German officials admit using spyware on citizens, as Big Brother scandal grows
By Bob Sullivan
A government surveillance software scandal that erupted in Germany this weekend has spread beyond that nation's borders, raising questions about how far government officials around the globe might go to monitor citizens through spyware.
On Saturday, as reported on MSNBC.com, the German-based Chaos Computer Club announced it had examined a Trojan horse program allegedly spread by government officials to secretly spy on citizens' Internet travels, e-mail, chat and more. The software, originally intended only to help officials intercept Internet phone calls through legal wiretaps, went far beyond those permissible purposes, the hacker group alleged. The group called the government's use of the software outrageous and demanded it be destroyed immediately.
Since Saturday, new details have emerged which largely confirm suspicions raised by the hacker group. That has German officials calling for an investigation.
"Clearly the limits set by the Federal Constitutional Court have been massively violated," said Claudia Roth, co-leader of the Green Party, according to Der Spiegel's online edition
Justice Minister Sabine Leutheusser-Schnarrenberger has called for an investigation of the incident.
German Hackers track down govt issued Trojan/Keylogger
So far, four German states -- including Bavaria -- have said they've used the program, though officials maintain it was implemented legally in concert with court orders.
But a lawyer representing a suspect in an illegal pharmaceutical trafficking case told journalists that his client's laptop computer had been deliberately infected with the Trojan horse by Customs agents in 2009 when he was traveling through Munich airport, according to Deutsche Wells.
German firm DigiTask told several media outlets this week that the program inspected by the Chaos Computer Club was likely a tracking program it had sold to Bavarian authorities in 2007, and that it was looking into claims that the same software was sold to other German states. DigiTask officials also said it had sold similar spy software to government officials in Austria, Switzerland, and the Netherlands, according to Deutsche Wells. The firm said it had never sold its software outside of Europe.
Digitask's relationship with the German government first came to light in 2008, when documents released by WikiLeaks showed German law enforcement officials were working with the firm to develop software that would allow interception of Skype-based phone calls.
A landmark court decision in Germany in 2008 permitted limited use of such spying software to help government officials enforce wiretap orders as a countermeasure to alleged increased use of encypted Internet telephony by criminals and terrorists. Government agencies that used DigiTask's software had said it was limited to conducting legal wiretaps. But an English-language presentation published by website cryptome.org suggests DigiTask offers "forbidden functions" to government clients. The presentation describing the firm's "remote forensic software," talks about the ability of the software to be updated remotely and customized.
Antivirus firm F-Secure, based in Finland, said in a blog entry that it had found a document indicating that the German Customs Investigation Bureau had purchased "surveillance services," from Digitask for $2.9 million in 2009.
F-Secure, along with many other antivirus firms, is detecting and disabling the German Trojan horse, now known as R2D2 because of references made in the software's computer code to various “Star Wars” characters.
The German spyware scandal touches on various sensitive subjects for Internet users and civil liberties advocates. BBC commentator Stephen Evans said the incident has touched a nerve among Germans "who, given the country's Nazi and Communist past, feel strongly about spying on citizens."
U.S. officials have long flirted with the idea of spying on private computers in America to fight crime or terrorism. A program developed by the FBI in 2001 called Magic Lantern had capabilities similar to R2D2, but was abandoned after a series of critical news stories. Wired Magazine has reported extensively on "Computer and Internet Protocol Address Verifier" software used by the FBI since at least 2007 to aid in investigations of hackers and terrorist threats.
The R2D2 incident has implications far beyond German borders, prompting the Chaos Computer Club to call on government officials everywhere to reconsider the notion that electronic surveillance can be successfully implemented in a limited form.
"This refutes the claim that an effective separation of just wiretapping Internet telephony and a full-blown Trojan is possible in practice – or even desired," the club said in a statement. "Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully."