A year ago this week, Edward Snowden started his leaks revealing that the NSA conducted mass surveillance of citizens across the globe on a scale and with a technological sophistication few had dared to imagine.

Germany has been at the forefront of pushing back against the violation of privacy rights of citizens by US spying. Last November, Berlin introduced a resolution on the "right to privacy in a digital age" at the United Nations. It decries the "negative impact" of "extraterritorial surveillance and/or interception of communications (…) on the exercise and enjoyment of human rights".

Call for global oversight

Thorsten Benner

The resolution calls on states to "review their procedures, practices and legislation" and to "establish or maintain existing independent, effective domestic oversight mechanisms capable of ensuring transparency, as appropriate, and accountability for State surveillance of communications, their interception and collection of personal data".

This January, responding to pressure (also from globally operating US digital economy companies), US President Barack Obama announced the "unprecedented step of extending certain protections that we have for the American people to people overseas."

He directed the director of national intelligence and the attorney general to develop these safeguards, "which will limit the duration that we can hold personal information, while also restricting the use of this information."

Better informed about NSA than BND

Almost half a year later, no measures to this end have been announced making the German government increasingly impatient. During his visit to Washington in May, German Interior Minister Thomas de Maizière stressed that he "would of course like to see concrete actions" on safeguards for foreigners. What de Maizière did not reveal is that Germany does not fare any better on this front.

Thanks to Snowden we know a lot more about the NSA than we do about the surveillance capabilities and practices of Germany's foreign intelligence agency, the Bundesnachrichtendienst (BND). However, what has since come to light about the agency gives reason for grave concern as a new study (in German) by the Berlin-based Privacy Project, three recent legal expert testimonies (in German) as well as information revealed during a lawsuit (in German) against the BND by attorney Niko Härting make clear.

The BND is authorized to collect "signals intelligence" from 196 territories (including the US, France and the UK). It uses keywords to filter Internet traffic. In 2010 alone, this led to 37 million messages being singled out and then "manually treated" (i.e. read) by intelligence officials. To this end, it routinely taps into data routed through the world's largest commercial Internet exchange point in Frankfurt. A significant part of that data is then traded with other intelligence agencies such as the NSA. Oversight mechanisms holding the BND to account are very weak.

Lack of legal and political oversight

Germany has no judicial review and solely relies on an under-resourced parliamentary control panel and an intelligence review board, the so-called G10 Commission whose members are appointed by the parliamentary control panel. While the G10 Commission has to endorse every single measure targeting German citizens, it does not concern itself at all with the mass surveillance of non-Germans.

Berlin justifies this by the fact that the protections of the German basic law do not extend to activities outside German soil (and for foreign data traffic routed through Germany). Leading lawyers regard this reading as unconstitutional also in light of the fact that Germany's Constitutional Court has ruled that protections afforded by the basic law are not tied to territory alone but the exercise of authority by the German government.

In addition, the government's legal reasoning violates the spirit of the UN resolution on digital privacy that was tabled by Germany. It also pulls the rug from under the feet of the German diplomats who have been increasingly vocal and effective advocates of digital rights, most recently at the NETMundial summit in Sao Paulo in April.

Reputation bomb

Germany's weak control of its intelligence agencies and the utter lack of safeguards for the rights of non-citizens is a ticking reputational time bomb that can explode in Germany's face any time.

The main parties in parliament and their leaders in government (especially Chancellor Angela Merkel and Vice Chancellor Sigmar Gabriel) should not wait for this or a ruling by the German Constitutional Court before they make good on their coalition treaty promise of "better parliamentary control" of the intelligence services.

There is a lot more to be done beyond the modest increase in staffers supporting the work of the parliamentary control panel that has already been agreed. There should be a public hearing of intelligence officials (like in the US or recently also in the UK). The parliamentary control panel needs to pay much more attention to global data collection activities of the BND and also direct the G-10 commission to take a closer look at these.

Everyone's a foreigner

There must be far stricter legal constraints on the bulk collection of data. To that end, the German government should press the BND to publicly justify the proportionality of its actions and whether there really is no alternative to participating in the "arms race" with other intelligence services toward ever more encompassing surveillance technologies (as evidenced by the recent BND decision to invest 300 million euro into real time surveillance of social networks).

What's more: Germany ought to clearly spell out what safeguards it affords to non-citizens (also with regard to the use of data acquired from other intelligence services). This is no easy task. But it is absolutely critical in order to move beyond the current practice where for all intelligence services non-citizens are (in the words of German journalist Georg Mascolo) "vogelfrei", i.e. beyond any protection of the law.

This is the only way out of the surveillance trap: In the digital world we all are foreigners most of the time since our data constantly travels through different jurisdictions. We shouldn't have to wait for a German Edward Snowden to come forward to lift the veil on the BND and shame the German government into action.

Thorsten Benner (@thorstenbenner) is director of the Global Public Policy Institute (GPPi) in Berlin.