9 August 2002
The Wall Street Journal, Augsut 9, 2002
By IAN JOHNSON and DAVID CRAWFORD
Staff Reporters of THE WALL STREET JOURNAL
HAMBURG, Germany -- It took Joachim Broers only 20 minutes to decide he wouldn't cooperate with one of the most far-ranging police sweeps in history.
The letter from the authorities rolled off his fax machine the morning of Oct. 18. It asked Mr. Broers's employer, the utility Hamburgische Electricitaets-Werke, to hand over all of its employee files so they could be searched for terrorists linked to the Sept. 11 attacks.
Mr. Broers sympathized with the request. At 51 years old, he is a typical product of postwar Germany, with its close ties to American culture and values. One of his hobbies is playing the blues on an old Fender electric guitar. He identified strongly with the U.S. in the days after Sept. 11. But his job is to make sure the Hamburg power company respects Germany's stringent privacy laws, which tightly limit access to company and government data. One of his favorite sayings is that "liberty dies by inches." Now he felt that liberty was under threat from his own government.
The police request was audacious. The goal was to feed the files the German government keeps on each of its 83 million residents into a computer and check them against a basic profile of the hijackers. People who met the profile -- men 18 to 40 years old, originally from the Arab world or central Asia -- would be checked against personnel files from universities and several thousand companies in "strategic" industries, such as airlines, utilities and scientific research. People who came up positive would be investigated as potential terrorists in the largest computerized dragnet ever attempted.
A week later, after getting approval from his company's management board, Mr. Broers wrote back to the police to say the Hamburg utility wouldn't comply. Similar defiance from thousands of other companies sparked a battle that has raged in Germany for nearly a year.
According to previously undisclosed government records, only 212 of the roughly 4,000 companies approached by the police agreed to hand over personnel records, even though they were under intense pressure to do so. Some corporate privacy officers went a step further, backing lawsuits filed by young Muslim men who sought to deny police access to government data.
The privacy fight has deeply affected Germany's war on terrorism. The decision by so many companies not to hand over records denied police one of the main pillars of the profiling effort. The struggle with the corporations also cost police large amounts of time and caused them considerable distraction. Originally scheduled to conclude in the spring, profiling has dragged into the summer, and some of Germany's 16 states won't finish until October -- in large part because of delays related to the privacy clash.
Police say they have drawn up a list of nearly 10,000 Muslim men warranting investigation. But so far, no arrests have been made based on the list. "If we had had more data, we might have been more successful," says Michael Gellenbeck, chief counterterrorism detective in the state of Brandenburg.
In the nearly one year since the attacks on the World Trade Center and Pentagon, countries around the world have struggled to balance security and civil rights, with the pendulum in the U.S. and many other countries swinging toward security. For Germans, the balance has been especially hard to find. Their country unwittingly harbored at least some of the terrorists who plotted and led last year's attacks, so public and government pressure is strong to root out accomplices. Police have searched dozens of apartments and detained numerous people for questioning, although only one suspect -- identified without profiling -- has been formally arrested.
But the country's past makes many Germans especially sensitive about information being handed over to the police. In the Nazi era, government files were used to identify Jews and others sent to their death.
In the 1970s, German police pioneered computer profiling to hunt down members of the terrorist Red Army Faction. But that investigation caused a backlash that led to Germany enacting the toughest personal data-protection laws in the world. Those laws bar, with rare exceptions, any institution from disclosing any personal information without the subject's permission. "We never again want someone to go through our files and evaluate us," says Mr. Broers.
To protect against government intrusion, German law requires any company with five or more employees who handle other people's information -- for example, a company that has a personnel office with a staff of five -- to designate one person as responsible for Datenschutz, or data protection. Federal and state governments also employ privacy ombudsmen.
The U.S. doesn't have comparable legal requirements. European Union countries have watered-down versions that don't require companies to appoint privacy officers.
Another reason Germans are so privacy-conscious is the paradoxical fact that their government collects a great deal of information about them. Unlike U.S. residents, for example, Germans have to register with police their address and telephone number, the people they live with and various other details. Each time they move, Germans must update their household registration with the police. Without an up-to-date registration certificate, it is difficult to open a bank account, get a telephone number or register children for school.
Wealth of Data
This wealth of computerized data gave German police an option last year that wasn't available to many other police forces. While U.S. authorities had difficulty locating those who had entered the country from suspicious countries, German police could find foreign students by cross-checking household registration and university registrar lists. The police could figure out the address of every man between the ages of 18 and 40 who was born in a predominantly Muslim country and has studied science or engineering -- a rough description of Mohamed Atta and some of the other Sept. 11 hijackers.
There was a danger of focusing on the numerous law-abiding residents who also fit these criteria. But German police decided that using variations on the profile would be the most efficient way to penetrate Muslim extremist circles, to which authorities previously had paid little attention. Conventional detective work last fall revealed that a "sleeper" cell in Hamburg -- seemingly innocuous students waiting for instructions from Osama bin Laden's al Qaeda network -- had helped organize the Sept. 11 attacks.
Shocked by the carnage in the U.S., German industry initially responded sympathetically last October to the sweeping information demands of Germany's Federal Crime Office, known by its German acronym, BKA. Among those targeted: electronics conglomerate Siemens AG, drug maker Bayer AG and Lufthansa, the country's biggest airline.
