It is easy for the police to access user data from the largest German Bitcoin exchange. Customers on the platform can expect far less protection than previously thought.
Stephan Jansen* is afraid. Since it became known that Germany’s largest online drug shop served up its customers’ data on a silver platter, he has been worried about his freedom. “If I get problems with the police now, I lose my job, my flat … then I lose everything,” says Jansen, who works as a senior employee in the chemical industry.
Jansen, like thousands of other users, had ordered from Europe’s largest drug shipping company, Chemical Love. The online marketplace, which has since been shut down, sent more than a hundred kilos of designer drugs, psychedelics and medicines to customers all over the continent.
However, the fact that Jansen’s name is known to drug investigators is not just a matter of negligent dealers and confiscated order lists. As Motherboard’s research shows, Jansen could only have come to the investigators’ attention through a company that he had previously trusted blindly: the Bitcoin marketplace Bitcoin.de. In at least eight cases, the company behind it, Bitcoin Deutschland AG, passed on sensitive customer data to the police in Hanover. According to court records available to Motherboard, the company handed the requested data to the police on mere request. Neither a letter from the prosecutor’s office nor a judge’s decision was necessary.
“I am speechless,” says Jansen today about the handling of the customer data at Bitcoin AG. “I thought this is a serious company and that my data is safe there,” said the man from southern Germany.
Bitcoin.de could well have rejected the request for information from the Hanover police. According to Johannes Caspar, law professor and data protection officer in Hamburg, there is a duty to hand over data only if the prosecution or a court asks for information.
Under the Money Laundering Act (AMLA), there is no legal obligation to pass on the data at the request of a police station, according to Caspar. Under the act, financial companies are obliged to report suspicious movements of money to the authorities, and not only, as is usual for firms in other economic sectors, once the public prosecutor’s office becomes involved. However, the addressee of such a suspicious transaction report under the AMLA is a special authority of the Ministry of Finance and not a police station. In addition, the obligation to report applies only if the companies themselves become suspicious, and not on the accusation of investigators.
Bitcoin.de defends its data policy to Motherboard by citing a “legal reporting obligation” that leaves the company no choice but to answer police inquiries positively. Only when asked again from which legal basis the company derives a duty, and not just an authorization, does the company spokesman emphasize the years of “trustworthy cooperation with different authorities.” Bitcoin Deutschland AG has so far not received any police inquiry that lacked a “justified interest”, according to Oliver Flaskämper.