German authorities plant spyware on citizens’ computers

Dirk Engling, of Chaos Computer Club, shows the control software for the Trojan spyware allegedly made by the German authorities (R) monitoring the traffic on a remote computer (L). The club cracked the spying software that could allow German authorities to peer through webcams. The news has sparked outrage among politicians and media commentators.

BERLIN, Germany — It’s the stuff of modern nightmares.

A seemingly innocuous email plants malicious spyware on your computer, allowing strangers to not only access your private communications but also to spy on you in your own home.

The fact that such invasive technology was deployed by officials in Germany has caused uproar here.

While the monitoring of internet telephone communications is allowed by German law in serious cases, it has emerged that software deployed by some law enforcement agencies was capable of much more intrusive snooping, raising serious concerns about the potential for a “Big Brother” level of surveillance.

The use of so-called “Trojan horse” software by authorities in a number of German states came to light after the Chaos Computer Club, a hacker group, published details of its examination of spyware planted on a laptop in Bavaria.

It found that the software — developed by a private company called DigiTask for the Bavarian police — was capable of much more than just monitoring internet phone calls. It could take screenshots, remotely add files and control a computer’s microphone or webcam to monitor the person’s home. However, the authorities insist that they did not deploy these functions. Investigations are ongoing.

Graham Cluley, a senior technology consultant with British computer security firm Sophos, which also analyzed the software, said that the spyware could “automatically update itself over the internet, so new functionality can be added. It can be used to install new software onto the computer, so people could actually alter the contents of a suspect’s hard drive.”

The scandal has led politicians and security experts to look at whether the country’s already stringent privacy laws need firming up.

Privacy advocates had already raised concerns about the potential for state intrusion back in 2007, when the Interior Ministry said that it was developing software to monitor suspects’ internet communications.

The following year the Federal Constitutional Court, the highest in the country, made a ruling that placed narrow limits on the use of such software, including stipulations that it could only be used to monitor Internet telephone communications. The 2008 ruling stated that the integrity of people’s computers was a “fundamental right” and could only be infringed upon with a court order.

Yet evidence now suggests that some state law enforcement agencies went beyond those constitutional limits when they deployed Trojans that had wider functionality.

“There are very strict guidelines regarding the use of this kind of software in those situations,” Cluley told GlobalPost. “It appears to us that if this piece of software was being used for that purpose then it goes beyond those guidelines.”

“The Trojan’s developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the Constitutional Court,” the Chaos Computer Club wrote on its website.

The Interior Ministry in Bavaria confirmed that law enforcement officials there have been using the spyware since 2009 and insists the application is legal. Other states, including Baden-Wurttemberg, Brandenburg and Lower Saxony, also admitted using Trojans.

Once the scandal broke, Federal Interior Minister Hans-Peter Friedrich demanded that the states halt the use of the spyware. He has since declared that the BKA, the federal criminal police, have only used Trojans in accordance with the constitution. However, he has said that in future the software will be developed by the authorities themselves rather than outsourced to private companies.

Meanwhile, Justice Minister Sabine Leutheusser-Schnarrenberger, a member of the Free Democrat Party, which has traditionally seen citizens’ privacy as a core issue, has indicated that she is considering new laws to ensure that privacy is safeguarded. She has already called for an inquiry into the use of the software by the authorities.

Peter Schaar, the Federal Commissioner for Data Protection and Freedom of Information, has voiced his concerns about the legal “gray area” that surrounds the use of this kind of spyware. His spokesperson Juliane Heinrich told GlobalPost that the current legal situation was obviously not adequate. “It has to be improved, and this can be done by the justice minister, who is responsible for the criminal code,” she said.

The police also want more clarity about what is legally permissible. The Federation of German Criminal Police (BDK) has said that Germany needs cabinet-level oversight of internet issues. “It is high time for a federal internet minister who solves the pressing problems of the digital age,” BDK head Andre Schulz told the Neue Osnabrücker Zeitung newspaper.

Marco Buschmann, a Free Democrat member of parliament, sees it as a fundamental problem that the authorities were using software capable of this functionality, even if, as they claim, it was never activated.

“The authorities have to operate within the framework of the law and our constitution,” Buschmann told GlobalPost. “And the problem is that software was found that theoretically could do more than the constitution allowed.”

Aside from questions about the legality and ethics of using this type of spyware, the application could also prove self-defeating for law enforcement, critics say. The fact that the software allows files and programs to be remotely downloaded means that any evidence found on a suspect’s laptop could be disputed.

“It is naturally counter-productive for the prosecutors, as this evidence would be without any value,” Meinhard Starostik, a lawyer who specializes in data issues, told GlobalPost. “A criminal could say: ‘The police planted that on my computer with the Trojan.’”

It is not only the software itself that has raised concerns, but also the suspects upon which it was used. Some investigations were probing relatively minor targets. In one case, for example, investigators placed a Trojan on the computer of a suspect they thought was illegally importing anabolic steroids.

Cluley was surprised to learn that it was being used to monitor low-level criminal activity. “I would expect this kind of thing to be used on serious organized crime or in terrorist investigations,” he said.

Buschmann says that while suspected criminals and terrorists need to be investigated, people’s freedoms also need to be protected. “That includes the freedom to use my computer without worrying that it could potentially be spied on, whether by the state or by criminals.”

Germans have a reputation for being sensitive about privacy issues, due in large part to totalitarian systems of the past. The 12 years of Nazi rule were followed, in East Germany, by a communist system whose notorious secret police, the Stasi, routinely spied on citizens.

“These two dictatorships were sustained by the surveillance of their own citizens,” Buschmann said. “No one is claiming that today we have a surveillance state, but we are very sensitive to these issues because of our experiences.”

Privacy attorney Starostik agrees that their history has made Germans particularly cautious when it comes to the issues of state surveillance and of data privacy in general. He argues that the fact that Trojans have the potential for such levels of spying means they should not be used by the authorities, even for monitoring internet communications.

“This example shows how dangerous it is when one allows the state the possibility of such wide-ranging invasions of privacy,” he said. “When one has such a tool then the temptation is too great to overstep the limits.”