What is worse: intelligence services gathering data without any legal basis or secret services operating within a legal framework that allows them to obtain vast amounts of personal information? This is the key question regarding Germany’s surveillance apparatus, as a new law regarding its foreign intelligence agency, the Federal Intelligence Service (BND), was passed through parliament on Friday 21 October.

Following the 2013 uncovering of the mass-scale surveillance by America’s National Security Agency, including details of the tapping of German chancellor Angela Merkel’s phone, there was a sense in German public debate that secret services were out of control. In early 2014, a parliamentary committee was established in the national chamber of the Bundestag to investigate the scale of surveillance activities of foreign intelligence in Germany. Attention soon shifted to the role of the BND, after former NSA employee Thomas Drake called the agency “an addendum appendix of the NSA” in his testimony to the committee in July of that year.

While the German government began the process to reform the legal framework of the BND, the governmentally-appointed officer for data protection and freedom of information took a closer look at the work of the service’s telecommunications unit in the southern town of Bad Aiblingen.

What it found was remarkable: across 60 pages, the expert report from March 2016 listed legal breaches by the BND. Although the intelligence service had been “repeatedly and heavily obstructing my work”, the officer was able to gain a picture full enough to pinpoint 18 “serious transgressions” and submit 12 official complaints, which, according to the investigative tech-blog Netzpolitik.org, is a record unrivalled by any governmental office in Germany to receive at one point in time.

Netzpolitik.org also made public the “top secret” labelled report in September.

Surveillance-critical civil society in the country may have been hopeful to see the intelligence service face consequences for past transgressions and future limitations for its activities. They were in for a surprise, though, as the BND law put forward in June this year proposed to legalise all surveillance activities that had thus far been taking place and further expand their scope additionally. The new law allows the foreign secret service thus-far illicit in-country surveillance.

In theory, any German-to-German communication would have to be excluded from surveillance, but two independent reports by experts, including one by Chaos Computer Club, found that online traffic does not carry a clearly discernible nationality. The constitutionally stipulated freedom of privacy of communication suddenly appears less convincing. It also follows that any non-EU national is not considered bearer of fundamental rights enjoyed, on paper, by anyone living in Germany, as all electronic communication including at least one foreign-based party can now be analysed and stored for up to six months, including all metadata. This will include foreign journalists and the sources they are in contact with. The previous 20%-rule, whereby the BND was limited to only intercept and analyse so much of the traffic available, was lifted altogether. The extended competencies were not left without a new and grand mission: surveillance can now take place to reap “insights into foreign and security policy [which] may be of relevance”.

Senior investigative journalist David Crawford spoke to Index on Censorship about an opportunity missed in the sense that the “legislative process had not been used as a forum what intelligence services should do but…to legalise practices that were already going on”. A “silent consensus” across the grand coalition seemed to exist and it appears that policy-makers close to the intelligence services had successfully dominated the reform process and delivered a law tailor-made for the BND.

Although the result may be unsatisfactory Crawford said that, in the German context, it was generally “positive to write down the rules of behaviour” for a practice that have been ongoing for decades and employed by more resourceful intelligence services worldwide. While especially the aspect of information sharing between foreign secret services appears worrying to Crawford, the investigative journalist points out that this professional group never had any “real protection, they are treated like any citizen” under German law. Thus, he emphasised that no journalist should pass the responsibility for safeguarding his or her sources to the state law or EU regulations: “It is up to the person to get the training they need, to put a lot of thought into how they can do this without somebody getting hurt”.

While extensive electronic surveillance by multiple states has to be reckoned with, regardless of a legal basis for the practices, the journalist should employ the right kinds of “tricks of the trade” to make sure that any whistleblower who helped uncover a story will, under no circumstances, suffer: “a lot of the time it is just going out meeting people, not using the phone, not even using the mail…I figure out a way to meet them, knocking on people’s doors or meeting them in a supermarket or somewhere, where you are unlikely to be monitored and they would feel a lot more comfortable talking…Use less technology, use a pencil, cite documents rather than announcing you have a whistleblower.”

According to Crawford, the lack of investigative journalism in general and the unawareness of some journalists engaging in serious investigative projects may be at the root of a sloppiness with the more time-consuming methods that the job requires in a reality of surveillance.

However, civil society activists maintained a responsibility of ethics reflected in legislation and protested with petitions and a solemn vigil on the evening prior to the final vote. As the law was being passed on the morning of Friday 21 October, the former liberal justice minister Sabine Leutheuser-Schnarrenberger announced constitutional charges against it. Meanwhile, the German intelligence service has other legal cases pending against it: the worldwide largest data transmission exchange business based in Frankfurt, DE-CIX, is seeking to get a “judicial review for the practices of telecommunication surveillance” for its customers. Another lawsuit filed by the German branch of Reporters Without Borders in June last year is based on the office for data’s annual report for 2014 and is seeking to defend all journalists and their sources against the transgression of the privacy of communication as an attack on press freedom.