Today, the German Federal Constitutional Court heard constitutional complaints against the 2008 revision of the Federal Criminal Police Office law (BKAG). Central to this trial was the constitutional assessment of governmental trojan spying software. As part of this hearing, the Chaos Computer Club was asked for an advisory opinion. We are publishing the arguments we delivered in the hearing. [1]
Through the revision of the BKAG, the Federal Criminal Police Office was granted additional powers to infiltrate and manipulate IT systems. These covert intrusions into IT systems enable an "online search" of a target's computers and also "communication source surveillance". The use of these spying tools is to be permitted on mere suspicion of a future crime.
The trojan surveillance is not bound to a specific device technology. Rather, the BKAG legitimizes the acquisition of data from any kind of device, such as computers, smartphones, tablets, smartwatches or other kinds of information and communication technology devices.
In 2011, the Chaos Computer Club analysed a state trojan developed by DigiTask, which had been used by several police authorities. [2] This analysis clearly showed the enormous risk of exposing infected computers to malicious attacks by third parties using the included backdoors. Design and implementation flaws make all of the functionality available to anyone on the internet. It turned out that, besides the officially provided functions available to the authorities, the trojan allowed attackers to remotely control it and to download additional software. In addition, the software could be used to capture audio data from the environment independently of any communication.
The fundamental problem of covert infiltration is the same for both kinds of malware, an "online search" trojan as well as a "communication source surveillance" tool: in order to successfully implant governmental espionage tools, security systems have to be exploited permanently.
The Chaos Computer Club speaks out against the authorities' plans to infiltrate information systems not only for technical reasons, but more importantly because of the imminent danger of interfering with the core area of the private conduct of life, a human's most personal information.
Links:
[1] Advisory Opinion to the Federal Constitutional Court on the Federal Criminal Police Office law (BKAG) and state trojan software (German), http://www.ccc.de/system/uploads/189/original/BKAG_Stellungnahme.pdf
[2] Chaos Computer Club analyzes government malware, https://www.ccc.de/en/updates/2011/staatstrojaner