thinktank fired scholar over criticism of tech firm (The Guardian).
29 Rena Tangens: „Tausche Bürgerrechte gegen Linsengericht“, 2004 (German only).