The group representing 740 utilities, including Mr. Broers's employer, endorsed cooperation. Dieter Diacont, security chief of the Association of German Electric Works and a 61-year-old ex-state police officer, says he told member companies to turn over files on some 160,000 employees. "You will be responsible if sleepers are found within your staff and you didn't seize the opportunity to find them," he recalls telling the utilities.
But many companies were skeptical. They feared bad publicity if they obstructed the investigation, but they also were wary of employee lawsuits if they gave personnel files to the police, according to industry officials. The issue is still sensitive, and most targeted companies, including Lufthansa and Siemens, refuse to comment on their role. At the Hamburg utility, Mr. Broers says he doubted that profiling would do much good. He reasoned that police could better use their time staking out radical mosques and hangouts of militant Muslims.
His company had been a pioneer in standing up for privacy when in 1979 it refused to hand over customer records to BKA officials hunting the Red Army Faction. The Hamburg utility's resistance triggered a nationwide backlash against profiling and helped force the resignation of the BKA's then-chief, Horst Herold, a profiling pioneer.
The earlier battle inspired Mr. Broers as a new employee at the company to take up privacy protection as his profession. He became an expert in the field and helped draft Germany's 1990 national privacy law, which codified the categories of data that are protected. He says he concluded that the law allowed the BKA to obtain employee records only when investigating a specific person. The BKA hadn't identified suspects. Was every young Muslim man to become a suspect? The notion made him uneasy.
"What happens," he says, running a hand through his thinning red hair, "is that everyone becomes scared due to a crisis, so they agree to these kinds of extraordinary measures. Then it takes a very long time to roll back the state's power." The utility's directors agreed with Mr. Broers on the limits on the BKA's authority to trawl through company records for unnamed suspects.
Mr. Diacont's office at the trade association, which coordinated power-industry responses, was flooded with refusals to cooperate with the BKA. Power companies, he says, "were going crazy," worried they could be sued by employees.
In response to defiance from utilities and other industries, the BKA retreated, telling targeted companies in late October that cooperating with profiling would now be voluntary. Companies could determine for themselves if they might be infected by Muslim extremism and invite the BKA to search their files.
Some power companies complied. Energie Baden-Wuerttemberg AG had hesitations about handing over information on its 45,000 employees but felt that it had no choice, a company official says. "We had to abide by the law," he adds.
The electric companies weren't the only ones resisting the BKA effort. The police agency sent form letters in October to Germany's leading scientific research institutes, arguing that the "unprecedented brutality and unscrupulousness" of the Sept. 11 attacks justified broad profiling. "To use every chance to discover these criminals and the criminal circle, we rely on your participation," the BKA added.
One institute, which relies on government contracts and asks for anonymity, politely rebuffed the BKA. "We have concerns about passing on the personal data of our employees without their agreement," the institute told the BKA. Several others, such as a geological-research center in Potsdam, also refused.
The BKA was also battling privacy officials employed by some state governments. Some of these officials advised Muslims who opposed profiling to sue the BKA to deny it access to their household-registration and university files. "It's annoying when you're a suspect because of your race or religion," says Firas al-Khalas, a Muslim computer student who lives in the eastern German city of Cottbus. Mr. al-Khalas, who says he is from the Mideast but won't identify the country, sued in state court in Brandenburg.
The suits -- 16 in all -- led to a series of crucial defeats for the BKA. On Jan. 15, a local court in Berlin ruled that computer profiling violated state privacy laws. That was followed on Feb. 6 by a similar state court decision in the state of Hessen. Two days later, the supreme state court in North Rhine Westphalia, Germany's most populous state, struck down profiling for all but foreign students, although police there had already completed much of their work.
Two of the rulings were reversed on appeal, but Hessen's was not. Frankfurt, which is in Hessen and is both Germany's financial capital and home to a thriving radical Islamist scene, was exempted from profiling.
The suits slowed the momentum of the profiling effort and attracted negative publicity. They also caused some companies to think twice about cooperating, according to industry officials.
By late spring, police had collected all of the data they were going to get. Except for Hessen's six million residents, police gained access to all residency files and most university files. But the BKA acknowledges that the 212 companies that complied amounted to only about 5% of those targeted. Bayer, which employs 49,000 in Germany, was one of those that refused.
By and large, the companies that participated have close government ties. Police documents show that most of those cooperating -- 177 -- were utilities. Lufthansa, which is government-owned, also provided files to the BKA. It couldn't be determined whether Siemens cooperated.
By summer, months after the effort was supposed to have been completed, the computer programs had been run and police had drawn up their list of nearly 10,000 young Muslim men. Names were distributed to state police forces for individual investigation.
In Brandenburg, which has 2.5 million residents, a search of government residency files produced 27,000 initial "hits," says Mr. Gellenbeck, the state's chief counter-terrorism detective. Additional "filters," such as whether subjects had received flight training or worked for a sensitive research institute, reduced the number to 188. State police then conducted weeks of interviews, wiretaps and stakeouts to investigate the suspects, says the detective. None of them turned out to be terrorists. Similar procedures in other states reached similar results.
Police say the profiling effort was worthwhile. It "helps me decide where to allocate my manpower so we don't waste time investigating the wrong people," says Andreas Croll, head of an investigative unit with the Hamburg police.
Mr. Broers and other privacy advocates counter that the lack of arrests demonstrates that profiling is an intrusive distraction. Corporate resistance, Mr. Broers says, helped protect the civil liberties that separate democracies from authoritarian states that foster terrorism.
Write to Ian Johnson at email@example.com
Updated August 9, 2002
Copyright © 2002 Dow Jones & Company, Inc. All Rights Reserved