Fear of A Data Octopus – New Police Software Put to The Test


A look into networks of suspects with one click: That’s what new software is supposed to make possible, first for investigators in Bavaria, then possibly in other German states. Data protection advocates are alarmed – also because of the provider. Munich is now taking an unusual approach.

One name, one click, one network: If experts from the Bavarian State Criminal Police Office are investigating a serious crime, they will in future be able to find everything the police know about the suspect in just a few seconds. Car accidents, addresses, parents, previous crimes: The Inter-Procedural Research and Analysis System (VeRA) is supposed to search all police data and display connections as a network. Because of different data formats, investigators have had to do this themselves, sometimes with a printer, paper, needle, and thread. This wastes valuable time.

But it will take at least until the beginning of next year before VeRA runs its first search in Bavaria. That’s because data protection advocates are alarmed about the new police program – and the state government wants to ensure that the provider of the five-million-euro software can’t siphon off any sensitive data.

Through a purchase option in the contract, the program could also be used in other states and at the federal level. Baden-Württemberg and Bremen are considering a purchase, and Hamburg is interested. Mecklenburg-Western Pomerania does not want to rule out an investment. Hesse and North Rhine-Westphalia already use similar software from the same provider under different names (Hessendata and DAR).


But by the end of the year, the Fraunhofer Institute for Secure Information Technology in Darmstadt, Hesse, will first review the program’s source code. “This is not a normal procedure,” says Michael Lutz, VeRA project supervisor at the Bavarian Ministry of the Interior. “We wouldn’t have to do that. But the program won’t go live until we’ve done everything humanly possible to prevent a data leak.”

The Origin of Palantir

Skepticism about the vendor, Palantir Technologies GmbH, stems from two sources. As a startup, the company’s U.S. parent received money from the U.S. foreign intelligence agency, the CIA, which later became one of Palantir’s customers. In addition, the company, named after the seeing stones in the “Lord of the Rings” trilogy, was founded by controversial tech billionaire Peter Thiel. He, in turn, helped finance the election campaign of former President Donald Trump and other US politicians, some of whom are far to the right politically. In the past, current German Interior Minister Nancy Faeser had also criticized a Palantir contract – at the time as vice chairwoman of the Hessian SPD state parliamentary group. A spokeswoman for the Interior Ministry did not answer whether this attitude has changed. She said it had “not yet been decided” whether the Federal Criminal Police Office and Customs would buy the new Palantir program. States such as Rhineland-Palatinate, Lower Saxony and Brandenburg, on the other hand, have made it clear that they will not buy the software for the time being. Fears such as those voiced by Martina Renner, the domestic policy spokesperson for the Left Party in the Bundestag, that Palantir could use the program to divert data to the U.S. are “in the realm of myth-making,” emphasizes VeRA project supervisor Lutz. After all, he says, one of the ways the company earns its money is by processing data for security agencies. Leaks would make this business model impossible.



However, according to the top data protection official in Bavaria, a change in the law is also necessary for the use of VeRA. “Based on the current law, this is not possible,” says Thomas Petri, the state commissioner for data protection. “This is a significant encroachment on fundamental rights. The legislature has to legitimize it.”

Purpose Limitation Principle

He was concerned that VeRA was accessing large amounts of data that had never been collected. The Federal Constitutional Court, he said, has stipulated that police may only use data collected for a specific purpose as a matter of principle.

“This software is designed to override that purpose limitation principle,” Petri said. “Legislators must ensure that the software is only used in existential emergencies – for example, through a judge’s proviso.” Otherwise, VeRA could eventually also automatically read out data from car accidents during investigations after burglaries so that police can investigate more quickly. According to the Bavarian Ministry of the Interior, VeRA will only be used in investigations of serious crimes – for example, terrorism and murder, but also gang theft and child pornography. This would also mean that there would regularly be a valid reason to use the data for another purpose. However, investigators should then be able to search not only for connections between crime suspects but also for data and networks of “victims, witnesses and other participants” “if the legal requirements are met.”


According to Petri, Hesse and North Rhine-Westphalia, where police already use Palantir software for investigations, have changed their laws for its use. “But there, I made it clear that these changes are not enough for me,” Petri stressed. After the contract was awarded to Palantir, Bavaria’s Interior Minister Joachim Herrmann (CSU) announced that VeRA would not be used until the Interior Committee of the state parliament had “expressly approved” it. However, an amendment to the law would have to be passed in the plenum. The Ministry of the Interior in Munich believes that data protection is guaranteed with VeRA. According to project supervisor Lutz, investigators would have to enter the legal basis on which they use the software for each inquiry. “That’s all logged.”