
German government to use Trojan spyware to monitor citizens - temp
http://www.dw.com/en/german-government-to-use-trojan-spyware-to-monitor-citizens/a-19066629
======
brakmic
I doubt they have capable programmers working for them. A few years ago the
Chaos Computer Club discovered the 'predecessor' version of this State-Trojan
("Bundestrojaner"). This version was a perfect example of what happens when you
_want_ to have such a software but your programmers _suck_ at even most basic
things (like establishing a working traffic-encryption).

Here's the video (in German):
[https://youtu.be/zAV-hTpperU](https://youtu.be/zAV-hTpperU)

We shouldn't fear their 'capabilities' but rather their lack of knowledge
that'll ultimately lead to 'open systems' which can later be exploited by
other criminals.

In fact, our State (I'm from Germany) supports criminal activities by using a
crappy software that'll crack the basic security measures of Windows.

I doubt they have any professional Linux programmers working for them. Working
for the State also means earning only a fraction of what you can earn in the
free market.

I do not fear the State but criminals who'll sooner or later exploit holes
created by our "security agencies".

~~~
mrottenkolber
I guess you are not involved in politics? There is a lot of evidence that we
should be very afraid of the state if you look at Verfassungsschutz
activities. They are monitoring a _lot_ of people who oppose policy backed by
the state and there is a precedent in which “opposition members” were banned
from state official jobs (teachers, ...) just a few years ago. Opposition
member can mean for example being involved in anti nuclear-power protests.

Edit: People are also targeted for being critical of the Verfassungsschutz, so
me writing this as well as you replying positively is a likely reason to be
monitored, take care!

~~~
samstave
What is the expected outcome of "being monitored"? If a new WWIII starts that
means you'll be disappeared? In the mean time - what impact will this have on
you?

I am just wondering how governments make intelligence "actionable".

~~~
mrottenkolber
Right now it's mostly about “divide and conquer”. They inject moles into
political groups which will then actively push for violence and extremism
which in turn causes a split of the group. Another effect is that people that
are active in opposition politics are always questioning whether their
comrades are on the state's payroll (“V-Mann”). The goals here are to 1) weaken
opposition, and 2) provide plausible reason for more state security (e.g.
Verfassungsschutz).

(Historically, the Verfassungsschutz was founded after WW2 and its goal was to
persecute communists. It was headed by hardcore Nazis for more than 30 years.
Even the Americans called it a “phony” institution, since its name translates
to “Constitution Protectors”.)

There are rumors that big parts of the Neo-Nazi scene are funded by the
Verfassungsschutz. They funded and instrumented the NSU assassinations and the
Oktoberfest bombing. That's only what we know of today, go figure.

If there was a fascist regime change in Germany, yes, I would expect a lot of
people to be disappeared.

Impact on me personally, right now? How would you feel if there was a military
black-ops agency tapping you?

------
jacobrobbins
This is the correct path forward to move society into a digital era. It
follows the well established principle that the state uses force in legally
proscribed ways to maintain security. Known as the “monopoly of the legitimate
use of force”, this is a core concept of modern law
([https://en.wikipedia.org/wiki/Monopoly_on_violence](https://en.wikipedia.org/wiki/Monopoly_on_violence)).
This concept carries over cleanly from the past into the digital era. In this
case govt security forces are committing digital violence in the same way that
criminals do. Same thing as when the SWAT team breaks down a door, just a
digital version.

The alternative is that the government co-opts manufacturers so that
government agencies can carry out security tasks without using digital
violence. That’s what the FBI is seeking in the Apple case and it is a much
worse direction for society because it challenges the existence of strong
security in our increasingly digital society.

Note that the legitimate use of force is done according to law. As stated in
the article, “In order to use the malware, government officials will have to
get a court order, allowing authorities to hack into a citizen's system.”. If
your objection to this is “they say that it’s done according to law but we
know there will also be instances of them using it inappropriately” then you
are also arguing that strong encryption (and pretty much any interesting
technology) should not be allowed for public use because we know there will
also be instances of it being used to achieve bad ends.

I understand that the reality of police, military, etc are not as nice as the
theory but I have not seen people here explicitly rejecting the use of force
by the state. If you oppose the German government employing spyware, you
should consider whether you also oppose it arresting people in general. I
suspect most people here have no alternative to suggest in place of the
centuries of legal tradition that western societies are built on.

