German police and intelligence agencies have been granted enhanced snooping powers after the nation's ministry of interior gave its approval for investigators and cyber spooks to target computers with the use of spyware-based Trojans.
Known as Bundestrojaner – or 'Federal Trojan' – the software reportedly gives agencies the ability to track internet traffic, log keystrokes and monitor social media activity. Like common malware, Trojans are software programmes developed with the aim of stealthily infecting a computer system to access sensitive or private data. Now, it's no longer only hackers and cybercriminals using these techniques, but also nation state spies.
The German government maintains the spyware can only be used with a strict court order. This follows a 2008 ruling by the country's Constitutional Court that said remote access to a citizen's computer is allowed only if there is life-threatening danger or suspicion of criminal activity that would impact national security.
Following the news, a spokesman for the German interior ministry defended the surveillance powers saying "basically we now have the skills in an area where we did not have this kind of skill," as reported by national broadcaster Deutsche Welle. The ministry further revealed that the spying programme was fully endorsed by the government in late 2015.
Meanwhile, according to the website of German radio Deutschlandfunk, high-profile members of the Green Party protested the move. "We do understand the needs of security officials, but still, in a country under the rule of law, the means don't justify the end," said the party's deputy head Konstantin von Notz.
Adding to the mounting dissent was hacker association Chaos Computer Club (CCC). Its spokesperson Frank Rieger said that, based on previous research, the technical capabilities of the spyware needs to be diminished. "It's almost like you're watching people think, if you're reading as they type," he asserted.
Analysing the Federal Trojan
Yet it's not the first time that Rieger has encountered such malware. Back in 2011, the Chaos Computer Club successfully reverse engineered a piece of government surveillance software used for 'lawful interception' and found that it had a slew of invasive capabilities. "The government malware can, unchecked by a judge, load extensions by remote control, to use the Trojan for other functions, including but not limited to eavesdropping," the research found at the time.
"This complete control over the infected PC – owing to the poor craftsmanship that went into this Trojan – is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.
"The official claim of a strict separation of lawful interception of internet telephony and the digital sphere of privacy has no basis in reality [...] it is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web-based cloud services."
Still, the German proposals are light when compared to those used by other intelligence agencies such as the NSA or GCHQ. In the UK, for example, the most recent attempt to pass surveillance legislation – in the form of the draft Investigatory Powers Bill – contains plans to allow computer hacking and data interception on a mass scale.
Authors note: Google Translate was used to reference Deutschlandfunk