“Bundestrojaner” in use, what next?

The German Ministry of Interior (BMI) has authorized the use of a new hacking tool for criminal investigations since January, according to recent reports by the German daily Die Welt [1]. Like previously deployed government Trojan programs, it is nicknamed “Bundestrojaner”. The new version, developed by the Munich-based IT surveillance company FinFisher GmbH, enables criminal investigators from the German Federal Criminal Police Office (BKA) and the state (Länder) criminal police offices to access individual suspects’ devices and to surveil their real-time communication before it is encrypted by messenger programs such as WhatsApp. Officially, this surveillance procedure is referred to as “source telecommunication surveillance” (“Quellen-Telekommunikationsüberwachung”).

In summer 2017, the Bundestag passed a law amending §100 of the German Criminal Code and extending the scope of application for surveillance measures, and for “source telecommunication surveillance” in particular. But the law itself, and government hacking more generally, remain highly contested. Critics argue that it undermines individuals’ privacy and harms IT security [2], [3]. The German Federal Constitutional Court might even rule parts of it unlawful. We’ll explore some of the reasons below.

Moreover, it is unclear how security agencies will deal with the vulnerabilities in IT systems that they inevitably rely on for their surveillance activities. Leaving such vulnerabilities in place can pose high risks to the safety of individuals and of society as a whole. The establishment of a Central Authority for Information Technology in the Security Sphere (ZITiS) last year has further heated up the debate about political and ethical issues in the context of government hacking (see DSI policy paper [4] for more information).

Hence, rules for government hacking are far from settled, and the incoming CDU/CSU and SPD “2.0” government will need to address a number of political, ethical, and legal challenges. (Update: The government coalition treaty draft, published on 7 February 2018, does not include any clear indications on these issues [5].)

Ambiguity about the “new” legal basis for surveillance by Trojan

Per federal (Bund) and state (Länder) law respectively, criminal investigators holding a corresponding legal warrant can use hacking tools such as Trojans for “source telecommunication surveillance”, as well as for “online search” procedures in criminal investigations. Within “source telecommunication surveillance” procedures, investigators use a Trojan to gain access to a suspect’s device and then surveil his/her real-time communication (data-in-transit) at the “source”. This helps them circumvent encryption. “Online searches” are more invasive, as investigators can search data stored on suspects’ devices (data-at-rest). They are therefore subject to narrower legal restrictions.

A landmark German Federal Constitutional Court ruling in 2008 determined that criminal police agencies should only use online search as an investigative measure in terrorist investigations or comparably severe cases. Remarkably, in its decision the Court established a fundamental right to the guarantee of the confidentiality and integrity of information and communication technology (ICT) systems, to preserve digital privacy. It derived this right from a constitutional personal right (Art. 2.1 and Art. 1.1 of the German constitution). In light of this reasoning, the Court decided that the surveilled subject’s privacy, its “core area of private life”, is to be exempted from surveillance, applying both to online search and telecommunication surveillance (for an overview of the Court ruling, see [6]).

As it turned out, it is technically very challenging to exempt a “core area of private life” with a tool as invasive as a Trojan. An earlier version of the “Bundestrojaner” which the BKA developed in-house and built to be compliant with these legal restrictions proved ineffective for practical investigations (for example, it only worked on Windows operating systems and could only surveil Skype conversations, so it was easy to evade). For criminal investigators, this often serves as an argument to loosen restrictions on the use of investigative hacking tools.

The 2017 law enables criminal investigators to use hacking tools for extended “source telecommunication surveillance” of suspects and to conduct online searches in a much broader range of crimes, such as drug trafficking, dealing in stolen goods, or tax evasion [7]. This broad span of applications has raised concerns that the use of a Trojan might become a standard procedure in thousands of criminal cases. Critics see that as an interference with constitutional and fundamental rights, privacy, and IT security. Civil rights organizations such as Gesellschaft für Freiheitsrechte (GFF) and industry associations such as the IT security association TeleTrust are preparing constitutional appeals against the law [2], [3]. It is likely that the German Federal Constitutional Court will indeed impose narrower restrictions and revise parts of the updated version of the German criminal code. Hence, the debate is not over, and the government and Bundestag will need to debate the arguments again, although the context will have changed by then.

Dealing with unknown vulnerabilities in IT systems

Another concern is that government hacking malware relies on the exploitation of unknown vulnerabilities in IT systems. This is a risky undertaking – if government agencies do not disclose vulnerabilities to IT manufacturers, these will remain open for criminals to exploit. Hackers with malicious intent could affect the security of thousands or millions of software users and/or of critical infrastructures, since IT is by now part of practically every infrastructure that our societies rely on. This is one reason why the IT industry resists government hacking – it could significantly harm their products and their users’ confidence in them. It is unclear whether ZITiS, which will supply law enforcement and police, as well as domestic intelligence agencies, at the state (Länder) and federal (Bund) levels with know-how and hacking tools, will rely on the exploitation of unknown vulnerabilities in IT systems. But it is highly likely – a fact that both industry and civil society criticize.

