Infecting a computer with spyware in order to secretly siphon data is a tactic most commonly associated with criminals. But explosive new revelations in Germany suggest international law enforcement agencies are adopting similar methods as a form of intrusive suspect surveillance, raising fresh civil liberties concerns.
Information released last month by the German government shows that between 2008-2011, representatives from the FBI; the U.K.’s Serious Organised Crime Agency (SOCA); and France’s secret service, the DCRI, were among those to have held meetings with German federal police about deploying “monitoring software” used to covertly infiltrate computers.
The disclosure was made in response to a series of questions tabled by Left Party Member of Parliament Andrej Hunko and reported by German-language media. It comes on the heels of an exposé by the Chaos Computer Club, a Berlin-based hacker collective, which revealed in October that German police forces had been using a so-called "Bundestrojaner” (federal Trojan) to spy on suspects.
The Bundestrojaner technology could be sent disguised as a legitimate software update and was capable of recording Skype calls, monitoring Internet use, and logging messenger chats and keystrokes. It could also activate computer hardware such as microphones or webcams and secretly take snapshots or record audio before sending it back to the authorities.
German federal authorities initially denied deploying any Bundestrojaner, but it soon transpired that courts had in fact approved requests from officials to employ such Trojan horse programs more than 50 times. Following a public outcry over the use of the technology, which many believe breached the country’s strict privacy laws, further details have surfaced.
Inquiries by Green Party MP Konstantin von Notz revealed in January that, in addition to the Bundestrojaner discovered by the CCC, German authorities had also acquired a license in early 2011 to test a similar Trojan technology called “FinSpy,”manufactured by England-based firm Gamma Group. FinSpy enables clandestine access to a targeted computer, and was reportedly used for five months by Hosni Mubarak’s Egyptian state security forces in 2010 to monitor personal Skype accounts and record voice and video conversations over the Internet.
But it is the German government’s response to a series of questions recently submitted by Hunko that is perhaps the most revealing to date. In a letter from Secretary of State Ole Schröder on March 6, which I have translated, Hunko was informed that German federal police force, the Bundeskriminalamt (BKA), met to discuss the use of monitoring software with counterparts from the U.S., Britain, Israel, Luxemburg, Liechtenstein, the Netherlands, Belgium, France, Switzerland, and Austria. The meetings took place separately between Feb. 19, 2008, and Feb. 1, 2012. While this story has been covered in the German media, it hasn’t received the English-language attention it deserves.
Both the FBI and Britain’s SOCA are said to have discussed with the Germans the “basic legal requirements” of using computer-monitoring software. The meeting with SOCA also covered the “technical and tactical aspects” of deploying computer infiltration technology, according to Schröder’s letter. France’s secret service and police from Switzerland, Austria, Luxemburg, and Liechtenstein were separately briefed by the BKA on its experiences using Trojan computer infiltration.
Interestingly, at a meeting in October 2010 attended by police from Germany, the Netherlands, and Belgium, representatives from the Gamma Group were present and apparently showcased their shadowy products. It is possible that the Germans decided at this meeting to proceed with the FinSpy trial we now know took place in early 2011.
If nothing else, these revelations confirm that police internationally are increasingly looking to deploy ethically contentious computer intrusion techniques that exist in a legal gray area. The combination of the rapid development of Internet technologies and persistent fears about national security seem to have led to a paradigm shift in police tactics—one that appears, worryingly, to be taking place almost entirely behind closed doors and under cover of state secrecy.
The use of highly intrusive surveillance technologies in any context demands some level of democratic scrutiny. How many police and government agencies are sanctioned to use hacking and Trojans as a means to surveil their citizens, how frequently does it happen, on what grounds, and with what oversight? The fallout from Germany’s Bundestrojaner scandal may have shed some much-needed light on this murky world, but still we are left with many more questions than answers.