New German law would force ISPs to allow secret service to install trojans on user devices

Posted on Jul 9, 2020 by Caleb Chen

A new law being proposed in Germany would see all 19 federal state intelligence agencies in Germany granted the power to spy on German citizens through the use of trojans. The new law would force internet service providers (ISPs) to install government hardware at their data centers which would reroute data to law enforcement, and then on to its intended destination so the target is blissfully unaware that their communications and even software updates are being proxied. Specifically, Netzpolitik pointed out that the law calls for the following:

“the redirected data should remain intended for forwarding to the addressee after the measure has been carried out.”

Germany wants to be the man in the middle

The state-sponsored trojans would likely use software called FinFly ISP from a company called FinFisher, which German law enforcement has already used in the past. FinFisher claims to be able to inject trojans onto target devices from the ISP level with ease:

“FinFly ISP is able to patch files that are downloaded from the destination on-the-fly or to send fake software updates for popular software.”

FinFly ISP has been around for almost a decade and a 2011 advertising brochure available via WikiLeaks emphasized that their software has already been used:

“A secret service used FinFly ISP in the network of the most important national Internet service provider. It was sufficient that the system only knew the target person’s log-in information into the provider network in order to install a remote monitoring solution on their computer and monitor them from there.”

Amnesty International noted that this vector of trojan insertion has previously been used against a Moroccan journalist by the NSO Group.

Germany has a long history of government malware use

The BKA (Germany’s Federal Criminal Police Office) has previously used trojans on individual smartphones as a way to access encrypted communications before they are encrypted. It’s important to remember that all the encryption in the world is useless if your device is compromised and cleartext can be read before it becomes end-to-end encrypted. The same holds true if there happens to be a camera behind your screen that can see what you’re typing. Hell, even the changes in your smartphone’s gyroscope/accelerometer can be used to derive your PIN or password. We can infer that the BKA has seen success with its trojan use and is now seeking to install hardware in the datacenters of ISPs that would allow it to send these trojans to new smartphones, computers, and other devices during an update.
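The FinFisher quote above (patching downloads on the fly, sending fake updates) and the update-time delivery described in this paragraph both rely on the client installing whatever bytes arrive from the network. The defensive counterpart is an update client that only installs a file whose digest is covered by a signature from a vendor key pinned inside the client: a box in the ISP’s datacenter can then rewrite the download or the manifest, but the result is a rejected update, not an installed trojan. The Go program below is an added example of that check; it is not code from FinFisher, Netzpolitik, the BKA or any vendor named on this page, and the manifest layout, the `SignManifest`/`VerifyUpdate` names and the sample update bytes are assumptions constructed for the example. It goes slightly beyond the text by playing through both failure modes the quote describes: a patched genuine file and a wholly fake update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a vendor publishes next to a release: the SHA-256 of the
// genuine update file and an Ed25519 signature over version + digest.
// This layout is an assumption for the example, not any real vendor's format.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the genuine update file
	Sig     []byte // signature over manifestBytes(Version, SHA256)
}

func manifestBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest)
}

// SignManifest is the vendor side. It runs offline on the vendor's build
// machine; the private key never goes anywhere near the network path.
func SignManifest(priv ed25519.PrivateKey, version string, update []byte) Manifest {
	sum := sha256.Sum256(update)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version: version,
		SHA256:  digest,
		Sig:     ed25519.Sign(priv, manifestBytes(version, digest)),
	}
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("downloaded update does not match the signed digest")
)

// VerifyUpdate is the client side. pinnedPub ships inside the client, so an
// on-path device that alters the download or the manifest cannot produce a
// signature that verifies; the only outcome it can cause is a rejected update.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, update []byte) error {
	if !ed25519.Verify(pinnedPub, manifestBytes(m.Version, m.SHA256), m.Sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(update)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// RunScenarios delivers the same release three ways and returns each result:
// the genuine file, a copy with one byte patched in transit, and a fake
// update signed with a key that is not the pinned vendor key.
func RunScenarios() (genuine, patched, fake error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // not the vendor's key
	if err != nil {
		panic(err)
	}

	update := []byte("constructed sample update payload v1.2.3") // constructed, not a real binary
	m := SignManifest(vendorPriv, "1.2.3", update)

	// Scenario 1: untouched download, signed manifest from the real vendor.
	genuine = VerifyUpdate(vendorPub, m, update)

	// Scenario 2: the file is "patched on the fly" in transit; the manifest is intact.
	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0xff
	patched = VerifyUpdate(vendorPub, m, tampered)

	// Scenario 3: a fake update with its own manifest, signed by a non-vendor key.
	fakeUpdate := []byte("constructed fake update payload")
	fakeManifest := SignManifest(otherPriv, "1.2.4", fakeUpdate)
	fake = VerifyUpdate(vendorPub, fakeManifest, fakeUpdate)
	return genuine, patched, fake
}

func main() {
	g, p, f := RunScenarios()
	fmt.Println("genuine update:        ", g)
	fmt.Println("patched on the fly:    ", p)
	fmt.Println("fake update, other key:", f)
}
```

The order of the two checks matters: the signature is verified first so that the digest the client compares against is itself authenticated, and the public key is compiled into the client rather than fetched, because a key delivered over the same proxied connection could be swapped just like the update.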

This law will and should be challenged for constitutionality

Many groups, including the Society for Freedom Rights, are already filing suit against the government over its use of trojans and plan to bring a constitutional challenge if this expansion of state trojan use comes to pass. Even the ISPs themselves are not happy with this development, citing a fundamental loss of trust. Bitkom, a group which counts Germany’s top ISPs as members, commented that the project:

“fails to recognize the enormous risks to the overall network integrity of the providers and the associated loss of trust.”

The proposed law is already the result of extensive back and forth within the government, and many expect it to pass when it is presented to Germany’s congressional body, the Bundestag, after next week. Germany has been seeking this state trojan power to read encrypted messages with government malware and otherwise control target devices for years now, and the fight is finally coming to a head. Notably, Germany’s top court recently ruled that constitutional protections on internet activity stemming from the right to privacy extend to non-Germans as well; however, the use of trojan software to “support the diversion of telecommunications” seems to be a clear step in the opposite direction, even if it is only used under warrant.