~~~
saulrh
Use of force requires transparency and regulation to avoid corruption. That's
why we have things like a separate judiciary, warrants, publicly available
court documents, freedom of information requests, and so on and so forth. The
use of force is also _minimized wherever possible_ ; warrants restrict the
scope, both for arrests and searches, and are filtered through the
aforementioned public and separate judicial system. Then we have things like
the Posse Comitatus Act and use-of-force guidelines encouraging or mandating
diplomatic and less-lethal attempts when possible and limiting force to
dedicated peacekeepers.

Governments have been using their digital force _violently, indiscriminately,
and secretly_. None of those are acceptable even on their own and all three
together is _outrageous_.

------
Quanttek
Relevant:

> According to a 2008 decision by the German Constitutional Court, remote
> access to a citizen's computer is permissible only if there is
> life-threatening danger or suspicion of criminal activity against the state.

~~~
creshal
That's their usual shtick. The same was used to legitimize blanket license
plate scanning (now used for speeding tickets) and data retention laws (mainly
used for drug trafficking).

"Life-threatening danger" my ass.

~~~
TheCoreh
> The same was used to legitimize blanket license plate scanning

Was that ever illegal? The license plates are publicly displayed and visible,
and you could already put people on the field watching and manually noting the
license plates down, or even put cameras and look at the footage later. The
only thing that changes is the economics of making it automated, no?

~~~
Xylakant
In Germany any kind of data collection must be backed by a cause. So automated
license plate scanning was illegal since it allows creation of movement
profiles by the state, something that is very much frowned upon.

Putting fixed cameras up and filming the public is not legal either in Germany
- you can't have a surveillance camera pointed to public space, for example
filming the boardwalk in front of your house. Whether dashcams are legal is
still contested [1].

Whether large-scale manual collection would be legal is an interesting
question which has - to the best of my limited knowledge - never been put to
the test :)

[1] a fairly ok high level summary in German:
[https://www.adac.de/infotestrat/ratgeber-verkehr/verkehrsrec...](https://www.adac.de/infotestrat/ratgeber-verkehr/verkehrsrecht/Dashcam/Situation%20in%20Deutschland.aspx?ComponentId=219667&SourcePageId=202144)

~~~
gist
> you can't have a surveillance camera pointed to public space

Interesting so a business for example can't have a camera monitoring outside
(or inside) the place of business for security purposes? Can they apply for an
exemption and is it normally granted?

~~~
detaro
You can monitor your own property if you inform properly (post notices,
renters have to agree, ...)

> _Can they apply for an exemption and is it normally granted?_

No. If your camera monitors public space (streets, sidewalk, ...) it either
has to be so far in the distance that it can't identify people or cars, or you
have to block these parts of the image (either physically, or by blanking
those parts of the signal before they are recorded. Many cameras allow to put
black boxes over parts of the image in firmware)

~~~
germanier
> You can monitor your own property if you inform properly

Even that is restricted. For example it is not allowed to video monitor your
employees in almost all cases. To use video surveillance you have to have a
legitimate reason and even then the rights of you and the ones being filmed
need to be carefully balanced.

~~~
detaro
True, I was maybe generalizing a bit too much.

------
alexandercrohde
I think this really illustrates one of the biggest concerns with concentrating
software power in the executive: what if a totalitarian seizes control? How
much damage can they accomplish?

Last time, less than 100 years ago, 2/3rds of the Jewish race was eliminated.
How much damage could be done to a targeted minority in the information age?
Governments by my account, have killed (6 million) an order of magnitude more
innocents than terrorists ever have, and short of nukes, ever will.

~~~
marvin
If you're referring to the Holocaust, the state-orchestrated mass-murder part
of it was actually ten million dead, not six.

~~~
mkesper
And there is no such thing as a 'Jewish race'.

~~~
gmanley
You should probably take another look at some discussions around the
definition of race in modern times. It certainly can be used to refer to a
grouping of people by common culture, such as the "Jewish" race.

As a side note, I've seen some pretty heated arguments about this. It's a bit
strange to me why this is such a contentious subject. Is this coming from
people who still think we have cleanly delineated "races" like Caucasoid,
Mongoloid & Negroid?

