Category Archives: Security

Germany Automates Hackback and Disinformation Tools as AfD Nears Power

The German BMI has published a 691-page Referentenentwurf (5 July 2026, currently in interministerial coordination, with stakeholder comments requested) that rewrites German intelligence law from the ground up: a new BVerfSchG, a new BNDG, and a standalone statute for the Unabhängiger Kontrollrat (UKRat) for the first time, plus sixteen amendments to laws from the Vereinsgesetz to the Abgabenordnung.

It makes some very strange moves. I’ll go through a few here.

Whoever drafts this is drafting a toolkit on the assumption the AfD will never hold the Innenministerium. They are standing up a domestic deception-and-intervention license, with oversight consolidated into a single body whose pre-approval the agency head can defer on self-certified urgency. I said defer, yes, technically not a bypass, because the order lapses if unconfirmed. But come on people, in a covert fire-and-forget the whole oversight bureaucracy becomes meaningless: false information already injected and data deleted are galloping horses after a barn door was left open. The AfD are probably already strapping on their spurs in anticipation.

Germany currently has a Kremlin-aligned Nazi-adjacent party at or near the top of federal polls. The Weimar lesson for anyone paying attention, precisely stated, is not that the state was too weak or too strong, it’s that defenders of the constitution built instruments that were handed intact to its enemies. The Gestapo didn’t build the Prussian political police; it inherited it via Preußenschlag.

Vor allem die Polizeipräsidenten werden ausgetauscht. Hitlers SA- und SS-Mannen haben keinen Grund mehr, die preußische Polizei zu fürchten.

EN: (It is primarily the police chiefs who are being replaced. Hitler’s SA and SS men no longer have any reason to fear the Prussian police.)

The engineering failures of this document are what make the risks of inheritance catastrophic. A well-instrumented system constrains anyone and everyone using it. We always used to call it hard to use wrong, easy to use right. The BMI document is fail-open, like a loaded weapon handed out with the safety filed off and a rainbow colored “do no evil” sticker on it.

Look at the new “efficiency” claims, for example. On paper it looks like there is oversight because the draft extends pre-approval to more measure types and even keeps the BfDI’s name on a section header. However, oversight means redundancy, and there’s none of that. Three independent overseers (G10-Kommission, BfDI, UKRat) compress into a single one. The G10-Kommission, created in 1968 as the constitutional price of restricting Art. 10, is simply gone, its elimination booked as budget savings. Redundant, overlapping overseers are the spine of oversight, meaning the opposite of a waste: they are upstream investments that cross-check each other and can’t all be captured or starved at once, which prevents downstream costly disasters. When your internal and external auditor are the same person reporting to themselves, you are talking Enron (I managed a five-state Computer Risk practice at Arthur Andersen, I can tell you all about it). The draft has a single body funded at just €8.86M a year to control an apparatus spending €269M a year on BfV IT operations alone. Thirty to one, capability to control, as if to say control can be devalued when it’s the valuation lever on the capability. Penny wise, pound foolish.

Look at the history of Germany, for another example. The Trennungsgebot exists because of the Polizeibrief and the Gestapo precedent, where an agency both watched and acted, covertly, without judicial process. This document has zero mentions of Gestapo, Stasi, or the historical rationale for keeping separation. The draft cites only post-2013 BVerfG doctrine, as if the principle were a data-protection technicality rather than a lesson in history called “never forget”.

Perhaps the most peculiar move of all, even more than Germany refusing to acknowledge Nazi precedent, is that automated hackback is justified with “human review adds no relevant quality assurance.”

Ein Zwischenschritt menschlicher Bearbeitung leistet hier keine relevante Qualitätssicherung, verzögert aber Abwehr erfolgsgefährdend.

EN: (An intermediate step involving human processing provides no relevant quality assurance here, yet delays the response to a degree that jeopardizes success.)

That’s backwards, per the canon of hackback and per automation safety. Horseshit, in a word. Adversaries who map an automated response own it: learn the trigger conditions and you can redirect state countermeasures into friendly fire. The draft gestures at quality (accuracy, robustness, cybersecurity, criteria lifted from the EU AI Act while exempting itself from the EU AI Act) and has no quantification. No error tolerance, no attribution-confidence threshold, no third-party-harm analysis, nothing. The automated measures themselves, traffic redirection and data deletion, are placed in a shared-infrastructure category where misattribution costs hit innocent bystanders: “attacker” data wiped on a compromised host, and a victim’s server just got destroyed. These are very, very old talking points in hackback that get zero attention: we litigated this on my blog in 2013 and yet the draft adopts the losing side without the debate. The scope limitation to cyberattack contexts is in fact the shared infrastructure, contested attribution, and machine-speed response. That’s automation in the wild west where you want it the least.

Notably, the word Desinformation is used only to describe adversaries (e.g. Russia), never German measures. When the domestic intelligence service does it (§ 60(2)(1)(c), feeding false information through informants into networks to steer behavior) it gets branded “Schutzmaßnahme” instead. But it’s the same thing. This reminds me how way back before there was a Bundesrepublik, Nicolai’s Abteilung IIIb ran Desinformation as Aufklärung. When the euphemism appears here I see a domestic deception charter, license to perform disinformation, for the agency whose remit is observing political movements.

