The German government faces several legal challenges over its use of Trojan spyware to get around encrypted messaging. Critics say the current surveillance laws are too broad and that the exploits the spyware depends on risk enabling another massive ransomware attack.
On Tuesday, the data protection group Digitalcourage filed the first Constitutional Court complaint against a German law that permits the use of Trojan spyware by government authorities. Germany’s top tribunal is expected to receive more legal challenges to the government’s extended online surveillance powers.
The law, which came into effect just under a year ago, allows authorities to read encrypted messages by secretly installing spyware on computers or mobile phones, typically by exploiting security vulnerabilities. The spyware does not break the encryption itself; it captures messages on the device before they are encrypted or after they are decrypted.
According to the plaintiffs, the laws violate several constitutional rights and “jeopardize security rather than guarantee it.”
In addition to Digitalcourage, the Berlin-based NGO Society for Civil Rights (GFF) and a handful of lawmakers from the business-friendly Free Democrats (FDP) are expected to file a similar complaint in the coming days, although they will call for a more detailed legal framework for the use of state Trojans, rather than demand that government hacking be scrapped altogether.
Has spyware become the new norm?
Germany’s Federal Criminal Police Office (BKA) is formally permitted to intercept encrypted communications or monitor online activity only when investigating serious offenses, such as terrorism or organized crime. Officials maintain that the current laws grant authorities the same surveillance powers that have existed for years and that messaging apps with end-to-end encryption, such as WhatsApp or Telegram (which encrypts end to end only in its optional secret chats), should be interceptable just like telephone conversations and traditional text messages.
“We cannot let the internet become a legal vacuum,” BKA chief Holger Münch told the German daily Handelsblatt this week. “We must protect citizens and companies. This means we must be able to investigate this space.”
Critics fear that the use of Trojan viruses has become the rule rather than the exception for Germany’s security services. The BKA provides very little public information on the spy software or its usage for security reasons, although Digitalcourage spokeswoman Kerstin Demuth told DW that the number of phone hacks last year was thought to be about 150.
This, Demuth said, is cause for alarm given the kinds of crimes being investigated through hacking. “We are complaining against the use of Trojans in criminal cases where it’s clear that no lives are in danger,” she said, adding that in one case authorities even hacked a person’s phone after they were suspected of falsifying a certificate.
And, even in the case of suspected terrorism, Demuth isn’t convinced that the gains from wide-scale hacking are worth the potential risks to the basic right to privacy. “If you look at the instances of when there were terror attacks in Germany, the problems weren’t a lack of intelligence, but negligence when it came to evaluating and communicating information with other authorities,” she said. “We should look at fixing these human errors first and foremost.”
Ignoring security holes
Tuesday’s legal complaint doesn’t just highlight privacy concerns. According to the plaintiffs, authorities have managed to install Trojan viruses on users’ devices by exploiting security holes that are unknown to computer and mobile phone developers.
The GFF chair, Ulf Buermeyer, told DW that his complaint will call for new rules stipulating that authorities cannot use zero-day exploits, that is, exploits for software vulnerabilities that are still unknown to the software’s developer and for which no patch exists.
“It is crucial that we have rules in place that state what kind of software holes can be exploited and which ones can’t,” he said. “Otherwise you end up putting thousands of IT systems at risk.”
Buermeyer refers to the May 2017 WannaCry ransomware attack, which paralyzed large parts of the UK’s National Health Service for days. It was subsequently reported that the US National Security Agency had known about the underlying Windows vulnerability as far back as 2010 but chose not to report it to Microsoft because the exploit was useful for the NSA’s own operations. The vulnerability only became public after the NSA’s exploit was stolen and leaked; Microsoft had issued a patch two months before WannaCry, but the machines that were hit had not installed it.
“The risk is that the German state is going about surveilling new technologies just as it did older ones, even though the risks are far greater,” he said.
Big names back complaint
Two prominent backers of the GFF’s complaint are the journalists Hajo Seppelt, who exposed doping in Russian sports, and Can Dundar, who is wanted in Turkey for disclosing state secrets and is currently living in exile in Germany.
Both men claim to have been the targets of multiple hacking attempts by the Russian and Turkish authorities.
The plaintiffs hope that a stricter legal framework for government hacking, including rules on disclosing the security vulnerabilities it relies on, would make them, and everyone else for that matter, more secure.