Germany backs away from using a Trojan on its citizens - for now

Germany backs away from using a Trojan on its citizens - for now

Summary: Support for the use of a government-created Trojan to intercept the VoIP communications of suspected criminals appears to be on the wane - but it's far from dead.

TOPICS: Security, Privacy, EU

Germany's use of a government-created Trojan to intercept the VoIP communications of suspected criminals could continue, despite concerns over its legality. 

In recent years, the country's law enforcement agencies have worked on developing interception software to monitor such communications. Known as 'Quellen-Telekommunikationsüberwachung', the program was meant to be installed on alleged criminals' hardware as a way of legally intercepting their VoIP communications. (There's no simple English translation for 'Quellen-TKÜ' – it describes a series of actions that can intercept and record a conversation at source before it gets encrypted). The program had all the features of a Trojan, and gained the nickname Bundestrojaner (federal Trojan).

While it's not been officially confirmed when and where the Trojan has been used in Germany, reports suggest the program has been deployed over 20 times.

The hacker collective Chaos Computer Club analysed an older version of the Bundestrojaner last year. During the analysis, the hackers found not only flaws that would open the target computer to other malware, but also that the Bundestrojaner was able to gather information from the target computer beyond its stated remit. As a result, it contravened a 2008 decision of the Federal Constitutional Court that gave German citizens a new right – the right to digital privacy and the protection of personal data held on IT systems.

The German federal government subsequently announced that it would redesign the software in accordance with the 2008 ruling. However, the German federal prosecutor's office now appears to be distancing itself from the controversial program. Prosecutor Harald Range stated in a recently released parliamentary response to the opposition SDP party (PDF) that he doesn't believe there is a sufficient legal basis under current German legislation for interception at source to be carried out.

This doesn't however mean the end of the Bundestrojaner. According to the German interior ministry, which is spearheading the development of the Trojan, Range's statement only "reflects the federal public prosecutor's opinion of its legality", it said in a parliamentary response (PDF) to a question from German opposition party SPD.

Legal wrangles

The German federal government is still evaluating whether the current law allows the interception of PC-based telecommunication before it is encrypted, while the country's law enforcement agencies are also in talks with VoIP operators like Skype to assess their options for lawful interception.

A lot of questions remain unanswered, according to SPD politicians Burkhard Lischka and Lars Klingbeil. Writing on the SPD blog last week, the pair said it is still not clear if something like the Quellen-TKÜ is "legally possible" and "if so, on what legal basis and with what basic legal protection".

"The government's responses [to the SPD's requests for information on the Trojan] are inadequate and worrying," the blog says. "We will ask the federal government to end this unacceptable and illegal situation", the politicians add — by either putting an end to source interception or clarifying under what legal basis it can take place.

Although it seems like support from Germany's ruling coalition for the Bundestrojaner is waning, the discussion is far from over. 

Topics: Security, Privacy, EU

Moritz Jaeger

About Moritz Jaeger

Moritz is a Munich-based IT-journalist with more than eight years of experience as an author under his belt.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Long compound words

    German does seem to lend itself to them, doesn't it? "Telekommunikations" is obvious, but what do quellen and überwachung (oversight?) mean?

    "bundestrojaner" is definitely easier to understand.
    John L. Ries
  • Why english is so powerful as a language

    So much easier to create new words. I once installed the german version of windows 98 on a family members PC in Switzerland. The german words for different technical terms in the installer menus; while acurate descriptions in german most of the words were 20-30 characters each and many syllables.

    As for the topic Germany along the rest of Europe's citizens don't enjoy the same privacy and freedoms that we in the US take for granted. Government sponsored malware is lose lose no matter what percieved good would come of it.
    • Wait a sec...

      Germany enjoys a lot more privacy and freedoms than the USA seems to get at the moment - especially since the introduction of the Patriot Act.

      Privacy, especially against commercial bodies, is much tougher in Europe than America - why do you think Google, Facebook et al keep getting hauled over the coals over here for not following privacy laws; data collection that is acceptable in America is not acceptable under the law over here.

      On top of that, using a cloud service over here is dodgy, because of the afore mentioned Patriot Act. If the cloud provider has offices in the USA, the user of the cloud service can end up being prosecuted under EU law, because their cloud provider passed information onto the US Government without informing the user, who in turn did not get written permission from each individual whose information was handed over...

      Getting back to the Bundestrojaner, Mr. Schäubler, the then interior minister, wanted it to be installed on every computer. Luckily the constitutional court rejected that as unconstitutional and the police could only install it with a court order, the same as a traditional wiretap. They could also only physically install it (local access to the computer), they are not allowed to remotely install it.
  • Quellen-Telekommunikationsüberwachung

    Is easy to translate, telecommunications interception at source.
    • Thanks

      My high school German is quite limited and I didn't feel like looking up the parts (but probably I should have).
      John L. Ries
      • One of the advantages

        of being English and living in north Germany, I speak both languages on a daily basis. Surveillance would also work, instead of interception.