MUNICH — It didn't take an Edward Snowden to figure out that American espionage service providers had access to confidential information about German citizens. It's been known for years that the Computer Sciences Corporation (CSC) works for American secret services.
It's also known that a former CSC subsidiary was involved in the abduction of German citizen Khaled el-Masri, who was turned over to the CIA and subjected to abuse and degradation before the agency finally admitted his arrest and torture were a mistake.
Nevertheless, German CSC subsidiaries have in past years received more than 100 contracts from state and federal governments in Germany, as Süddeutsche Zeitung and public broadcaster NDR reported last fall. The operative rule at the time was that only companies that were found guilty of crimes could be excluded from public contracts. So far, no CSC employee has been prosecuted for the abduction of el-Masri. Per se, working for the U.S. intel agencies is not punishable. So Germany's federal government tied its own hands over the issue.
But according to research conducted by NDR and Süddeutsche Zeitung, Germany's black-red "grand coalition" government has now tightened the rules for awarding sensitive public IT contracts. In cases of doubt, suspicious companies will now be excluded from such contracts. And companies now have to sign documents to the effect that no contracts or laws oblige them — nor can they be coerced — to pass on confidential data to foreign secret services or security authorities.
The new rule would seem to be aimed primarily at American companies. These companies, as numerous Snowden documents reveal, regularly pass on information to the U.S. spy agencies. At the NSA, a separate Special Sources Operations department deals with cooperation with "strategic partners," as agents call such companies. The companies say they are merely following the laws of the respective country, and so far this explanation has been accepted.
But since April, any company that cannot guarantee that foreign services or authorities will not obtain any of their data is being excluded from federal contracts in Germany. A spokesperson for the Ministry of the Interior said that the aim of the new rule is to prevent "the flow of data worth protecting to foreign security authorities."
Will there be a loophole?
But whether CSC also will be excluded from sensitive federal contracts is open to question. In January the German federal government let it be known that it saw "no reason [to change] our contract-awarding procedures" as far as German CSC subsidiaries were concerned. And yet CSC is part of the American shadow army of private firms that deliver low-cost and untransparent projects for the military and secret services.
The company was part of a consortium that was awarded the contract for the Trailblazer Project, which was supposed to develop a gigantic data vacuum to suck up information — very similar to the NSA's current spy programs. "Data are the next battlefield," reads one company prospectus. And CSC is apparently delivering the requisite arms for the battle.
It was CSC subsidiaries that, among other projects, tested the German Federal Criminal Police Office's "state Trojan" and supported the Ministry of Justice when it introduced electronic files at the Federal Supreme Court. CSC was also awarded contracts pertaining to the German government network through which coded communications from the ministries and various authorities flow. And CSC advised the Ministry of the Interior on the introduction of electronic passports, and is involved in the De-Mail project, which aims to securitize email traffic.
In April CSC won a (negative) "Big Brother Award."
The powers that be at CSC point to the fact that the German subsidiaries "have no contractual relation to the U.S. government." Business with American secret services is conducted by "a separate, independent business arm headquartered in the United States." But just how separate can the business of subsidiaries of the same firm really be? In any case, all company emails apparently go through the mother company's server.