Matthias Monroy

With the temporary exception of the Federal Police, all German police agencies and secret services are now allowed to hack into computers and telephones. This is an extremely deep invasion of privacy

On 10 June, the Bundestag massively expanded the use of state trojan horse programmes. A bill on the “adaptation of the law on the protection of the constitution” was put to the vote, which the MPs adopted with 355 votes of the ruling coalition factions CDU/CSU and SPD. According to the bill, the domestic intelligence service will now also be allowed to penetrate foreign computer systems with the help of spy software. The parliamentary groups DIE LINKE, FDP, Bündnis90/Die Grünen and AfD voted against; the SPD voted five against and three abstained.

The bill “to modernise the legal basis of the Federal Police” was also passed by the CDU/CSU and SPD against the votes of the opposition. This would have allowed the Federal Police to infiltrate computers and mobile phones, just like the Office for the Protection of the Constitution, without the persons concerned having to have committed a crime. A week ago, the upper house (Bundesrat) overturned this new law for various reasons, so the next federal government will have to deal with it again. The renewed Constitutional Protection Act, on the other hand, remains valid.

Online searches and source tapping

Until now, only the police authorities and the customs investigation service were allowed to use trojan horse programmes for criminal prosecution. The Code of Criminal Procedure (StPO) allows their use in § 100b as a so-called online search, the prerequisite being a prior court order. The authorities can then access the entire computer of the target person, search the file system and copy documents, photos or videos. In the case of state police forces, this intervention must be permitted in the respective state police laws. In some Länder this is already the case, others are currently renewing their police laws accordingly. The Federal Criminal Police Office (BKA) also conducts online searches; according to the BKA law, this may also be done in cases of terrorism for so-called danger prevention.

Allegedly, online searches are only actually carried out in very few cases. More common, however, is the use of so-called source telecommunication surveillance (“Quellen-TKÜ”), which is regulated in criminal law in § 100a StPO. It is only intended to monitor ongoing communication on the user’s device, i.e. to take screenshots of chat histories or to enable the interception of audio and video telephony. With the source tapping, in principle the same trojan programmes are used as are used for online searches. Therefore, the permission according to § 100a StPO is misleading, because it otherwise regulates the well-known interception of communication on the wire. The use of a state trojan, on the other hand, is a “clandestine digital burglary of an IT system”, as the Chaos Computer Club described it five years ago in a statement on the BKA law.

The Federal Supreme Court had already formulated it in exactly the same way in 2006. First, the 3rd Senate ruled that the online search of an accused person without his knowledge was considered to be covered by section 102 of the Code of Criminal Procedure. The section regulates house and flat searches. The 1st Senate subsequently overturned the assessment, since an open search is carried out in the presence of the person concerned or witnesses, but an online search is carried out without their knowledge.

Secret access or unsuspecting download

Infection with a state trojan can occur in several ways. The authorities can gain surreptitious access to the home of the target person and download the malware from a USB stick onto the respective computers or mobile phones. The method is also known to be used at border controls, where the persons concerned are separated from their luggage for a short time. Another common method is to send an email with a disguised malware program in the attachment. In this case, however, the recipient must be tricked to click on the file in question.

It can therefore be easier to lure the target person to manipulated websites. There, the devices used for surfing are infected with a so-called drive-by download without any action on the part of their users. However, this is only possible if the authorities exploit a previously unknown security hole in the operating system. The whistleblower Edward Snowden, together with journalists, had revealed that secret services invest a lot of money to buy such “zero-day exploits” on the black market. However, the state should actually ensure that vulnerabilities are closed in order to protect its citizens’ operating systems, email programmes or browsers from hacker attacks. The fact that these are not reported to the manufacturers for repair, but are used to plant state trojans, is therefore one of the main criticisms of many civil rights organisations and companies in the field of computer security.

Not only secret services and police forces in supposedly democratic countries profit from “0days”. Manufacturers of trojan programmes, including the German companies FinFisher GmbH and Rohde & Schwarz, are known to sell to countries such as Bahrain, Egypt and Turkey. There, the trojans can be used against journalists, human rights defenders or other undesirable persons. With the new Constitutional Protection Act, however, this also applies in Germany. Now that the state trojan has been released for all intelligence services, the secret investigative tool can also be used there to monitor political opinions.

