One year later: German police unable to develop ’state trojan‘

One year after the Chaos Computer Club found and analysed an illegal trojan virus used by German police, the so-called „state trojan“, and one year after the German Federal Minister of Justice, Sabine Leutheusser-Schnarrenberger had promised „total transparency and clarification(DE) German police still don’t have an alternative to relying on software by private companies for the infiltration of computers.

Recent answers of the interior ministry to questions by Jan Korte (DE), MP Left party, clearly state that the ministry one year later is still lacking the capacity to do as promised: to develop a software for lawful interception that complies with a decision by Germany’s Federal Constitutional Court.

(Questions and answers in German, pdf)

The original „state trojan“ by Digitask did far more than what is allowed by German law:

The Chaos Computer Club (CCC) has recently received a newer version of the „Staatstrojaner“, a government spyware. The comparison with the older version, already analyzed by the CCC with the actual Sniffer-code from December 2010, revealed new evidence. Despite the claims of the responsible parties, the Trojan can still be remote-controlled, loaded with any code and also the allegedly „revision-proof logging“ can be manipulated. (CCC, 26 Oct 2011)

Also see Several German states admit to use of controversial spy software (Deutsche Welle).

The German minister of the Interior, Hans-Peter Friedrich, then promised that the software was going to be produced in-house (DE).

The new replies by the ministry prove him wrong:

The software by DigiTask GmbH that was used in the past for computer surveillance (lawful interception) is not currently being used by federal public authorities anymore.

The software that will be used for computer surveillance will be developed by a competence centre established within the Federal Criminal Police Office. It will be safeguarded that the source code will be audited regarding its range of functions by qualified experts. It will also be accessible for the relevant authorities for data protection (among others the Federal Commissioner for Data Protection).

For the time until the afore mentioned in-house development is completed the Federal Criminal Police Office is preparing a commercial interim solution. The source code of that software has to undergo extensive audits with respect to the demands by the Federal Constitutional Court. (my translation, A.R.)

In a reply to the second question by MP Korte the ministry states that it doesn’t know whether software by DigiTask or other commercial developers designed for lawful interception is being used by state police forces in Germany. Further details are classified and only accessible to MP Korte.

The spokesman on domestic policy of Angela Merkels conservative party in parliament, Hans-Peter Uhl, commented (DE):

The development of a software by the Federal Criminal Office is presumably going to take months if not years. We may even have to ruefully admit that we lack the capability completely.

 

 

Coverage in German media:

 

German police monitors Skype, GoogleMail and Facebook chat

The German government a while ago answered questions about expenditures by the federal ministry of home affairs for private service providers – hardly noticed by the English speaking world. The parlamentary enquiry („Minor interpellation“) no. 17/10077 by Jan Korte, MP of The Left party, has now been translated into English.

Download the document in English (pdf) or German (pdf).

The answers were far more detailed than one would expect.

There’s 43 pages (this includes questions), 20 of which are tables that list who was contracted, how much money was paid, what for and how each paid item was used. Even though 12 out of 30 answers were defined as classified information – e.g. questions regarding Germany’s domestic and foreign intelligence services or the Federal Office for Information Security (BSI) –  there’s still some interesting news to be found.

The German ministry for home affairs and thus the German police clearly state that they are monitoring Skype, Google Mail, MSN Hotmail, Yahoo Mail and Facebook chat if deemed necessary. Money is spent on trojan viruses and we can be quite certain which company produces the IMSI catchers used by German police. We know how much money was spent by the Federal Police on border control biometrics, on passenger information systems and telecommunications surveillance. Digitask, a company whose reputation was clearly damaged after its trojan virus was found and analysed by the Chaos Computer Club in 2011, seems to still be a regular contractor of German authorities. Altogether more than a billion Euro was spent on private services by German police and other public authorities in the realm of the ministry of home affairs in the years 2002 – 2012.

The translation into English, commissioned by MP Korte, leaves out the 20 pages that contain tables with data who was paid how much for what exactly. If your preferred translation website can’t be of help, let me know and I’ll do my best. I noticed one mistake in the translation of question no. 10: „Federal Agency for the Protection of the Environment (BfV)“ should instead be the domestic secret service „Bundesamt für Verfassungsschutz BfV“.

 

 

Picture: Toban Black, Flickr, CC licence