‘State trojans’: New German law enables police to hack into encrypted messengers

German police may now hack into messengers like WhatsApp using “state trojans” to intercept user communications before they are encrypted on their devices, according to a new law swiftly passed by the parliament.

The new legislation allows police investigators to use a “state trojan” to hack into a suspect’s mobile device, tablet, or computer, and get full access to their chat messages, video recordings, or other private data, German media reported.

The “state trojans” could make it easier to bypass the encryption employed by popular messaging services, including WhatsApp, as they can gain access to data straight from the source, well before it is secured by the messengers.

The Bundestag voted the bill into law during the second and third readings on Thursday, Spiegel reported. The ruling coalition of conservative CDU/CSU and the Social Democrats overwhelmingly supported the measure, saying it will ensure “more efficient execution of criminal proceedings.” The Greens and the Left Party rejected it, however. 

The new legislation will allow German law enforcement agencies to obtain a copy of a device’s hard drive or remotely search it in specific cases.

The use of the “state malware” will not be restricted to terrorism-related cases, however, German media reported. Surveillance of encrypted communications in cases involving suspected tax evasion, drug trafficking, and sports betting fraud is also expected to be considered legal under the new legislation.

Until now, German law enforcement could only wiretap a suspect’s SMS communications and regular phone conversations in specific serious cases. Looking at messages sent through encrypted services has been prohibited by law.

Facebook-owned WhatsApp updated its messenger service in April last year with “end-to-end” encryption, enabling a “lock” to secure communications between individual users or in a group chat.

Amid a heated debate on finding the balance between privacy and security concerns, Facebook CEO Mark Zuckerberg praised the update as an “important milestone for the WhatsApp community.”

Advocating the new surveillance amendment, the German government argued it would help authorities tackle rising security threats.

“We often see that criminals communicate using encrypted ways,” Interior Minister Thomas de Maiziere said, as cited by Rheinische Post. “Encryption protects a right for private communication. But it is not a carte blanche for criminals.” 

“This is how we facilitate efficient, cutting-edge law enforcement that's keeping us all safe,” Michael Frieser, domestic policy expert of the CSU party, said in the Bundestag on Thursday, according to Deutsche Welle.

However, critics within and outside government circles have doubted the law is constitutional.

“State-sponsored hacking is much worse than a big malware attack, because nowadays the entire private life is stored on mobile devices, including photos, contacts, SMS, emails as well as location and movement data,” said Jan Korte MP (Left Party) as cited by Spiegel

“The one who surveils computers and smartphones can also activate microphones and data storage, allowing him to know nearly everything on the target person,” Judge Ulf Buermeyer, head of the German Society for Civil Rights, wrote in a statement for Handelsblatt daily.

Opponents of the surveillance amendment have also lambasted the way the bill was pitched to the Bundestag. Hans-Christian Stroebele, member of the parliament’s Judiciary Committee for the Green Party, told Deutsche Welle MPs were informed about the amendment on very short notice and had almost no time to prepare for a meaningful discussion.

The amendment itself has been part of a large document proposing changes to German criminal law.

“One can't help but get the impression that this serious infraction of civil liberties was deliberately hidden in a regular adjustment bill to push it through quickly and without discussion,” the president of the German Lawyers Association, Ulrich Schellenberg, wrote in an email to the news agency.