Expanded state hacking powers make a stealthy return to German agenda

A leaked draft amendment shows the German government is attempting a last-minute expansion of state hacking.
Written by David Meyer, Contributor

It appears the German government is trying to slip through a last-minute amendment expanding the use of 'state trojans'.

Image: Getty Images

The German government wants to expand its law-enforcement agencies' hacking powers to allow them to investigate many more types of crime by breaking into people's smartphones and computers.

It has long been known that the government, a grand coalition of Athe center-right CDU-CSU and the center-left SPD, has been working on a promised reform of the criminal justice code.

However, with federal elections due in September, it appears that the government wants to slip through the expanded use of 'state trojans' with a last-minute amendment.

Also: Cybercrime: A spotter's guide to the groups that are out to get you | Understanding the military buildup of offensive cyberweapons | The impending disaster of industrial control systems | Ransomware attack: How a nuisance became a global threat

Germany's federal constitutional court has already said such invasive search mechanisms should only be used in extreme cases where lives are in danger.

However, on Wednesday the website Netzpolitik published a leaked draft of the amendment, showing that the use of the Staatstrojaner would be permissible in investigations of 27 different kinds of criminal offence. These range from currency counterfeiting and money laundering to serious cases of bribery, sex crimes and the distribution of child sexual abuse imagery.

These are all types of crime where the current law allows the use of traditional wiretapping of telecommunications. However, as the draft makes clear, the authorities want to be able to break into computing devices to bypass the growing use of encryption in online communications. The trojan would also make it possible to search through the files held on the hacked devices.

Interior minister Thomas de Maizière said last week it was unacceptable that end-to-end encryption should stop the authorities from investigating crimes.

The draft amendment is dated Monday this week, although the wider reform to the criminal code was approved back in December. The law, with the amendment, must now be approved by the Bundestag, Germany's lower house of parliament.

A Bundestag source told ZDNet that the government hasn't officially tabled it yet but will have to do so by or during June, to get it through before the elections. The justice ministry, which drafted the law and the amendment, declined to comment.

"This is the type of thing that happens before elections -- trying to push through all sorts of laws, hoping that nobody will notice," technology lawyer Niko Härting told ZDNet.

Germany's opposition, which is largely powerless given the coalition between the country's biggest parties, is livid. Konstantin von Notz, the Greens' deputy chair, told Netzpolitik that the expansion of hacking powers was "questionable in terms of constitutional law". And Harald Petzold of the Left party pointed out: "If the state opens the door of information technology systems, entirely different actors will also be able to go through."

Indeed, the timing of the amendment could not be worse, coming as it does in the immediate aftermath of the WannaCry debacle. The ransomware outbreak was enabled by the existence of flaws in old versions of Windows, which the US National Security Agency knew about but did not disclose, because it wanted to be able to exploit the vulnerabilities for its own espionage purposes. Much of the NSA's stockpile leaked, and the rest is highly embarrassing history.

The official use of hacking powers will always rely on exploiting such flaws, and keeping knowledge of those flaws a secret.

This is not the first time the issue has raised hackles in Germany. In 2011, the white-hat hacker community known as the Chaos Computer Club revealed the existence of malware that could be used for intercepting VoIP communications, which it attributed to the German authorities. The government promised to redesign the malware to bring it in line with earlier constitutional rulings.

Editorial standards