Doubts about the constitutionality of surveillance software possibly used by state authorities, questions originally raised by a famous hacker organization, are mounting in Berlin. But amid the political finger pointing, it remains unclear just who will take responsibility.
With two states saying they are in possession of the spy software, and three others also possibly involved, conservative Interior Minister Hans-Peter Friedrich on Tuesday urged states to suspend all usage of the program. He also, however, warned his fellow cabinet members not to place investigators under "general suspicion."
The Interior Ministry has denied the spyware in question was used by the Federal Criminal Police Office (BKA), but has not ruled out the possibility that state investigators may have used it for surveillance.
Friedrich's warning was likely directed at members of Chancellor Angela Merkel's junior coalition party, the business-friendly Free Democrats (FDP). Some in the party have sharply criticized the software. In what appeared to be a bid to gain voter support by the ailing party, FDP leaders on Tuesday made a show of meeting with the Chaos Computer Club (CCC), the hacker group that announced over the weekend that it had obtained and analyzed the software. Not only was the software full of defects, the group said, but it also possibly violates German law.
FDP General Secretary Christian Lindner on Tuesday aligned the party with the CCC, saying that the discovery of the questionable program had confirmed society's fears that surveillance software could violate data protection laws. The Trojan horse software was "comparable to a home search" after which "the front door is left open," he said.
Individual Agencies Responsible, Chancellery Says
Justice Minister Sabine Leutheusser-Schnarrenberger, likewise a member of the FDP, has also taken a hard line against the software, suggesting that no further surveillance be undertaken until circumstances can be clarified. In an interview with SPIEGEL ONLINE on Wednesday she said that Interior Minister Friedrich should order an independent investigation. "We have to show German citizens that this coalition takes the protection of their private sphere seriously," she said, warning that the use of such spyware could lead to disastrous consequences.
The head of the Pirate Party, which campaigns for Internet freedom and civil rights, also slammed the spyware. "There is no possible way to install a Trojan horse in a way that adheres to legal requirements," Sebastian Nerz told news agency DAPD. The scandal shows the relevant authorities have "either a certain naivety or the intent to breach the constitution," he said.
But Chancellor Merkel's intelligence coordinator Günter Heiss assigned responsibility for potential illegal use of the software with individual government agencies. "Every authority that uses the programs must customize the software for each individual use, so that it is permitted according to the Federal Constitutional Court," he told daily Stuttgarter Zeitung. According to Heiss, state criminal investigators do not develop their own surveillance software, but purchase "multi-functional" templates from contractors. "Every spy program is tailored to the system the authorities want to penetrate," he told the paper. "That means there is not a single Trojan horse that is always used, can do everything, and is thus unlawful."
The confusion that has accompanied the issue may arise from inadequate legal structures, said Bernhard Witthaut, head of Germany's largest police union, the GdP. "There must finally be clear, binding rules," he told daily Passauer Neue Presse, calling on the Justice Ministry to "fill the legal gaps."
Bavaria Denies Illegal Surveillance
Authorities in the states of Bavaria and Baden-Württemberg have admitted to possessing the software, though they have announced they will abstain from using it for the time being, pending review by data protection officials. Hamburg and Brandenburg are also said to be looking into possible usage. North Rhine-Westphalia officials may have also employed the program, sources told SPIEGEL ONLINE.
The head of Bavaria's state office of criminal investigation (LKA), Peter Dathe, told daily Süddeutsche Zeitung that his organization had not used the program illegally. "This is not about conducting uncontrolled surveillance of citizens," he said. "It's about investigating crimes."
The spyware in question came to light on Saturday when the CCC announced it had been given hard drives containing a program used by German investigators in at least two states to conduct surveillance of Internet communication. The Trojan horse software, said to be at least three years old, can be secretly installed via e-mail on the computers of suspected criminals, where it can, for example, scan the hard drive.
According to the CCC's analysis of the spyware, it could also be used to plant files on computers, or even control them from afar. The hacker organization also judged the program to be defective, saying it was insufficiently protected, opening the possibility that a third party could hijack its functions for their own purposes.
Private Company Developed Spyware
If the CCC's claims are true, then the software has functions which were expressly forbidden by Germany's highest court, the Federal Constitutional Court, in a landmark February 2008 ruling which significantly restricted what was allowed in terms of online surveillance. The court also specified that online spying was only permissible if there was concrete evidence of danger to individuals or society.
Following the CCC's release of the program details, it was confirmed that Hessian private software company DigiTask developed the spyware. The company's lawyer, Winfried Seibert, told SPIEGEL ONLINE that it was delivered to the Bavarian LKA in November 2008, rejecting the CCC's assessment that the program was faulty.
"The software was delivered almost three years ago," he said. "That is light years in the IT industry." All responsibility for how the spyware is used and whether it conforms to German law rests squarely with state and federal authorities, he added, explaining that investigators ordered special software according to each individual situation, which must be approved by a judge.
"The authorities ensure that this request adheres to this court decision," Seibert said. "DigiTask can't and isn't allowed to review this -- a company isn't allowed to know who is being monitored with the delivered software, or why."