Bundeskabinett approves draft law allowing trojans on phones to monitor WhatsApp (afp.com)
95 points by Cantbekhan 88 days ago | 55 comments

Note that this is not about backdoor requirements or abilities, but about QuellenTKÜ (English: source telecommunications surveillance), which involves getting a trojan onto end devices, either through hacking, like using a bought 0-day, or by breaking into houses of suspects. It already exists as a part of law enforcement in various German states. The proposed regulation is to allow this for a bunch of additional federal agencies as well.

A backdoor requirement like Australia has it would be the service vendor having to write their apps in a way that the apps can decrypt content on remote command. That goes much farther than expensively and riskily hacking the devices of suspects.

Link to the passed draft (German): https://www.bmi.bund.de/SharedDocs/downloads/DE/gesetzestext...

So this is something like planting a microphone into your house so they can hear your conversations (with a warrant)? That doesn't really sound too bad, it's targeted and you have to go through the proper channels to get authorization.

Coming from the country that had the Stasi, no. It's very bad. The Stasi was so smart, they knew it wasn't threatening you with violence that made you complicit, it's blackmail and threats to your loved ones or ruining your career. Also absurd types of guilt trips that make you feel obligated to comply with the objective of the state for other people.

Exactly this.

The best return on investment in surveillance is always, always, always extortion. The spooks like to extort by threatening to reveal crimes, or prosecute them. Ever heard of plea bargaining? Most often the promise of "reduced" charges is exchanged for participating in surveillance, yielding more victims and more pigeons. Spies like to get other kinds of cooperation, for other kinds of threats--including revealing that you already caved once. Some people have enemies who would act on revelations. Most people have relatives who wouldn't want them harmed. Judges have relatives. Ever wondered at Judges blatantly violating settled law? It is not always just because they felt like it. Since surveillance always involves official secrecy, it is easily and widely abused, and abuse is never, ever prosecuted.

Do you wonder why politicians stay exactly in line, these days? Think they just don't have any ambition, no independence, no cojones?

We already have a surveillance system in place that the STASI could only have ever dreamed of.

> it's blackmail and threats to your loved ones or ruining your career

Something you'll find prevalent with some dissidents today. Many of them return "willingly" when presented with the alternatives.

So you consider legal wiretapping and following people immoral as well?

If it is cheap and easy, there is no reason to assume it will only, or even mainly, be legal.

The primary purpose for entities such as the FBI and CIA is to give autonomy to an entity that somewhat exerts the will of the ruling establishment by curtailing movements or organizations. Communism had no influence or money even remotely close to that of the mob. Yet who did they prioritize? Communists. They pick and choose whom the state wants to deem as enemies and exert their powers to silence them.

The problem with similar laws has always been that there are no proper channels. There were cases where those were just flat out ignored. And in other laws, released numbers showed that less than 1% of requests were denied. These requirements are for optics only, they are never in place in practice.

Another example is a police internal system to request information about citizens. That has been abused many times to spy on neighbors and even celebrities. Kind of a current topic in Germany.

> less than 1% of requests were denied

The statistics of a rubber-stamp court are identical to a court, where the requirements for an approved request are so clear that no one ever submits requests that are likely to be denied.

To prove what you are claiming, you have to actually show that a large number of accepted requests were "unethical".

The problem with these surveillance requests is that only rejections need to be argued. When the court says yes, it's mostly just a rubberstamp. When the court says no, they have to write about 4 pages of text. Given the overload of the court system, judges tend to say yes except in the most egregious cases because they need to move on to the next case.

(Disclosure: I'm occasionally involved in public relations for a local chapter of the CCC, a German NGO that deals among other things with surveillance policy.)

I think you’re being sarcastic but I’m actually not sure.

I am not, do you consider legal wiretaps bad?

Not generally, but there shouldn’t be government microphones preemptively planted in everyone’s home, Stasi style, just waiting for a warrant either.

It’s one thing to have the ability to wiretap selectively and with some cost which makes it prohibitive to do on a massive scale; it’s another thing to require vendors and service providers to deliberately sabotage their customers’ products for them.

I mean there’s just potential for rampant abuse here. What of the right of political dissidents or other persecuted minorities to communicate safely? What of the possibility that this could be used to target a politician’s political adversaries (the way we see frequent mention of today)? There’s a whole history of abuse here, in the US and across the world, and there’s no need to facilitate the potential for such abuse on a scale we’ve never seen before.

Right, but the article, top comment, and my comment talk about one thing, and your response is about something completely different. That's a frustrating way to conduct discourse.

You’re right, I didn’t read the context carefully enough.

No, but wiretaps typically have scalability problems that prevent their widespread use. There's a high marginal cost (labor + equipment) with physical wiretaps, but with digital wiretaps the marginal cost is effectively zero.

A wiretap by compromising a specific device using an exploit after obtaining a court order is also likely fairly high-effort.

Wiretaps are normally implemented for a singular specific purpose by specific entities. Not run of the mill average everyday programmers.

So exactly like the proposed law then.

