German police hacking hit by volley of complaints: Can 'state trojan' law survive?

Germany's use of state-sponsored malware to fight crime is under fire from several sides.
Written by David Meyer, Contributor

Civil rights activists and politicians will in the coming days launch a volley of constitutional complaints against the German government over its use of state-sponsored malware in criminal investigations.

On August 24 last year, a new law came into effect that drastically expanded the number of investigations where hacking could form part of the authorities' arsenal.

The complaints are coming now because there's a one-year deadline for making such objections to the Constitutional Court.

One of the complaints is being prepared by the Society for Civil Rights, GesellschaftfürFreiheitsrechte, or GFF, which is taking a two-pronged approach.

The first is that the recent law does not respect the boundaries set by the Constitutional Court in a 2008 ruling, which said state-sponsored malware, Staatstrojaner, can only be used to monitor ongoing communications, and not to search people's computers.

The second part of the GFF's argument is that "there is an indirect detrimental effect on IT security as a whole".

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Ulf Buermeyer, the organization's chairman, said: "To use one of these state-sponsored malwares, authorities usually need a security flaw in the system they want to target. These flaws can not only be exploited by German state actors, but also by foreign state actors, or by plain criminals."

To make its complaint valid, the GFF has assembled three complainants who can justifiably claim to be affected by such insecurity.

The first is Green politician Konstantin von Notz, a longstanding critic of the law who, like all German parliamentarians, was vulnerable to a long-term hack of the Bundestag last year, most likely by Russian hackers.

He's joined by Hajo Seppelt, an ARD journalist who reported on Russian doping and has been constantly targeted since, and Can Dündar, a Turkish exile who is targeted by his home government.

"We argue that trojans are detrimental to our security in general," said GFF's Buermeyer.

"It creates a strong incentive for state actors in Germany not to disclose security flaws to vendors. We say this is a risk and the German legislature entirely neglected this risk."

He said trojans may be used for investigations but there has to be "some system of management for security flaws to make sure only some are kept secret, and we can disclose most of the flaws so they can be fixed".

In addition to the GFF-led complaint, a group of politicians from the liberal Free Democrats party (FDP) is also intending to complain to the Constitutional Court about the law.

"We will work closely together with the FDP lawyer, but [in the end] the politicians decided it would be more advantageous to them to split the complaint," said Buermeyer.

SEE: IT pro's guide to GDPR compliance (free PDF)

Those two complaints are imminent, while a third, from the activist group DigitalCourage, landed Tuesday.

"Our goal is different. We want to put a stop to this sort of governmental spyware altogether," said Kerstin Demuth, a spokeswoman for the group.

Demuth said DigitalCourage wants to have last year's law entirely invalidated for being constitutionally incompatible.

"Our thinking is, the acts...of reading your communications or searching through your devices are in themselves a violation of the human right of the core of your private life, because it is next to impossible to only find things that have something to do with something police are trying to investigate," she said.

Somewhat surreally, one complainant in the DigitalCourage case will be Marc-Uwe Kling, an artist and author of The Kangaroo Chronicles, in which he describes life in a flat-share with a communist kangaroo who wants to overthrow the system.

Kling will argue that he fears law enforcement might not recognize the kangaroo as a fictitious character, and might therefore target the author with surveillance.

Previous and related coverage

Police get broad phone and computer hacking powers in Germany

The German parliament has waved through a massive expansion of police hacking powers.

Spies win right to keep monitoring all traffic at world's biggest internet hub

Vital internet hub, De-Cix in Frankfurt, has lost its fight against German intelligence services' mass surveillance.

No, we're not trying to get backdoors in smart homes, cars, says Germany

The German government is trying to quell outrage over reported smart-home and car-bugging proposals.

Russians suspected of new German attack may 'have been inside system for a year'

German intelligence services and federal specialists are investigating "an IT security incident".

Windows scores a win over Linux as another state decides to switch

Around 13,000 workstations running OpenSuse will be migrated to a current version of Windows.

Can Russian hackers be stopped? Here's why it might take 20 years TechRepublic

Deterring hackers is almost impossible when the rewards are so great and the risks are so low. Can anything stop them?

Russian hackers accessed US electric utilities' control rooms CNET

Hackers could have caused blackouts, federal officials tell the Wall Street Journal.

Editorial standards