Trojan Trouble The Shady Past of Germany's Spyware
Details continue to emerge about the potentially unconstitutional use of spyware by German investigators, including indications they used the controversial Trojan horse program on suspects some 50 times. The future of online surveillance is now in question, and court appeals could also follow.
Among friends, Dimitry A. was known as "the Diminator." He was riding a wave of success. Whether it was money, friends or muscles, everything in his life seemed to be moving in one direction -- they were all growing.
At first, the 110-kilogram (243-pound) German of Russian descent was a champion junior bodybuilder. But then he got involved in the anabolic-steroid business. Using "Hushmail," a supposedly secure e-mail service provider, he wrote to his Chinese suppliers at their telling email address: firstname.lastname@example.org. The Diminator also communicated with his own clients via "SAFe-Mail," another encrypted email service.
On January 21, 2010, Dimitry's use of these services led a Nuremberg court to approve the use of computer surveillance "in the context of remote control." Federal prosecutors had asked for permission to employ a Trojan horse and, by way of precaution, they noted that issues surrounding the legality of using such software were "not yet viewed in a uniform way at the national level."
Investigators then smuggled the software onto the Diminator's hard drive, presumably via an e-mail attachment. They read e-mails he had sent in encrypted form, they recorded his telephone conversations via Skype and they took "application shots" that allowed them to monitor what the weight lifter was doing on his computer in real time.
After 13 days, investigators had enough evidence to arrest Dimitry A., who had apparently not anticipated that his pursuers would possess such technical finesse.
In Violation of High Court Ruling?
The Nuremberg case is fuelling a debate that has been raging in Germany in recent weeks about the fundamental rights of citizens in a constitutional state. The debate centers around two main questions: First, which technologies are German law-enforcement officials allowed to employ while investigating suspected criminals? And, second, in using such technologies, are they undermining the guidelines set in place by a February 2008 ruling by the Federal Constitutional Court, Germany's highest court, which placed narrow limits on the permissible use of programs known as Trojan horses?
The debate was triggered by an analysis conducted by the Chaos Computer Club (CCC), a famous hacker organization that dissected a spyware program known as a Trojan horse used by Bavarian law-enforcement officials. The group's recently published analysis not only found that the software was full of technical defects; it also said that it was in possible violation of German law. Since the report's release, there has been growing outrage at the apparently unconstitutional use of the surveillance software.
Officials allegedly use the Trojan horses only when they have run out of other options. They are only allowed to use them when suspected criminals engage in clandestine communication, whether by using scrambled chat software, telephoning via Skype or employing encrypted e-mail services. The spyware parks itself on the target individual's computer, from where it relays information to the investigators' server. For this reason, the method has been dubbed "source telecommunication surveillance."
In its precedent-setting 2008 ruling, the Federal Constitutional Court declared that the "integrity in information-technology systems" -- that is, of computers -- was a "fundamental right" comparable to the inviolability of the home, and that encroachments would first require a court order.
Spyware Use Suspended
Indeed, courts have approved requests from officials to employ such Trojan horse programs well over 50 times. The Federal Criminal Police Office (BKA) has smuggled the spyware onto the hard drives of suspected criminals 20 times, the Federal Office for the Protection of the Constitution, the country's domestic intelligence agency, has done so four times, and the federal police have done so once.
However, last week, Germany's Interior Ministry asserted that -- unlike in Bavaria -- the spyware had always been used in a restricted fashion that complied with the applicable laws. It noted, for example, that investigators had precluded capturing screenshots.
The Customs Criminological Office has also reportedly used the technique 16 times so far. And an unknown remainder of incidences involve cases handled at the state level.
Last week, as details continued to emerge, Interior Minister Hans-Peter Friedrich called on German states to refrain from using the spyware pending review of their constitutionality. Even Joachim Herrmann, the interior minister of Bavaria and a fellow member of the conservative CSU, has conceded to Friedrich's demand from above. Though, despite court rulings to the contrary, Herrmann still maintains that his Bavarian Trojan horse program was used appropriately.
