What Does the Coalition Agreement Say About Cyber Security and Digital Civil Rights?
The new coalition agreement aims to strengthen internet law and advance society in terms of cyber security.

Digital Rights and the New Coalition Agreement
The new coalition agreement aims to strengthen digital rights and advance society in terms of cyber security. This step is necessary because surveillance of citizens has been steadily intensifying since September 11, 2001. The traffic light coalition has set itself the goal of stopping this trend and, where possible, reversing it. To bolster online rights, the agreement addresses a wide range of issues: from data retention and user verification to the use of state Trojans.
It is important to note that the coalition agreement focuses specifically on internet law. It is not about enforcing legislation that violates European law or reforming the Federal Intelligence Service. The coalition has stepped back from those ambitions. Instead, the new measures are designed to provide greater security for individuals and businesses alike, making the agreement an important foundation for the future legal landscape online.
What Is Coming: The Right to Encryption and Rapid Closure of Security Gaps
The right to encryption is a cornerstone of digital self-determination. The coalition agreement places strong emphasis on this topic and makes it a key priority. Equally important is effective vulnerability management, such as the kind achievable through professional pentests.
The agreement assigns this responsibility to the state itself, which must create the conditions for genuine, encrypted communication. One promising approach is to separate parts of the Federal Office for Information Security (BSI) from the Ministry of the Interior. This would ensure that security advice and vulnerability research remain in the hands of independent experts.
Another critical point is closing security gaps as quickly as possible. Government agencies that become aware of such vulnerabilities should contact the BSI directly. Independent experts could then conduct external audits of the affected IT systems. Crucially, the BSI should pass these reports on to the affected companies without delay.
Effective vulnerability management categorically rules out accumulating vulnerabilities and processing them slowly. The stated goal of the coalition agreement is to eliminate potential attack surfaces as rapidly as possible. Purchasing security gaps and deliberately keeping them open undermines digital rights and should no longer be standard practice.
What Exactly Does the Coalition Agreement Say?
The coalition agreement takes a new approach to safeguarding digital rights. It aims to ensure data security as well as protection for businesses and individuals. To that end, it defines a range of fundamental areas of action designed to strengthen IT security and advance digitization in Germany:
- Digital Civil Rights and IT Security: The agreement seeks to strengthen online security and digital civil rights. This includes the right to encryption and effective vulnerability management. These are essential prerequisites for implementing security-by-design and security-by-default requirements. Manufacturers are generally liable for IT vulnerabilities that could cause problems in their products. This area of action also encompasses the cybersecurity strategy and IT security law.
- Data Use and Data Law: With a robust data infrastructure in place, the data collected offer significant potential for business, science, and civil society. It is therefore important to create better access, particularly for start-ups and SMEs. This requires excellent cloud security along with consistent data availability and standardization.
- Digital Society: The coalition agreement also aims to facilitate digital policy initiatives. These form the foundation for internet law and enable the desired freedom of communication. In addition, they support clear reporting procedures and the implementation of numerous research projects. Promoting data security and taking all necessary measures for end-to-end protection are essential in this context.
- Key Digital Technologies: A strong technology hub needs not only talent but also the legal foundations to drive innovation. Digital rights must go hand in hand with these new developments. Cooperation with other European countries is intended to ensure transparency and progress.
All of these measures also support the EU AI Act. Crucially, a multi-level, risk-based approach is intended to safeguard civil liberties online. The goal is to foster innovation while minimizing discrimination, thereby strengthening digital civil rights in the long term.
White Hat Hacking and Security Vulnerabilities
The new coalition agreement calls for expanded IT security research to safeguard digital rights on a lasting basis. This would make it far easier to identify, report, and close security vulnerabilities in systems. Attack simulations such as pentests, which enhance security for businesses, would then be fully legal at all times.
Since such tests currently occupy a legal gray area, the so-called hacker paragraph in the German penal code needs to be updated. The same applies to independently uncovering security vulnerabilities. White hat hacking would thus become explicitly legitimate in the future and could be used without legal concerns to eliminate weaknesses.
The use of state Trojans is not intended to be stopped entirely. However, higher intervention thresholds are planned to protect the rights of all citizens online. In line with the requirements of the Federal Constitutional Court, online searches would remain possible under this framework.
At the same time, the coalition aims to establish a legal basis for the controversial hacker authority Zitis. This would enable parliament and the data protection supervisory authorities to exercise comprehensive oversight. The development of surveillance tools, however, would remain unchanged.
Digital Rights - the Road Ahead for Digital Civil Liberties
A key principle is guaranteeing the right to anonymity in the digital space, just as in the physical public sphere. At the same time, biometric recognition in public spaces and automated government scoring systems are to be rejected. Unlike the approach proposed in 2010, targeted data storage alone should provide sufficient efficiency. The extent to which this form of data retention is permissible depends, among other things, on a pending ruling by the European Court of Justice.
Importantly, data storage should always be event-driven, never arbitrary. Combined with strong cloud security and regular checks for IT vulnerabilities, such an approach would be entirely desirable.
Another promising concept for protecting civil rights online is the so-called login trap. It can serve as an investigative tool that identifies suspects in a manner that respects fundamental rights and is oriented toward freedom. This would support both democracy and data security in equal measure, without losing sight of proportionality.
Conclusion - the Coalition Agreement on Internet Law and IT Security Sounds Promising
The new coalition agreement marks an important step for digital rights. It is also set to include a uniform interoperability obligation at the European level. The goals are broad: safeguarding communications secrecy, strengthening data protection and IT security, and ensuring end-to-end encryption. This makes the envisaged framework an important milestone, and not just for digitization in Germany. The many promising approaches to better IT security law give reason to hope that the coalition agreement will live up to its ambitions in practice.