A hacker group says Berlin may have software to spy on citizens.
A number of other German states have followed Bavaria in confirming the use of a controversial software program to spy on people through their computers. The German justice minister has demanded an investigation.
Several additional German states have admitted to deploying spyware in order to investigate serious criminal offenses, according to regional media sources.
The interior ministers of the states of Baden-Württemberg, Brandenburg, Schleswig-Holstein and Lower Saxony said that regional police had used the software within the parameters of the law. In Lower Saxony, the software has been in use for two years, according to the public broadcaster NDR.
Authorities in Brandenburg, meanwhile, told the daily Berliner Morgenpost that they are currently using the spyware in a single, on-going investigation. Baden-Württemberg has also used such software to investigate “individual cases,” according to the Badische Zeitung.
The interior ministry in the western state North Rhine-Westphalia also admitted that police had used the software in two instances, both of which had been approved by a judge. The news agency dpa reported that both cases had involved serious drug crimes.
Officials in the southern German state of Bavaria were the first to confirm late Monday that their agencies have been using a spyware program since 2009. It remains unclear whether all four states had been using the same software or not.
Bavarian Interior Minister Joachim Herrmann said in a statement that they had acted within the law, and he promised a review of the software’s use. Computer security experts and German politicians say such software is likely in violation of the German constitution.
A hacker group accused the German government on Saturday of developing and using the software to spy on its own citizens. Justice Minister Sabine Leutheusser-Schnarrenberger called on the federal and state governments to launch a joint investigation into the matter.
“Trying to play down or trivialize the matter won’t do,” said Leutheusser-Schnarrenberger while at the same time warning against blanket judgments. “The citizen, in both the public and private spheres, must be protected from snooping through strict state control mechanisms.”
Germany’s Interior Ministry said Monday no such program was being used at a federal level.
The Chaos Computer Club (CCC), a well-known German hacker group, on Saturday announced its analysis of the so-called “Bundestrojaner,” or “Federal Trojan,” had revealed that this “lawful interception” program goes far beyond what normally would be allowed under German law.
“The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs,” wrote the organization in an English-language post on its website. “Significant design and implementation flaws make all of the functionality available to anyone on the Internet.”
The spyware could even be used to plant evidence on a computer. “Functions clearly intended for breaking the law were implemented in this malware,” the CCC asserted.
The CCC, which came across the software through an anonymous tip, alleges the Trojan was developed by German police forces for intercepting personal data from computers, including those of private individuals.
Earlier Monday, Constanze Kurz of the CCC told German public radio that the group was “quite sure” the German government had developed the malware.
“We have no doubt, otherwise we wouldn’t have gone public with it,” she said.
The CCC’s analysis showed that the Trojan can log keystrokes, take screenshots, record Skype conversations and even activate webcams or computer microphones to survey private happenings inside a person’s home.
What’s worse, the CCC said, is that poor data encryption protocols in the Trojan could allow the software to be used by third parties.
Hypponen's security firm has 'no reason' to doubt the findings.
‘No reason to doubt CCC findings’
After the Federal Trojan’s source code was published, several Internet security companies confirmed the CCC’s conclusions.
“We have no reason to doubt CCC findings,” said Mikko Hypponen, chief research officer at F-Secure, an Internet security company in Helsinki.
“[The CCC] has a long history of trustworthy research,” Hypponen told Deutsche Welle, adding “I think it’s more likely than unlikely” the German government developed the malware.
“There are some details in the code that make it stand out from criminal software,” Hypponen said.
Graham Cluley, senior technology consultant for Sophos, a British computer security firm which also analyzed the software, points out that the malware “appears to connect to an IP address which we believe to be based in Dusseldorf or Neuss.”
After the CCC’s announcement, F-Secure decided to add this particular Trojan to its lists of known malware. Hypponen says about half of the Internet security industry currently blocks the malware.
The German Constitutional Court in 2008 established barriers to implementing such software, requiring that interception of Internet-based phone calls only be done with a warrant and court order.
Due to its high level of functionality, implementing this particular software would likely violate the German constitution.
In its Web post, the CCC chided the German government for its alleged constitutional violations: “Law enforcement agencies will overstep their authority if not watched carefully,” the group wrote.
Given Germany’s history during the Nazi and Communist periods of totalitarian government and out-of-control police powers, the allegations have been seen as particularly serious.