German government refutes Windows 'backdoor' claims

Summary: The German government says Windows 8 and TPM 2.0 chips, used in conjunction, can increase security but have the potential to reduce a user's control over software and hardware. The common-sense advice for government IT experts has been distorted by some observers into wild claims of "backdoors" or spying by the U.S. National Security Agency, or the Chinese.

The German government on Thursday publicly denied a German newspaper report about an alleged "backdoor for the NSA."

The same newspaper has now acknowledged that the German authorities have rejected its initial reporting.

"The so-called Trusted Computing is a back door for the NSA," wrote Zeit's Patrick Beuth on Tuesday, in reference to recent reports about the U.S. government's mass surveillance programs. According to a translated version of the Zeit article, Beuth wrote: "The operating system contains a back door in their [the German government's] view, [and] cannot be closed. This backdoor is called Trusted Computing and could have the effect that Microsoft can control any computer remotely. And thus the NSA."

Except, that's not true. 

Reports began to spread — albeit a little away from the mainstream media — following the German publication's story on Tuesday suggesting that a small "trusted computing" chip embedded in many modern computers can aid the U.S. government's surveillance efforts. As a result, the report claimed — citing an internal document from Germany's Office for Information Security (BSI) — that the latest version of Windows in certain circumstances could not be trusted in a government setting.

On Thursday, the BSI published an opinion walking back on the report's claims [PDF], while offering advice to the federal and civilian IT community on the matter.

The Zeit report suggested that German officials are specifically concerned about the Trusted Platform Module (TPM) technology. These hardware chips contain encryption keys that are used to verify the integrity of operating system and application files, preventing physical computer tampering and some types of malware, most notably rootkits.

These TPMs were developed by the Trusted Computing Group, a coalition of tech firms founded about a decade ago that includes AMD, Cisco, HP, IBM, Intel, Microsoft, and others, and they require a compatible operating system to work.

Simply put, the TPM stores encryption keys in hardware until the software does something with them, and prevents the operating system from being tampered with by malware, such as a rootkit, or by a hacker who wants to modify the system for legitimate purposes.

The new specifications, dubbed TPM 2.0, will be activated by default, according to the BSI. While older versions of Windows use the older TPM 1.0 specification, Windows 8's security contains TPM 2.0 technology. The article's author wrote that Windows 7, as an existing alternative to Microsoft's latest operating system, can "be operated safely until 2020," referencing the time at which Microsoft will no longer support the software or issue security updates. Windows XP faces a similar fate this coming April.

An internal document from the Ministry of Economic Affairs (BMWI), dated early 2012, states that the German government will lose "full sovereignty" of its machines, concluding that, "the security objectives 'confidentiality' and 'integrity' is no longer guaranteed."

This is not the first time Microsoft and the NSA have been accused of collaborating on secret backdoors.

In 1999, similar allegations surfaced over an encryption key found in corporate versions of Windows, called NSAKEY. Claims were made that the U.S. government included code to assist state surveillance, a belief that is only held today in the farthest fringes of conspiracy swamps. Microsoft strenuously denied the claims.

And then it unravels a bit.

"In the light of the Snowden revelations accordingly, it little imagination required to see TPM 2.0 and Windows 8 as a backdoor for NSA, just waiting to be opened," the author writes.

He uses just a "little imagination" to jump to a rather dangerous conclusion. He also notes that he "must assume" that because these TPM chips are developed in China, the Chinese government can compromise the chips, in much the same way the NSA presumably can.

While it's not entirely clear from the article, the German government's general feeling is that it could be a barrier towards a wholly secure solution. The piece references a review by the BSI, stating that it was not possible to have "unconditional, complete confidence" in the platform.

No security solution is 100 percent secure. Not one. In fact, stating this, whether in an internal review or in a public statement, is good, honest practice on the part of the German authorities.

The article points to an "update," citing the BSI's opinion, published on Wednesday, a day after the Zeit article.

In the opinion (translated), the BSI "warns neither the public nor the [German] government prior to any deployment of Windows 8."

"The BSI is currently facing, however, some critical aspects related to specific scenarios in which Windows 8 is operated in combination with a hardware that has a TPM 2.0," it added.

The German federal agency notes that for certain groups of users, Windows 8 used with a TPM chip can offer an "increase in safety."

It does, however, also reiterate that the use of Windows 8 in combination with a TPM 2.0 is "accompanied by a loss of control over the operating system and the hardware used." It explains that federal users and computers running critical infrastructure, such as water, electricity, and gas networks, may face "new risks." These computers should be among the most secure devices running in a country, if not the most secure, as they control infrastructure critical to life and well-being.

"Generally it should be possible [for] IT users to maintain a self-determined and autonomous dealing with information technology," the opinion read, which any IT professional will know is good, solid advice on the part of any reliable information security person or agency.

The opinion also explains that should Windows 8 or the TPM chip malfunction or become damaged in some way, it can lead to conditions that "prevent further operation of the system."

The BSI is, essentially, talking about "bricking" computers. And it's right to. If there is a malfunction, it could lead to Windows 8 stopping working, and a situation where data may be lost. Worse, it could lead to the computer or hardware being "permanently withdrawn from use."

