It sounds like something out of George Orwell's novel "1984" -- a computer program that can remotely control someone's computer without their knowledge, search its complete contents and use it to conduct audio-visual surveillance via the microphone or webcam.
But the spy software that the famous German hacker organization Chaos Computer Club has obtained is not used by criminals looking to steal credit-card data or send spam e-mails. If the CCC is to be believed, the so-called "Trojan horse" software was used by German authorities. The case has already triggered a political shockwave in the country and could have far-reaching consequences.
On Saturday, the CCC announced that it had been given hard drives containing a "state spying software" which had allegedly been used by German investigators to carry out surveillance of Internet communication. The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the US. As well as its surveillance functions, it could be used to plant files on an individual's computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse's functions for their own ends. The software possibly violated German law, the organization said.
So-called Trojan horse software can be surreptitiously delivered by a harmless-looking e-mail and installed on a user's computer without their knowledge, where it can be used to, for example, scan the contents of a hard drive. In 2007, the German Interior Ministry announced it had designed a Trojan horse that could be used to search the hard drives of terror suspects.
Beyond the Limits
The hard drives that the CCC analyzed came from at least two different German states. It was unclear whether the software, which is said to be at least three years old, had been used by state-level or national authorities. In a Sunday statement, the Interior Ministry denied that the software had been used by the Federal Criminal Police Office (BKA), which is similar to the American FBI. The statement did not explicitly rule out the possibility that the software could have been used by state-level police forces.
If the CCC's claims are true, then the software has functions which were expressly forbidden by Germany's highest court, the Federal Constitutional Court, in a landmark 2008 ruling which significantly restricted what was allowed in terms of online surveillance. The court also specified that online spying was only permissible if there was concrete evidence of danger to individuals or society.
German politicians from all sides of the political spectrum have reacted to the news with alarm. Government spokesman Steffen Seibert said that Chancellor Angela Merkel was taking the CCC's allegations very seriously. Whether such a Trojan horse had been used needed to be investigated at all levels, he said, adding that the German government always acted on the basis of law.
"Clearly the limits set by the Federal Constitutional Court have been massively violated," said Claudia Roth, the co-leader of the Green Party. Sebastian Nerz, the leader of Germany's Pirate Party, which campaigns for Internet freedom and civil rights, said that the authorities were "clearly acting outside the limits set by the constitution."
Justice Minister Sabine Leutheusser-Schnarrenberger has called for an investigation into the software at both the national and state levels. She said the use of such a Trojan horse, if it did exist, was not compatible with German law. "It cannot continue in this form," she told the television station ARD.
On Monday, commentators in German newspapers take a look at the allegations.
The center-right Frankfurter Allgemeine Zeitung writes:
"Investigators have released programs into electronic networks that wrest control of computers from their users. Private data on laptops, personal computers and networked devices of all kinds can be searched. Remote access allows secret programs or criminal evidence to be deposited on the hijacked computers. And what is even worse: Anyone with the necessary IT skills can use the spying software as a back door to look at the investigators' findings. The door to the machine's unconscious is now wide open."
"It is a worst-case scenario for data security in Germany. The inevitable political consequences will reach far into society. … The surveillance programs that the Chaos Computer Club has now cracked fall far short of the requirements of a modern democratic society, not to mention their technical failings. They are both despotic and shoddy."
The conservative daily Die Welt writes:
"The analysis of the Trojan horse just released by the Chaos Computer Club is noteworthy for two reasons. The experts are stunned that -- assuming the CCC information is correct -- this spy software is poorly programmed and technologically out of date. Do we not have anything better, or is this just an old version?"
"In the foreground of the initial reactions to the CCC's revelations are also other questions, and rightfully so. Should this tool to fight crime even exist in Germany? Under whose authority was it created, and on what legal basis? The German interior minister must immediately comment exhaustively on this matter along with his state-level colleagues. What is at stake here is nothing less than the fundamental balance between security and freedom."
"But before the wave of outrage grows too large, first the origin and usage of the Trojan horse must be clarified. If German officials were working with lousy software of their own accord, then action must be taken. But if this is just an old version that was in use before the Federal Constitutional Court decision, then the discussion about contemporary crime-fighting tools should return to where it left off before the CCC's revelations. And this discussion should finally lead to some results."
The left-leaning Berliner Zeitung writes:
"If it is true what the Chaos Computer Club has now revealed, then the concrete danger (which the Federal Constitutional Court referred to) clearly exists on a regular basis. Information has apparently been repeatedly used in recent criminal cases which could not have been obtained by eavesdropping on telephone conversations but which must have been obtained via screenshots, e-mails, online chats or other data saved on private computers. To put it in a nutshell, the authorities have been employing the surveillance of sources' telecommunications successfully -- and unconstitutionally."
"On top of all that, the spying software appears to be so poorly protected that other hackers would also be able to use it. In the light of such violations of citizens' rights, it is hardly surprising that the Pirate Party is so popular."