Germany's use of a government-created Trojan to intercept the VoIP communications of suspected criminals could continue, despite concerns over its legality.
In recent years, the country's law enforcement agencies have worked on developing interception software to monitor such communications. Known as 'Quellen-Telekommunikationsüberwachung', the program was meant to be installed on alleged criminals' hardware as a way of legally intercepting their VoIP communications. (There's no simple English translation for 'Quellen-TKÜ' – it describes a series of actions that can intercept and record a conversation at source before it gets encrypted). The program had all the features of a Trojan, and gained the nickname Bundestrojaner (federal Trojan).
While it's not been officially confirmed when and where the Trojan has been used in Germany, reports suggest the program has been deployed over 20 times.
The hacker collective Chaos Computer Club analysed an older version of the Bundestrojaner last year. During the analysis, the hackers found not only flaws that would open the target computer to other malware, but also that the Bundestrojaner was able to gather information from the target computer beyond its stated remit. As a result, it contravened a 2008 decision of the Federal Constitutional Court that gave German citizens a new right – the right to digital privacy and the protection of personal data held on IT systems.
The German federal government subsequently announced that it would redesign the software in accordance with the 2008 ruling. However, the German federal prosecutor's office now appears to be distancing itself from the controversial program. Prosecutor Harald Range stated in a recently released parliamentary response to the opposition SDP party (PDF) that he doesn't believe there is a sufficient legal basis under current German legislation for interception at source to be carried out.
This doesn't however mean the end of the Bundestrojaner. According to the German interior ministry, which is spearheading the development of the Trojan, Range's statement only "reflects the federal public prosecutor's opinion of its legality", it said in a parliamentary response (PDF) to a question from German opposition party SPD.
The German federal government is still evaluating whether the current law allows the interception of PC-based telecommunication before it is encrypted, while the country's law enforcement agencies are also in talks with VoIP operators like Skype to assess their options for lawful interception.
A lot of questions remain unanswered, according to SPD politicians Burkhard Lischka and Lars Klingbeil. Writing on the SPD blog last week, the pair said it is still not clear if something like the Quellen-TKÜ is "legally possible" and "if so, on what legal basis and with what basic legal protection".
"The government's responses [to the SPD's requests for information on the Trojan] are inadequate and worrying," the blog says. "We will ask the federal government to end this unacceptable and illegal situation", the politicians add — by either putting an end to source interception or clarifying under what legal basis it can take place.
Although it seems like support from Germany's ruling coalition for the Bundestrojaner is waning, the discussion is far from over.