Comments on the inclusion of state trojans in the Constitutional Protection Act and the Federal Police Act:

• In February, SPD party leader Saskia Esken had still assured that she would not support the state trojan for the Federal Police “in any case preventively, i.e. not below the threshold of the Code of Criminal Procedure”. By her own admission, Esken also did not want it to be used by the Office for the Protection of the Constitution. The SPD politician received support from the Jusos, who publicly asked “why, in this political phase shortly before the end of the legislative period, we should still agree to a compromise with the CDU/CSU parliamentary group that would cause massive damage to our party […]”. In the end, Esken stayed away from the vote – allegedly due to illness – and wrote on Twitter, “I continue to think the decision to use state trojans is wrong, especially in the hands of secret services”.
• In the run-up, numerous organisations and experts had criticised the deep encroachment on fundamental rights and thus unconstitutional. In a joint open letter, internet companies such as Google and Facebook, together with German providers, the Chaos Computer Club, industry associations and other companies, spoke out against state trojans for the Federal Police and the Office for the Protection of the Constitution. The signatories rejected the planned active duty to cooperate in spying on their own customers and demanded the introduction of technologies for secure encryption.
• In the Bundestag debate on the vote, FDP interior expert Stephan Thomae accused the CDU/CSU and SPD parliamentary groups of “surrendering civil rights without necessity” and warned of an increased security risk if IT security gaps are exploited for state trojans. Konstantin von Notz, a member of parliament for the Greens, also stated that “what they are doing here is a massive security problem”. Irene Mihalic, the Green Party’s spokesperson on domestic policy, accused the SPD of “pomposity”, saying that the parliamentary group had “completely fallen over”.
• The Left Party MP André Hahn criticised the Constitutional Protection Act as unconstitutional; that internet services should actively assist in infecting the computer systems and terminals of their customers, Hahn called a “forced aid to state hacking”.
• The conservatives justified the general attack on secure telecommunications with the adaptation of the constitutional protection “to technical conditions”, as CDU MP Mathias Middelberg put it. “A good day for security in Germany,” commented CSU MP Michael Kuffer.

Timeline on the German use of trojans:

• In 2005, the then president of the Federal Office for the Protection of the Constitution (BfV) asked Interior Minister Otto Schily (SPD) to be allowed to use state trojans. At that time, online investigations are said to have already been carried out by means of secret official instructions.
• In 2006, North Rhine-Westphalia is the first federal state to introduce trojans for the secret service; two years later, the Federal Constitutional Court (BVerfG) upholds a constitutional complaint against it.
• In 2007, the Bavarian state government announces a draft law on online searches in the area of law enforcement, but it fails in the Bundesrat. In the same year, the BKA is said to have contacted the US FBI to learn about state trojans.
• At least since 2008, Bavaria has been using a state trojan from the company DigiTask from Hesse.
• In 2008, the BVerfG postulated a “fundamental right to guarantee the confidentiality and integrity of information technology systems”. According to this, eavesdropping on or reading internet communication is an encroachment on the inviolable secrecy of correspondence as well as the secrecy of post and telecommunications.
• In 2008, the BKA initiates a trojan roundtable with police forces from Baden-Württemberg, Bavaria, Switzerland, Belgium and the Netherlands.
• By 2009, state and federal authorities allegedly conduct online searches 35 times a year.
• In 2011, the Chaos Computer Club publishes an analysis of the source code of a software for source tapping under the acronym “0zapftis”. The malware originates from the Hessian company DigiTask and is referred to as the “Bavarian trojan”, as the underlying infection is said to have occurred in 2009 during a baggage check by the LKA Bavaria.
• In 2012, the BKA buys an annual licence for trojans from the British company Gamma/Elaman via the German intermediary FinFisher.
• In 2014, the BKA has two trojans programmed by itself for online searches and for source tapping as well as a “temporary solution” from the British-German company Gamma International.
• In 2016, the BVerfG judges the use of state trojans to be unlawful according to the BKA law. The online search could be permitted for the office, but it had to refrain from capturing highly personal information or filter it out afterwards by “independent persons”. The source tapping by the BKA, however, is found constitutionally unobjectionable.
• In 2016, the BKA completes its own development, “Remote Communication Interception Software” (RCIS), which can intercept Skype on Windows. A year later, “RCIS-Mobile” followed, a version for smartphones and tablets.
• In 2017, the Bundestag renews the BKA law as required by the BVerfG and defines “covert interventions in information technology systems” more concretely.
• Also in 2017, the Bundestag allows a legal basis for online searches for all police authorities with the newly created § 100b StPO. This includes “all devices controlled by a microprocessor”. With the new version of § 100a StPO, the Bundestag legalises the interception of “ongoing communication” on the terminal device with the help of source tapping.
• In the same year, the Federal Ministry of the Interior launches the Central Office for Information Technology in the Security Sector (ZITiS). Without a special law establishing it, it is to support the Federal Police, BKA and BfV in the development of “technical tools in the fight against terrorism, cybercrime and cyber espionage”.
• Since 2018, the BVerfG has been dealing with several constitutional complaints against the amendments to the StPO on the use of state trojans. Among others, the Digitalcourage association, the Society for Civil Liberties, the German Lawyers’ Association, the Federal Association for IT Security and members of the FDP and the Pirate Party are suing.
• In 2019, the BMI presents the draft law that was passed a fortnight ago, according to which all intelligence services are now allowed to conduct source tapping.

Image: Agê Barros on Unsplash.