------
pmille5
Civilians are now subject to an unprecedented level of surveillance. It would
be a mistake to underestimate the probabilities of abuse of personal and
private information. The 'justifications' for spying are as endless as the
means for carrying it out; in 2001 it was Al Qaeda, today it's ISIL and
tomorrow it will be something else. Exactly how these surveillance programs
are implemented is beside the point. The results are very clearly a loss of
privacy and freedom of expression. Whether or not you're likely to become a
security threat will be left to the interpretation of bureaucrats rummaging
through your Evernote entries and text messages.

------
carsongross
If you are doing nothing wrong, you have nothing to fear, citizen.

This is for your own protection, citizen.

Your prompt compliance in this matter is appreciated, citizen.

~~~
hawleyal
Get back in the designated free-speech zone.

------
therealmarv
It sounds like big news but I'm pretty sure that US intelligence is laughing
at this kind of software... Germany is very bad on spying on its own citizens
(this is by design, e.g. the privacy laws) in comparison to the USA which I
think is even better on spying German citizens than their own government ;)

------
scurvy
Good thing the EU is now forcing US companies to keep EU customer data in the
EU. You know, to prevent spying on people's data.

~~~
edko
If a government is going to spy on me, I'd rather it be my own.

~~~
tomtoise
'If I'm going to be forced to eat a pile of shit for my lunch, I'd rather it
be my own'

No thanks.

~~~
Xylakant
Against your own government you have at least some amount of leverage, be that
through courts or legal system or by supporting a political movement. Against
a foreign government you're out of options. There is no feasible way a German
citizen can appeal an act of the American administration.

------
mihaifm
Are our operating systems so vulnerable? Even if we're talking about
governments, how is it still possible for someone to 'break' into my computer
without me doing anything stupid. How do they plan to install Trojans into my
computer?

~~~
pluma
IIRC the predecessor was injected as malware into MITM'ed software downloads.

So if the police wants to deploy it against a suspect they first get access to
their network traffic and then work from there. It was intended as an
alternative to breaking and entering to deploy surveillance equipment or gain
physical access to hardware.

Of course this approach has several obvious limitations (e.g. encryption) but
there may be other approaches in use. That's just what I remember from when
the original trojan was reported on a few years back.

------
teamhappy
Do we know who wrote this version? The last one was from FinFisher IIRC.

~~~
sanid
It's developed by the Federal Criminal Police Office [0] (German BKA). They
also bought another program from FinFisher as a backup that needs to be
altered to fit the regulations and stuff. [0] only in German sorry:
[http://www.spiegel.de/netzwelt/netzpolitik/bundestrojaner-in...](http://www.spiegel.de/netzwelt/netzpolitik/bundestrojaner-innenministerium-gibt-spaehsoftware-frei-a-1078656.html)

~~~
teamhappy
I don't know what "Steigerung der passgenauen Einsatzfähigkeit" means (I speak
German; I just don't know what it means), but it sounds like they still need
the exploits from FinFisher.

~~~
brakmic
I think it means "better aim". "Passgenau" could mean "better fitted fit"
which is actually a tautology because a "fit" already "fits".

Legal German is like any other "legal Language". Not for human consumption. ;)

------
sageikosa
I just hope they don't start pressuring anti-virus makers to ignore their
malware; lest we be exposed to malware pretending to be government spyware.

------
gypsy_boots
> The interior ministry spokesman defended the government's decision, saying
> "basically we now have the skills in an area where we did not have this kind
> of skill." The program was already endorsed by members of the government in
> autumn 2015, the ministry said.

By this do they mean they've only now just found and hired someone that can
build this program? Is that what they mean by "skill"?

~~~
germanier
I think they used the German word "Fähigkeit" which better translates to
something like ability (of an intelligence service).

~~~
Xylakant
"capability" would probably be the best translation of "Fähigkeit"

~~~
germanier
Ah, yes thanks, that was the word I was looking for. This is the closest
translation which covers the meaning in this context.

------
cuillevel3
The funny thing is they don't want to develop an all-purpose trojan. It's only
meant to intercept communication before it is encrypted and sent over the
wire. This came to happen because they were unable to listen in on Skype calls
in the past. So they're basically deploying a trojan which is able to copy
VOIP traffic.

From media reports it's unclear if communication includes chat and email,
which would make the trojan a keylogger. There are lawyers that argue email,
without PGP encryption, is within the 'Quellen-TKÜ' laws reach.

Furthermore the government is not allowed to turn the infected machine into a
listening station, by law the flat of a person is under stronger protection
than his communication.

Technically this will be really hard to enforce in software...

------
akerro
> "basically we now have the skills in an area where we did not have this kind
> of skill...

when we were STASI

------
lostInTheWoods3
Are we headed for civil war in cyber space? This is the kind of bs that starts
to wake people up.