Germany just wrote state disinformation into statute. Germany. Of all places. Germany.

Back in 2012 I openly led hackback around the world, and I even gave a 2023 lecture titled “The Heaviest of Burdens: Hackback” at the National Security Seminar, William and Mary Law School. Somewhere around here I have the gun club t-shirt to prove it. I’m not the typical civil liberties voice here, in other words. As a long-time leading hackback advocate, although arguably a salty dog, this document smells like malpractice.

Fight the anti-constitutional party through the public, judicial instrument built for exactly this, Article 21, precisely so Germany never again needs a secret political police. Right? Is this thing on? In 1932 the judicial remedy failed because it arrived after the apparatus changed hands. The transparency of well-engineered fail-safe instruments is what survives hostile takeovers, while the rushed self-certified covert stuff like this always gets studied later as a blunt takeover instrument.

Santa Cruz City Defeats Sugar Industry in State Court

It’s a good day to be a kid in Santa Cruz, California. The city has won a court case rejecting an industry attempt to overturn a public vote.

“This ruling affirms the City’s authority as a charter city to implement a thoughtfully crafted local measure that addresses local health concerns, generates local revenue, and was approved by City of Santa Cruz voters,” said City Attorney Cassie Bronson. “We are pleased with the court’s well-reasoned analysis and appreciate the careful consideration given to the legal issues presented in this case.”

The Sugar-Sweetened Beverage Tax was approved by Santa Cruz voters to generate general revenue for the City, with an eye toward funding services and programs that contribute to community health and wellbeing.

The more harm to citizens, the more money the sugar industry made, which was being spent on doing more harm and blocking safety measures. The sugar industry basically argued that predators could not be regulated by victims. Santa Cruz applied a common sense general revenue tax, with proceeds directed toward services and programs that address the public harms from sugar.

To be clear, the sugar industry wrote state law and then sued the city with it, and lost. In 2018 the beverage industry qualified a statewide ballot initiative requiring two-thirds supermajorities for nearly all new local taxes, then withdrew it in exchange for California lawmakers passing a law to preemptively ban local grocery taxes until 2031, including a provision withholding sales tax revenue from any city imposing one even if a court found the tax valid. A 2023 state appeals court ruling struck this bonkers revenue-withholding provision as unconstitutional, which opened the door for Santa Cruz offering a Measure Z.

The plaintiffs against the city were a national association of sugar drink brands, joined by the California Grocers Association, California Hispanic Chambers of Commerce, California Alliance of Family-Owned Businesses, California Chamber of Commerce, and California Fuels and Convenience Alliance They filed suit in May 2025, after the American Beverage Association had poured almost $2 million into their eat-shit-and-die campaign against a tiny city’s local public health measure.

Early 1970s science predicted dangers from sugar consumption, yet the industry silenced critics and steamrolled the U.S. into mass consumption causing national levels of harm with skyrocketing costs of healthcare.

Yudkin, Professor of Nutrition and Dietetics at the University of London from 1954-1971, published Pure, White and Deadly in 1972 warning of sugar’s role in heart disease and metabolic harm. This is Yudkin’s book Contents from his 1986 edition:

The industry response to silence him is well documented: the Sugar Research Foundation secretly funded deflection research, as exposed in a 2016 JAMA Internal Medicine analysis of internal industry papers. The professional isolation of Yudkin himself is a matter of record in the publication timeline of his own book, out of print for decades before its 2012 reissue.

Santa Cruz voters simply moved in 2025 towards what should have been enacted in 1975.

California Bans Food “Sell By” Labels

Well, there goes my steep discount on perfectly fine food. I often get 30% off or more buying “sell by” dairy products. It’s a strike signal for me, yet for others it’s the opposite. Reducing confusion makes sense when you look at the colossal amount of waste it has generated. And my favorite part of this story is the conclusion.

With no federal regulations dictating what information labels should include, the stamps have led to consumer confusion — and nearly 20% of the nation’s food waste, according to the Food and Drug Administration. In California, that’s about 6 million tons of unexpired food that’s tossed in the trash each year.

Nate Rose, a spokesperson for the California Grocers Association, said some grocers have had to overhaul their labeling systems, but as a whole, the association has been supportive of the change.

The new labels will result in “a win-win where we can reduce food waste and consumers will find these decisions a little bit simpler,” he said, adding that shoppers will still find old labels in stores for months to come as grocers sell through the products that already have them.

He is talking about a stamped exact date as if it’s just a vague process that runs for months on its own. That alone exposes the complete mess of “sell by” label management.

German Court Hears Bavarian Police “Pre-Emptive” Search Case

Interesting to note a coalition of left wing groups brought the suit against the police powers, even though right wing politicians are who could be put under surveillance.

Judges in Karlsruhe opened a two-day hearing on Tuesday into the state’s 2017 and 2018 changes that expanded police powers in cases of a merely “impending threat.”

The law lowered the threshold for action in cases involving threats to state security, life and health. It allows police to use tools that include covert searches of phones and computers, undercover officers, drones, and surveillance to determine whether a concrete threat may emerge.