In October 2011, German hacker organization Chaos Computer Club (CCC) analyzed a malware used by German government authorities. The product of the German company DigiTask was not just programmed badly and lacking elementary security, it was in breach of German law. In a landmark case, the Federal Constitutional Court of Germany ruled in 2008 that surveillance software targeting telecommunications must be technologically limited to a specific task. Instead, the CCC found that the DigiTask software took over the entire computer and included the option to remotely add features, thereby clearly violating the court ruling.
Netzpolitik.org ist unabhängig, werbefrei und fast vollständig durch unsere Leserinnen und Leser finanziert.
Since then, many German authorities have stopped using DigiTask spyware and started to create their own state malware. For this task, a „Center of Competence for Information Technology Surveillance (CC ITÜ)“ was established, sporting a three million Euro budget and a team of 30 people. Today, the Federal Ministry of the Interior is informing the Federal Parliament Bundestag about the centers progress and work. Members of the Finance Committee of the German Parliament are receiving a classified document, that we are now publishing. (text)
According to the document (in German only) dated December 7, the Federal Criminal Police Office plans to finish the development of their own surveillance malware until the end of 2014. There is no word on the progress or even how many developers have applied for the job, which seems to be frowned upon by many German hackers.
In the meantime, the Federal Police plans to continue using commercial software. In a „market survey“, they have assessed „three products as generally suitable“. The result:
The Federal Criminal Police Office has acquired, for the event a use is necessary, a commercial product of the company Elaman/Gamma.
The Gamma Group of Companies, a network of companies linked to offshore secrecy, is behind the infamous FinFisher/FinSpy IT intrusion software kit developed in Germany and used by authoritarian regimes across the world to spy on political activists. The software is highly sophisticated and can completely take over a veriety of devices, including Windows, OS X, Linux, iOS, Android, Symbian, Blackberry and Windows Mobile. A promotional video advertises the ability of „remote intrusion“ via fake updates from mobile carriers and Internet providers.
The experienced team behind FinFisher/FinSpy is less likely to implement „significant design and implementation flaws“, as the CCC diagnosed for DigiTask. But with strong clues that authoritarian regimes such as Bahrain, United Arab Emirates, Qatar, Ethiopia, Mongolia and Turkmenistan are using those products, the German state is sending a dangerous political message by using exactly the same software itself. In Britain, the Secretary of State put FinSpy software under export restrictions, requiring the Gamma company to acquire a licence to export these tools. In Germany, we are also calling for export restrictions to stop the sale of western surveillance technology to regimes known for their violation of human rights.
Besides this fundamental criticism, it also remains unclear if this spyware developed for international customers can meet the high standards set by the Constitutional Court for the use of such software in Germany. As discovered by the CCC, DigiTask was breaking the law by allowing to update installed malware and adding new features from remote. Although Gamma keeps its software secret, current research suggests that the FinFisher/FinSpy toolkit consists of a basic module (the trojan) that can also remotely load additional „feature modules“, for example a module for recording Skype conversations. Analysts who have looked at FinFisher parts told netzpolitik.org that they have not seen limits on what additional modules can be loaded or even a signature verification of additional modules. If this is indeed the case, this would clearly violate German law.
Since the CCC analysis showed that the current German state trojan was able to do more than allowed, it should be obvious that all future spyware must be verified before use. According to the document, both the Federal Commissioner for Data Protection and Freedom of Information and the Federal Office for Information Security are not able to audit the source code of the program to check if it complies with the legal requirements. For this reason, the German part of IT corporation Computer Sciences Corp was tasked with the review, which was supposed to be finished in December. The document does not mention the progress or results of such an audit.
There are also no mentions of a amount which the Federal Police is paying to Gamma, the terms of a sale or licensing, or whether German officials have already used the software. Gamma spokesperson and developer Martin J. Münch has not answered questions sent by netzpolitik.org.
CCC spokesperson Frank Rieger states:
With the purchase of Gamma FinFisher, the Federal Criminal Police Office has chosen a vendor that has become a symbol for the use of surveillance technology in oppressive regimes worldwide. FinFisher also consists of various components, which can be loaded when needed, thereby allowing the installation of spying capabilities that go far beyond the already questionable „wiretapping at the source„.
This is an edited English version of the original German article.