~~~
pdkl95
It's been a _cold_ civil war for many years. Encryption - and communication
technology in general - is a power usable by anybody, not just established
institutions.

As Dan Geer explains:

    
    
        In other words, [c]onvergence is an inevitable consequence of the
        very power of cyberspace in and of itself. [I]ncreasingly powerful,
        location independent technology in the hands of the many will tend
        to force changes in the distribution of power.  In fact, that is
        the central theme of this essay -- that the power that is growing
        in the net, per se, will soon surpass the ability of our existing
        institutions to modify it in any meaningful way, so either the net
        must be broken up into governable chunks or the net becomes government.
        
        It seems to me that the leverage here favors cyberspace whenever
        and wherever we give cyberspace a monopoly position, which we are
        doing that blindly and often.  In the last couple of years, I've
        found that institutions that I more or less must use [...] no longer
        accept paper letter instructions, they each only accept digital
        delivery of such instructions.  This means that each of them has
        created a critical dependence on an Internet swarming with men in
        the middle and, which is more, they have doubtlessly given up their
        own ability to fall back to what worked for a century before.
    
        It is that giving up of alternative means that really defines what
        convergence is and does.  It is said that all civil wars are about
        on whose terms re-unification will occur.  I would argue that we
        are in, to coin a phrase, a Cold Civil War to determine on whose
        terms convergence occurs. 
    
    

[https://www.youtube.com/watch?v=nT-TGvYOBpI#t=2824](https://www.youtube.com/watch?v=nT-TGvYOBpI#t=2824)

[http://geer.tinho.net/geer.blackhat.6viii14.txt](http://geer.tinho.net/geer.blackhat.6viii14.txt)
(section "10. Convergence")

------
antitamper
What's to stop someone setting up a honey trap computer all exposed with
Microspy Windows running on it, and effectively summoning these guys.

I genuinely am interested in their payloads...

~~~
pluma
Nothing. Also nothing is stopping anti-virus companies from making their
software detect the "Bundestrojaner" as soon as they have learned to recognize
it. They have done this with the previous version, too:

[https://www.avira.com/en/support-for-home-knowledgebase-deta...](https://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1074) (2011)

~~~
nandhp
For context, Avira is a German anti-virus company.

~~~
pluma
Thanks. I wasn't actually aware they're a German company. This should make it
even more reassuring though: if even German anti-virus companies won't give it
any special treatment, this really makes it no more of a concern than any
other malware from the user's POV (other than the political debate of course).

------
thinkindie
Considering how Germans are obsessed with privacy and state surveillance (see
for example cash usage vs electronic payments), let's see a country going nuts
in 3 2 1 ...

~~~
detaro
You have a bit too positive image of us ;)

Yes, it will spark discussions again, and certainly be tested in front of our
highest courts, and probably fail in some aspects and be sent back to the drawing
boards again after a few years, but I don't expect that much "outrage", at
least as long as it remains a tool for few specialized cases.

~~~
thinkindie
I'm working in Germany (Berlin) and I was shocked by how often you see
"cash-only" signs and how electronic payments are avoided on privacy grounds.
Plus I saw the reaction from German colleagues when it was a matter of
communicating some personal data to a company that manages the salaries and I
realised how Germans are obsessed (not necessarily in a bad way) about their
privacy

~~~
brightsize
Yet they (the Germans I've known) don't seem to give a second thought to
handing out their bank account numbers to businesses for electronic payment
purposes. Discount card use seemed to be widespread as well despite all the
tracking that inevitably comes with it. I never once got through the check-out
stampede at Rewe without being asked if I had a card. I met some
wantrepreneurs in Berlin who were hatching discount/reward card schemes of
their own, not something that would attract much investor attention here in
the States, unless of course it was "the Uber of discount cards". No, stop,
that's not an Idea.

------
ai_ja_nai
Good luck hacking in my Ubuntu box with latest patches and an iptables
firewall... The only reasonable way to obtain people's data is to lock them in
some Guantanamo like infrastructure and get their password. Betting on weak
security as a means to control people can't eventually prevail because open
systems get patched at faster speed than vulnerabilities found.

------
swehner
Apparently this "trojan" only works on a Windows computer.

