In Germany, there is these days (again) a discussion about whether the German State shall buy data about fiscal fraud. There is someone from Switzerland who offers illegaly obtained data about German citizens who have transferred illegal earnings to bank accounts in Switzerland, not paying taxes for this. Germany some months ago has bought such data about bank accounts in Liechtenstein, to identify fiscal fraud and to penaltize this.

That leads to some highly interesting questions, and there is a political debate about whether to do that or not. It is obviously illegal to buy stolen goods in the knowledge, that they have been stolen. Data is amongst these goods, for sure. It is highly questionnable whether actions of the attorneys based on such data are legal - I doubt this and I'd expect that the German Federal Constitutional Court will accept this once the first law suits about this are brought to him. Thus it might end up with that any penalties against this fiscal fraud aren't permittable being based on invalid evidence (or evidence derived from invalid evidence, because the data will allow the attorneys to request the account detail from the swiss banks - it just provides a list of accounts as a foundation for follow-up queries). It might also occur that several of these accounts aren't about fraud - and again, that it might show up to be illegal to do such mass queries based on too little evidence. And: Buying stolen goods (in case you know that they have been stolen or that you have to assume that they were stolen) is under penalty. Thus, the people deciding on doing that are definitely acting against the law and might be penaltized. That will be up to the courts to decide about.

But there is another interesting point about that: The German government recently strengtened the laws regarding the responsibility of organizations to avoid data leakage. On the other hand, they are considering to support people who steal data, e.g. showing that at least some form of data leakage appears to be positive. That is contradictory. And: Where is the borderline? Will it be tolerable to do this with data which might unveil corruption in governmental institutiony by unveiling data about financial transactions? Will it be tolerable to sell lists of specific types of criminals being released to freedom after their imprisonment to local newspapers, so that they can information the neighbourhood about potential dangers? And for what type of criminals? The problem is: Like in most situations, there is not only good or bad, but something in between.

But, most importantly: A state can't act against its principles and laws without becoming condemned as not trustworthy. There are so many situations in which a state has to decide between principles and thing which might be desirable. It might be desirable to raisen the imprisonment in some cases beyond what law allows to - but it isn't done. And if you look at the discussions about to what degree a state can and should monitor its citizens to protect against terrorism, we all are familiar with that discussion. And, honestly: The terrorism thing is at another level than the tax thing, and even there we have to carefully thing about the fine line between the expected protection of citizens by the state and a surveillance society which ends up like Orwell has described a pretty long time ago.

Overall, even while tax fraud is illegal and has to be prosecuted and penaltized, the question is whether the German Government should ignore fundamental principles in that case. From my perspective, there can be only one answer: No. It might be popular - it is about wealthy people (jealousy), it is about being a honest tax payer (anger),... From the governmental perspective, it is about the permanent lack of money. But especially in Germany, over the last years many principles of data privacy have been spoilt, especially for a better tax control. We are far closer to a surveillance society than most people have feared in the 70s or 80s of the last century, when there were a lot of debates about that.

Thus, there are too many reasons not to buy that data. The credibility of the government, the trust in laws (if the state can ignore them - why should the citizen act according to them?), the contradictions regarding Data Leakage Prevention and Privacy Laws, the legal issues (can a citizen be penaltized for doing something the government isn't penaltized for?). Even while it might hurt to know that there is tax fraud (which we all knew before) there have to be other solutions for that problem than buying stolen data.

Another point to note: That case highlights once again the insider problem - data leakage prevention has to start inside the systems, and even then some people with sufficient access rights might be able to steal data. Thus, some solutions at the diminishing perimeter don't really help - it's about authorization strategies and policy management as holistic approaches to reduce that risk.