Germany: Constitutional complaint against federal trojan
It’s been almost a year now since the “Bundestrojaner” legal amendments were passed by the German government. The amendments were added to allow authorities to install software and decrypt private internet use without consent.
Now a couple of organizations and individuals are bringing a constitutional complaint. The reason: not only are there huge security risks involved when dealing with state-sponsored malware, but instead of being used only in extreme cases, the Bundestrojaner could be deployed far too often and too easily, and therefore be a serious threat to privacy.
What is the Bundestrojaner?
The Bundestrojaner is a piece of software (or rather malware) that has been around since 2011 – at least, that’s when the CCC discovered it. The tool is supposed to be used for telecommunication surveillance: to read emails and chats and wiretap phone calls made by the target via his or her computer or smartphone. This is accomplished by taking advantage of security gaps that might exist outside of public knowledge.
The many concerns
Now you might wonder why the Bundestrojaner is such a big issue. There are a couple of reasons:
Security issues: Like any malware, the government’s needs to abuse bugs and security holes in order to function. By intentionally not disclosing these vulnerabilities, but leveraging them instead, the law not only does a civic disservice to online users everywhere, it also increases the chances that these weaknesses will be used in turn by criminals.
In case you think this is outlandish, don’t forget WannaCry. The ransomware is the best example of government-exploited vulnerabilities that were not disclosed – and criminals making “the best” out of it.
Privacy concerns: Just a year ago, the Bundestrojaner could only be used in extreme cases, for example if someone was suspected of being a terrorist. This was changed with last year’s amendments. Now basically everyone who is suspected of a crime such as drug dealing or counterfeiting money can fall victim to the malware.
In 2016 alone, there were 40,000 cases that could have made use of the trojan. Once successfully infected, you’d become an open book for whoever is looking into you: emails, Skype messages, vacation pics and videos – there are no secrets anymore. Privacy-wise, that’s a huge nightmare.
The constitutional complaint
The above issues have several parties worried when it comes to the Bundestrojaner. They feel their concerns are big enough to bring before the “Bundesverfassungsgericht”, Germany’s supreme constitutional court. They are the association “Digitalcourage”, which even has a petition running to support its complaint, the “Gesellschaft für Freiheitsrechte” (GFF), and a couple of politicians as well as journalists.
All of them have different goals. While Digitalcourage wants to see the government malware completely gone, the GFF only wants to restrict its usage and make sure it’s only used in extreme cases and that security holes have to be reported.
Malware is malware, no matter who the author
Travis Witteveen, CEO at Avira, has a very clear statement concerning the sanction and use of government-sanctioned malware: “Software, which uses system weaknesses to manipulate or exploit a system without user notification or acceptance, is considered malicious, regardless of the author.
Governments investing in the discovery of system weaknesses and not publishing them to the vendor of those systems or software are actually supporting criminality, not preventing it.
The German government should use the tax money more appropriately and in order to ensure privacy – not to create additional cyberthreats.”