Software More Sophisticated Than Initially Thought
The controversy primarily revolves around which computer-related activities remain covered by the term "communication." A district court in the Bavarian town of Landshut already voiced an opinion on the matter in January 2010, when it decided that taking screenshots in the context of source telecommunication surveillance was unlawful.
The case, which is still making its way through the courts, involves a businessman from Landshut accused of having traded in illegal narcotics. A Trojan horse developed by the Hessian private software company DigiTask under contract from state law-enforcement officials reportedly took a screenshot from the man's computer every 30 seconds.
It was precisely this screenshot function that the court classified as illegal. "In the chamber's view," the court's opinion read, "no legal basis exists for copying and saving the graphic content of (computer) screens because there is still no instance of telecommunications transpiring at the moment these measures are taken."
As a matter of fact, though, the CCC discovered that the software employed in Bavaria was capable of much more, such as downloading additional programs onto a target's computer. The group also found that the program had insufficient safeguards when it came to transferring data to investigators and that a third party could theoretically hijack its functions for its own purposes.
DigiTask's Criminal Connections
According to one government official, in discussions held before the software was purchased, DigiTask "showed its toolbox and, in doing so, bragged about all the things it could do." Indeed, some officials were more willing to buy programs from DigiTask than others were -- and some of them are now being forced to respond to accusations of having collaborated with businesspeople with shady backgrounds.
The fact is that investigators were also already aware of the company from their own case files. In 2002, for example, one of the company's managers was given a suspended sentence of 21 months and issued an unusually steep fine of 1.5-million ($2.06 million) for attempting to bribe an official from the Customs Criminological Office. What's more, in 2000, criminal police from a number of states conducted simultaneous raids while investigating suspected corruption linked to the company.
The fact that federal officials and those from the criminal police of various states chose to work with the successor company DigiTask again appears to have one main reason. In 2007, when the BKA started scanning the market for these sensitive technologies, there were several companies offering complete surveillance solutions, including ones capable of performing so-called "online searches," which entailed remotely making a complete copy of a hard drive.
According to sources close to the investigators, most of the firms failed to pass security checks. DigiTask, however, was the only company that allowed German investigators to look into their source code, a program's blueprint that can be analyzed to determine exactly what the software is doing.
The trust-building measures opened up a market worth millions to DigiTask -- while at the same time disproving official statements claiming investigators didn't know precisely just what the Trojan horse was technically capable of.
Federal and state officials closed deals with the company separately. Bavarian officials signed yearly contracts for the Trojan horse for a lump sum of roughly 220,000. The BKA, on the other hand, had streamlined versions of the Trojan horse tailor-made for individual cases, tested them beforehand and paid on a per-use basis. In three months, it incurred costs of 15,000.
This coming Thursday, federal Interior Ministry officials will hold a conference call with their state-level colleagues to discuss the future of the Trojan horse surveillance programs. During the call, they are also likely to discuss a proposal being debated internally: developing their own software so it will be legally irreproachable and so they can revise it themselves.
Unlike with source telecommunication surveillance, the BKA uses a program developed for remote online searches to prevent terrorist threats, for example. BKA officials spent roughly 680,000 on the program's development. Since 2010, it has been used seven times against suspected militant Islamists.
A confidential BKA report finds that the state's spyware for remote online searches functions in a way that is "technically similar" to the other programs. For this reason, it also concludes that the program could be repurposed for source telecommunication surveillance without much effort.
At the moment, Dimitry A. is serving a 4.5-year sentence in a Bavarian jail. For him, the debate over Trojan horses could have an unexpected result. Bavarian investigators used their Trojan horse against the bodybuilder despite the fact that the district court in Landshut had already expressed its reservations about them doing so.
Jürgen Schwarz, his lawyer, is now considering an appeal. "Evidence was apparently illegally obtained in this case," Schwarz says. "That can't go without consequences."
Translated from the German by Josh Ward