Police use of trojans to hack into mobile phones will become routine under new German law

Posted on Jun 21, 2017 by Glyn Moody

A new law allowing the German police to hack into mobile phones even for minor crimes is expected to be passed by the German parliament this week [update: the law has now been passed]. Currently, the use of a “Staatstrojaner” (government trojan) is only permitted in order to prevent future terrorist attacks. Under the new law, the authorities will be allowed to implant surveillance malware to help secure convictions for over 70 types of crime. These include serious ones such as genocide, treason and murder, but also less serious crimes such as money counterfeiting, vehicle theft, computer fraud, rigged sports betting and tax evasion. Two kinds of trojans will be available. The first allows the authorities to eavesdrop on calls made with the mobile phone, whether using standard telephony or VoIP, by capturing the conversation on the device itself rather than on the network; the second gives access to all information held on the device.

In addition to the extremely broad extension of powers granted to the police, the new law is notable for the way it is being introduced. As an article on the digital rights blog Netzpolitik explains, in order to avoid public debate in a country that is understandably suspicious of any plans to increase government surveillance, the ruling coalition parties have resorted to subterfuge. Instead of introducing the law directly, politicians have added the ability to use government trojans more widely to unrelated legislation. The law in question will allow German courts to impose driving bans on those convicted of minor crimes, rather than sending them to prison. Clearly, that has nothing to do with surveillance, but is simply a way of moving the malware law through parliament with the minimum of visibility.

Although German politicians confirmed on Twitter that the vote on the malware law would take place this week, and would be supported by both of the main parties – and thus is certain to pass – there are likely to be challenges from other quarters. For example, Germany’s constitutional court issued an important judgment on the subject back in 2008, when it ruled:

“The secret infiltration of an information technology system by means of which the use of the system can be monitored and its storage media can be read is constitutionally only permissible if factual indications exist of a concrete danger to a predominantly important legal interest. Predominantly important are the life, limb and freedom of the individual or such interests of the public a threat to which affects the basis or continued existence of the state or the basis of human existence.”

The new law would seem to fail that test, since it includes the use of “infiltration” technology for many crimes that do not involve any “concrete danger” to life or limb, nor do they represent a “threat” to the basis of human existence. It is therefore almost certain that human rights organizations will seek to have the new law, if passed, examined by Germany’s constitutional court.

Another interesting possibility is that the new law could fall foul of the EU’s proposed ePrivacy Regulation, currently under consideration as the replacement for the existing e-privacy directive. As Privacy News Online reported earlier this week, leading European politicians have called for “state-of-the-art” end-to-end encryption with no backdoors. It is an open question whether the use of malware on an endpoint constitutes “weakening of the security and encryption of their networks and services”, the practice the EU committee wishes to ban: a trojan leaves the encryption itself untouched, but it defeats the purpose of that encryption. However, it is quite likely that EU governments will seek to add exceptions to this clause in order to allow the police to use trojans subject to appropriate oversight.

In any case, it is certainly true that more and more governments around the world are looking to use malware to obtain information. Spanish police have had this capability since 2015; the UK’s highly-intrusive Investigatory Powers Act includes generic “equipment interference” powers that allow the police and intelligence agencies to hack into systems using malware. Just recently, it was revealed that the Mexican government has been using malware to spy on journalists, activists and anti-corruption groups.

It’s easy to see why authorities are increasingly attracted to the use of malware to carry out surveillance. It seems to be the perfect solution to the issue of end-to-end encryption that cannot be unlocked even by the companies that offer it to their users, something that governments refuse to accept. Malware compromises the endpoint rather than the channel: messages can be captured before they are encrypted for sending, or after they have been decrypted for display, so the strength of the encryption itself becomes irrelevant.

But malware comes with its own unavoidable problems, as the German hacker association Chaos Computer Club showed in 2011 when it analysed a police trojan:

“The largest European hacker club, “Chaos Computer Club” (CCC), has reverse engineered and analyzed a “lawful interception” malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.”

The CCC demonstrated that placing trojans on a person’s system in order to carry out surveillance brings with it the risk that others will be able to exploit the same functionality, not least because of flaws in the code: an implant that will upload and run arbitrary programs on command is only as safe as the mechanism that decides whose commands it obeys. Allowing the police and intelligence services to use malware to gather evidence is not only questionable for its assault on privacy, but inevitably undermines computer security too, which is never a good idea.
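The CCC’s finding quoted above, and the point made in the paragraph that follows it, come down to one design question: what stops a stranger from driving the implant’s upload-and-execute backdoor? The following is an added illustration, not code from the article, from the CCC’s analysis, or from the trojan the CCC examined. It is a constructed toy model of an implant’s command channel in two variants: one that executes whatever well-formed command arrives, and one that requires a MAC under a per-device secret plus a replay counter before it will act. The class and function names, the JSON message format and the shared key are all assumptions made for the example; the real network exposure, crypto and bugs of the analysed sample are outside its scope.

```python
"""Constructed model of an implant's remote-control channel.

Added example, not code from the article or from the CCC's analysis. It models
the failure the article describes in the abstract: a backdoor that will
upload and run arbitrary programs, with nothing tying a command to the
operator who is supposed to issue it. Every name and format here is assumed.
"""
import hashlib
import hmac
import json
import secrets


class UnauthenticatedChannel:
    """Executes any well-formed 'exec' command from any sender (the flaw)."""

    def __init__(self):
        self.executed = []  # payloads this implant would have run

    def receive(self, wire: bytes) -> bool:
        try:
            msg = json.loads(wire)
        except ValueError:
            return False
        if not isinstance(msg, dict) or msg.get("cmd") != "exec":
            return False
        self.executed.append(msg["arg"])  # would run the uploaded program
        return True


class AuthenticatedChannel:
    """Only acts on commands MACed with the device's secret, never twice."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number already honoured
        self.executed = []

    def receive(self, wire: bytes) -> bool:
        try:
            env = json.loads(wire)
            body = env["body"].encode()
            tag = bytes.fromhex(env["tag"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return False  # not even shaped like an operator message
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or re-signed with the wrong key
        msg = json.loads(body)
        if msg.get("seq", 0) <= self.last_seq:
            return False  # replay of a captured genuine command
        if msg.get("cmd") != "exec":
            return False
        self.last_seq = msg["seq"]
        self.executed.append(msg["arg"])
        return True


def sign_command(key: bytes, seq: int, cmd: str, arg: str) -> bytes:
    """Operator side: serialise the command and MAC it (assumed format)."""
    body = json.dumps({"seq": seq, "cmd": cmd, "arg": arg}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def demo() -> dict:
    """Run both channels against an operator and an uninvited third party."""
    key = secrets.token_bytes(32)  # operator/device shared secret (constructed)
    weak = UnauthenticatedChannel()
    strong = AuthenticatedChannel(key)

    # Anyone on the internet sends a well-formed command without any key.
    forged = json.dumps({"cmd": "exec", "arg": "third-party payload"}).encode()
    results = {
        "weak_accepts_forged": weak.receive(forged),
        "strong_accepts_forged": strong.receive(forged),
    }

    # The genuine operator issues a signed command; the attacker captures it
    # off the wire and replays it, then tries to mint one under a random key.
    genuine = sign_command(key, seq=1, cmd="exec", arg="operator payload")
    results["strong_accepts_genuine"] = strong.receive(genuine)
    results["strong_accepts_replay"] = strong.receive(genuine)
    bogus = sign_command(secrets.token_bytes(32), seq=2, cmd="exec", arg="x")
    results["strong_accepts_bogus_key"] = strong.receive(bogus)

    results["weak_executed"] = list(weak.executed)
    results["strong_executed"] = list(strong.executed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unauthenticated variant runs the third party’s payload; the authenticated one rejects the unsigned message, the replay and the message signed under the wrong key, and executes only the operator’s. A MAC and a counter are the floor, not the ceiling: they do nothing about the implant listening on the open internet in the first place, or about implementation bugs in the code that parses the messages, which is the other half of what the CCC found.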

Featured image by Tevfik Teker.