The government will need to establish clarity here: one option is to decide to only exploit known vulnerabilities. Since many systems remain unpatched even after vulnerabilities are known, there is a fair chance that security agencies would still get inside the system. Since there are other ways to gain access to IT systems apart from exploiting unknown vulnerabilities, this might be a practicable solution and is definitely preferable from an IT security perspective. However, investigators argue that sophisticated criminals will keep their systems’ security up to date, so they need to be a step ahead and use unknown vulnerabilities.

The exploitation of unknown vulnerabilities bears significant and potentially systemic security risks (think of an unknown vulnerability in a widely used operating system, e.g. the one behind WannaCry). This is why it should be decided on a case-by-case basis within a clearly structured process which weighs IT security concerns against investigatory goals [8]. While the U.S. inter-agency Vulnerabilities Equities Process (VEP) might provide some guidance, for example when it comes to the inclusion of multiple stakeholders with different interests, such a process needs to be adapted to the German national context. Most importantly, it will require a legal basis and a transparent legislative procedure. Following the precautionary principle, vulnerabilities that would have a very serious impact on human life or the economy if exploited by criminal actors should always be disclosed to the technology’s manufacturer. The IT industry should be an active participant within an overarching national vulnerability handling process and should also establish its own transparent vulnerability management programs.

Institutional responsibilities and democratic oversight

Overall, the conduct of governmental hacking will require effective democratic oversight mechanisms, enforced by qualified personnel. In theory, oversight is already in place – ZITiS is not an operational agency and reports to the BMI. The BKA is overseen by the BMI, and the federal domestic intelligence service (Bundesverfassungsschutz) is overseen by a parliamentary control commission. However, it has been found that in practice the control commission’s oversight competencies need to be strengthened more generally. The criminal police offices and intelligence agencies at the state level, which will also deploy tools developed by ZITiS, are in turn overseen by their own public prosecutor agencies and parliaments.

But in order to avoid fragmentation and increase effectiveness, judicial and/or parliamentary oversight should be expanded cross-institutionally and include adequate technical, legal, and ethical expertise. If know-how and resources for the exploitation of IT systems are developed in a centralized manner, transparency and oversight mechanisms should not be scattered across multiple law enforcement agencies, ministries, and parliaments at different levels of government.

*On February 8, this article was updated to reflect current political developments in more detail.

References

[1] F. Flade, “Ministerium gibt neuen Bundestrojaner für Einsatz frei,” Die Welt, 02 02 2018. [Online]. Available: https://www.welt.de/politik/deutschland/article173121473/Verdeckte-Ueberwachung-Ministerium-gibt-neuen-Bundestrojaner-fuer-den-Einsatz-frei.html.
[2] L. Scherfig, “Berliner Morgenpost,” Berliner Morgenpost, 01 02 2018. [Online]. Available: https://www.morgenpost.de/politik/article213291339/Verband-Staatstrojaner-gefaehrdet-IT-Standort-Deutschland.html.
[3] R. Pinkert and H. Tanriverdi, “Polizei spioniert Handynutzer mit Trojaner aus,” Süddeutsche Zeitung, 26 01 2018. [Online]. Available: http://www.sueddeutsche.de/digital/ueberwachung-polizei-spioniert-handynutzer-mit-trojaner-aus-1.3842439.
[4] M. Schallbruch, “Crypto-debate: Strategies for responsible behavior of law enforcement and intelligence agencies on matters of cryptography, vulnerabilities, and tools,” DSI Industrial and Policy Recommendations, 2017.
[5] “Entwurf – Koalitionsvertrag zwischen CDU, CSU und SPD,” 07 02 2018. [Online]. Available: http://www.tagesspiegel.de/downloads/20936562/4/koav-gesamttext-stand-070218-1145h.pdf.
[6] W. Abel and B. Schafer, “The German Constitutional Court on the Right in Confidentiality and Integrity of Information Technology Systems – a case report on BVerfG, NJW 2008, 822,” SCRIPT, vol. 6, no. 1, pp. 106–123, 2009.
[7] “Artikel 3 – Gesetz zur effektiveren und praxistauglicheren Ausgestaltung des Strafverfahrens,” Buzer.de. [Online]. Available: https://www.buzer.de/s1.htm?g=%C3%9CbwR%C3%84ndG&a=3.
[8] M. Schallbruch, S. Gaycken and I. Skierka, “Cybersicherheit 2018-2020: Handlungsvorschläge für CDU/CSU und SPD,” DSI Industrial and Policy Recommendations series, no. 1, 2018.