Bundestrojan: German police is cleared to use malware in spying on suspects

© Dado Ruvic
The German Interior Ministry has approved a measure allowing federal police to use a special Trojan virus to hack the computers and smartphones of their suspects, giving them almost unlimited opportunities to conduct surveillance on them.

The Trojan can already be employed this week, reports Deutschlandfunk radio.

The malware, which was specially developed by the German Federal Criminal Police Office, functions similarly to a typical virus used by hackers, according to Deutsche Welle. It allows officers to infiltrate a targeted device and access its files and also makes it possible for them to spy on a suspect’s communications, including e-mails or conversations conducted via phone or programs like Skype.

The Trojan opens “a back-door” to the targeted computer, allowing the operator to not only copy files from the computer’s hard drive, but also retrieve all of the user’s passwords, providing almost unlimited access to a person’s digital data.

It even can even facilitate on-line video and audio surveillance, as smartphones and laptops are often equipped with integrated microphones and cameras.

However, in 2008, the German Constitutional Court laid down strict rules for the use of online surveillance programs, prohibiting police from engaging in such activities without a court ruling, Tagesschau says in its report. Additionally, the use of online spying malware is only allowed in cases when there is sufficient legal basis and an immediate threat to people’s lives and health, or in the case of a threat to national security.

Even if all those conditions have been met, police can only take advantage of some of the abilities provided by the Trojan. According to the regulations, law enforcement is limited to accessing only “source and communications surveillance,” which means the officers can read e-mails and wiretap telephone calls, but are prohibited from copying files from a hard drive or setting up video or audio surveillance via the hacked device. They are not allowed to “steal” passwords either.

Police assert that the new Trojan has been specially programmed to facilitate only legal means of surveillance, although there is no way to independently verify these claims, as the nature of the malware remains top secret, Deutsche Welle reports. Police say the only way they can gain access to encrypted communications, which are often used by criminals or terrorists, is by using this kind of malicious software

However, IT experts are skeptical that hacking software could be created that would be effectively restricted in terms of functions and capabilities.

“There are really no fundamental differences between a Trojan that should only wiretap communications and the one that is designed, for example, for setting up video surveillance,” Frank Rieger, a spokesman of the Chaos Computer Club (CCC) – Europe’s largest hacker association, told Deutschlandfunk.

Another CCC expert, Falk Garbsch, told Deutsche Welle that any Trojan makes it possible for its operator to install additional software on the targeted computer that could open wider opportunities for the hacker. This software could be covertly deleted afterwards, effectively covering its tracks, he added.

In 2011, a group of hackers from the CCC including Rieger obtained and analyzed a Trojan that had been used by police in the German state of Bavaria. Although the authorities claimed the malware was being used only for communications surveillance, an analysis of the program demonstrated that the program could also provide broad access to the computer system and the data stored on the suspect’s hard drive.

In 2008, the Constitutional Court demanded that the technical capabilities of malware used by police be limited. However, Rieger and other cyber experts doubt that the federal police have fully complied with this order.

At the same time, Rieger stressed the urgent need for such restrictions.

“Reading what someone taps at a [computer] keyboard is like reading one’s thoughts,” he told Deutschlandfunk.

The move to allow the police to use the Trojan was also criticized by former Interior Minister Gerhart Baum, who called it questionable in terms of privacy protection. He said that “such governmental hacking” could violate fundamental civil rights and freedoms, Deutsche Welle reports.

The German Federal Criminal Police Office provoked additional public discontent when it admitted that, in addition to developing its own surveillance malware, it had purchased “a commercial product… FinFisher on the basis of reliability considerations as well as in order to improve [the software’s] relevant capabilities,” as reported by Der Spiegel.

FinFisher is surveillance software created by a German-British Elamann/Gamma company, which human rights organizations have repeatedly criticized for selling software to authoritarian regimes in Egypt and Bahrain.