[https://nakedsecurity.sophos.com/2011/10/10/german-governmen...](https://nakedsecurity.sophos.com/2011/10/10/german-government-r2d2-trojan-faq/)

------
CyberDildonics
So this goes both ways and the German citizens can monitor their government
right?

------
matt4077
On a practical level, I feel like configuring my systems as
just-try<n>.come-get-me.de

If it's like any other IT project, they probably have just finished the
Windows XP version of their 'trojan'.

------
coldcode
Good luck getting a trojan onto an iOS 9 based iPhone 6.

~~~
choosername
a second one next to preinstalled one? What would be the use?

------
dschiptsov
It seems today's governments, like churches of the dark ages, want too much
control over what is not their fucking problem.

------
patkai
One could easily mirror the title as: "German citizens to use Trojan spyware
to monitor governments".

------
gotchange
> They [trojans] are often used by hackers and thieves to gain access to
> somebody else's data.

What does this make the German government?

If you get something on a suspect, bring him/her into custody and start your
investigation but bugging them and putting their digital life at risk for the
lure and greed for information gathering is just detestable and unethical.

------
MindTooth
How can someone justify spyware in any shape and form?!

------
IncRnd
I see why Merkel was upset with the US spying on her...

------
throwaway21816
When the state has a monopoly on force any speech against them is hate speech.
Defending the censorship of people you don't like will simply come back to bite
you.

~~~
throwaway21816
Today it may be good fun to watch people with a differing opinion get arrested
and harassed as a part of "justice" but tomorrow when they decide you don't
need encryption and you're the one being targeted it won't be so funny.

~~~
throwaway21816
> You are not arrested for "having an opinion" but if you call for violence,
> deny the holocaust or endorse genocide. Those are not opinions.

Those are all opinions. An opinion is a view or judgement on a given item.
Just because they are opinions you do not like doesn't make them anything more
than opinions.

> Nobody moves the definition every day and it has nothing to do with
> encryption nor can those laws ever used against encryption by definition as
> they all include doing something in public.

Nobody moves the definition? Talk to me about the use of spyware on citizens,
I'm pretty sure that definition just got moved.

> Probably everybody who knows the German society will know whether something
> is "just an opinion" or violates one of those laws just be looking at most
> statements. It's one of those "I know when I see it" definitions that is
> shared among Germans. That being said courts have created very narrow and
> clear precedent on those laws.

Well if the state says so then it has to be okay right?

~~~
germanier
The thing is, this discussion is really off-topic. This spyware has nothing to
do with hate-speech laws. It's supposed to be used in instances where
wiretapping is legal but not possible. The idea is that the spyware wiretaps
"at the source". Again, that has absolutely nothing to do with hate-speech
laws and no definition has been shifted.

You will probably not even find a reasonable number of people living in
Germany in favor of repealing those laws let alone something near a majority.
Those laws are ok because the people living here are ok with those kinds of
hate-speech laws. If you don't like it you are free to stay away from Germany.

------
actionwords
Merkel has already told Facebook and Twitter to delete comments and ban
accounts negative of her 'policies'.

~~~
embik
This is not true at all. The German Government is asking Facebook to delete
comments which could be categorized as hate speech ("Volksverhetzung" in
German). These comments are not "negative of her policies", they are calling
on people to kill, gas or otherwise attack refugees, politicians or
journalists. They are simply asking Facebook to comply with German law.

Some comments comparable to those in question are curated at a tumblr blog
([https://perlen-aus-freital.tumblr.com/](https://perlen-aus-freital.tumblr.com/)).
Those comments are anything but a political statement
against Merkel's policies. They are born out of pure hatred.

~~~
actionwords
When a state defines 'hate speech' laws they're really defining 'thought
criminal' laws.

Merkel and co. are trying to manipulate public opinion through the destruction
of contrarian thought from the public realm.

~~~
germanier
Hate speech laws and thought crimes are on a totally different level. In
Germany you are completely free to use the most blatant hate speech as much as
you like as long as you don't do so in public.

Those laws are also not created by "Merkel and co." but decades old and
introduced by the allies after the second world-war.

------
error53
I will always remember the days when German businesses requested servers in
their offices because AWS was under NSA...

~~~
therealmarv
This is not an uncommon request... actually a lot of German companies
(especially the bigger ones) will never trust public cloud infrastructures
especially when they are based in another country.