The opinion does state (translated): "In addition, the newly established mechanisms can also be used for sabotage by third parties."

We thought this was a little vague, so we sought independent clarification from the BSI.

BSI spokesperson Tim Griese said in an email to ZDNet: "There might be errors or bugs, originating from the OS vendor or the hardware vendor or even from the IT user itself, that by accident lead to a situation where the IT system is practically and permanently unusable. Such a situation is unacceptable for any user, as you might agree."

He added: "And if such a situation can occur by accident, it can all the same be caused intentionally by third parties."

In this context, the BSI is talking about both accidental and deliberate damage, in an effort to remain fair and balanced while also making users aware of the risks that federal and ordinary users alike face.

The German government, while mindful that its state enemies abroad and their intelligence services may wish to conduct espionage in the country, is not suggesting there are "backdoors" in Windows. 

The only people left who really believe that Windows has a backdoor to the NSA are the same kinds of people who believe Facebook, Google, Apple, Yahoo, and the rest of the named seven major companies gave "direct access" to their systems to the NSA. They didn't, as they continue to fight in the courts to reveal documents that they know exonerate them from any allegations made by former NSA contractor Edward Snowden.

  • Article is a mess...

    Zack, I've been a harsh critic of yours for a couple of years, but I will freely admit that your pieces in the last 3 to 6 months have been much improved - even occasionally to the level of well-written and informative. This is not one of those!

    Please reread this article. It's a mess, a textbook example of disorganization, typos, bad grammar, indecipherable sentences and lazy translation from German. It should be rewritten from scratch or eradicated with extreme prejudice.
    • I'll second that

      I simply gave up halfway through - headache material at its best!
      The Central Scrutinizer
    • The only part you need to understand.

      Microsoft products will give your data to the American NSA.
      • German government refutes Windows 'backdoor' claims

        verb (used with object), re·fut·ed, re·fut·ing.
        1. to prove to be false or erroneous, as an opinion or charge.
        2. to prove (a person) to be in error.
        Since you obviously don't know the meaning of the word refute
        • Refute = Deny

          Denial without proof shows that they lie. Just as the US government hides the NSA, the German government has its secrets too. Do not overlook the source.

          • @TiOracle

            And how is the swamp?
      • Apple too

        Easier than anyone else.
    • I don't understand the article.

      I'm sure it's due to English not being my mother tongue.
      • And German

        not being Zack's mother tongue either. It is very difficult reading and writing technical articles in a foreign language - I should know, I do it for a living.

        That said, there are places where a copy editor could have reduced the repetition of words and phrases or sought for a bit of clarification.
  • Germans don't have to worry about the NSA

    Only the Americans have to worry about NSA surveillance. Are we enjoying democracy yet?
    • You do realize

      That a decent amount of the world's internet traffic is routed through the US at some point, so yes they should probably worry about what the NSA can intercept. Especially since their citizens' data isn't protected in any way by our constitution.
      Sam Wagner
      • Sam Wagner

        It appears that our data isn't protected by the Constitution any more, either.
    • It doesn't matter

      Most of Germany's official computers (government agencies and towns) use Linux as a cheaper and more easily customizable system than Windows (any version). The backdoor is in the OS, but not in Linux. Even if they (NSA) did put one in on certain computers or even had a backdoor proliferate itself virus-like, it would be easy to eradicate.

      The Germans can deny the existence of a backdoor all they want because it isn't on their computers. That doesn't mean there isn't one on American computers, where the NSA is active. After all it is the National Security Agency; they are most active IN the USA!

      Think about it.
      • It does matter

        Because German citizens and businesses want to use Windows but if they do they're just handing data to the American NSA. Until all of those businesses drop Windows and switch to Linux the German people will be at risk of NSA spying.
        • The smart ones have already switched

          The smart individuals and businesses have already switched. A lot of town and city administrations have switched, most of them for economic reasons (Linux is free! as opposed to the cost of Windows licenses) and some of the ministries in the federal government may (I do not know) have switched. The rest of the German federal government may say what it wants about backdoors and black holes, I am not inclined to believe them, ANY of them, whatever the country.
      • You should think more yourself

        The NSA is much more interested in activities outside the direct jurisdiction of the USA than within. It is basic to their original charter. The word "National" means nothing more than "United States" in context of the NSA. That is NOT to say that they have NO interest in activities within the US - that should be patently obvious.
  • Google Translator

    • That's a problem

      Google Translator is pretty useless for anything but the most simple of sentences.
  • Said companies did not grant direct access?

    How can you claim said companies did not grant direct access to their systems to the NSA if the documents that supposedly exonerate them have not been revealed?
  • The problem is that everyone the NSA gets to do stuff

    is subsequently sworn to secrecy, so no matter how uncomfortable the vendor may be about the arrangement, they can't tell anyone about it.

    It is almost impossible to know what the NSA does or doesn't have access to, as a result. This is the natural endpoint of secret courts that do or do not approve secret warrants. When there's no transparency, people assume the worst.