I guess I should've reread that. I think it's fine for large companies because they can afford to do it. It's just the small ones that I'd find it egregious.

This might actually be good. It seems to be an alternative way to enable law enforcement instead of breaking encryption. EDRi has a document outlining solutions for law enforcement without breaking encryption: https://edri.org/files/encryption/workarounds_edriposition_2...

There's always the $5 wrench for law enforcement, I suppose ...

I’ve heard that systems like these are more about promoting state-sponsored industrial sabotage than realistically assisting in crime prevention. In this case though, it seems like Germany is trying to act as the “city on a hill” for the rest of the EU member states to model afterwards.

A couple problems with this submission:

(1) articles on HN need to be in English. We have deep respect for the German language and for other languages, but HN is an English-language site;

(2) we've gotten complaints about this title being misleading and/or completely wrong.

I've edited the title now in an attempt to be more accurate. (Submitted title was "Germany's Bundeskabinett approves draft law allowing WhatsApp/Messenger backdoor".) If there's a more accurate and neutral title we can change it again.

I'm sorry ... I could not find any English language article on any reliable/reputable media reporting on this matter after searching extensively. Therefore I decided it was best to submit this reputable AFP one in German that could be translated easily using Google translate or whatever.

I thought it was quite important to report on it despite the absence of English media coverage.

I apologize for the title being wrong in this case but some other German media press articles have used the word backdoor instead of Trojan. I should have used the word Trojan instead of Backdoor in relation to this particular article and apologize for the mistake. But I'm not really sure which is worse to be honest... and I also suppose they don't want the suspects aware of the Trojan being on their phone. Which leaves many wondering if they don't mean that they want the Trojans at tech companies instead (which then would become backdoors).

It's quite ok - obviously your intentions were fine. I appreciate the explanation.

This doesn't seem like it "allows" a backdoor; it seems like it requires one. (IANAL, etc etc.)

So much for the EU's vaunted privacy rights...

Contrary to American beliefs that three letter security agencies are some angels that follow the law, most of us with our long term experience with dictatorships across the continent, are more than aware that even with democracy, the information services of each state are quite flexible in their interpretation of what is allowed or not.

> So much for the EU's vaunted privacy rights...

Do people really have such an impression?

In 2006 the EU passed a directive that obligated all ISPs to effectively save your browsing history.[0] They had to keep this for a minimum of 6 months. It took until 2014 for the directive to be found to be invalid. It worked until then though.

And that's on the EU level. My expectations are even lower when it comes to individual member states, particularly Germany.

[0] https://en.wikipedia.org/wiki/Data_Retention_Directive

But the data collection comes with safeguards to accessing the data. You need a court order to request it. This is not state ordered mass surveillance but rather gives police a right to monitor when they have a court order.

If e2e encryption is backdoored, there are no safeguards. If a court can read the data, then any "encryption" is privacy theater: either the key has been leaked and stored on government-controlled servers (which means an adversary who got access to the government-controlled servers could read your data without your knowledge too), or the e2e encryption is entirely fake and there's a plaintext copy stored somewhere that, similarly, adversaries could access. If the government can read all of your data, a hacker can too — which in today's age, also includes foreign (or even domestic!) government surveillance programs.

Backdoored encryption isn't real encryption. It's theater.

Secret court orders. We have already seen where that naturally goes. Each abuse makes the next easier.

Afaict this article is not at all about backdoors (things WhatsApp/Facebook has to provide) but about device surveillance, putting itself between e2e and humans.

It would be bad, if the HN title wasn’t complete clickbait that had nothing to do with the article it links to…

edit: I would appreciate an explanation how my comment about an article talking about trojan horses on the victims' computer with a title about backdoors is wrong instead of mindless downvotes.

No, it gives the authorities the right to tap phones by e.g. using 0-days.

Tja: “Rules for thee but not for me”

Genuinely curious. How is this different from China mandating visibility into all of their citizens' internet data?

It's not about mass surveillance, it's about court-ordered surveillance of individual suspected criminals. As someone said in another thread, it's like a wiretap.

Okay. Looks like step 1 towards that.

What does this mean for Signal?

If the authorities gain physical access to your devices while you're not at home and pwn them with a keystroke logger that phones home + automated screenshot tool, all bets are off.

Who would leave their mobile phone at home?

Someone having an alternate phone for their secret activities.

> Die Nachrichtendienste sollten in digitalen Bereich dieselben Möglichkeiten bekommen, die sie im analogen bereits haben

translated: "Intelligence agencies ought to have the same capacities in the digital sphere that they have in the analog world."

Going to be an unpopular opinion here but I agree with this. I don't think there is any precedent for impenetrable private communication legally or culturally. Capacity to, say, tap a phone or surveil communication has existed, of course with a warrant and strict legal checks.

People who want to argue against this need to make a case why legal or cultural standards should adapt to a technology, rather than arguing from technological capacity backwards.

I’m not sure I agree. If I chose to build an impenetrable fortress in which to live, and the police wanted to stealthily bug it, they’d have to figure out how to do it, and if they couldn’t get in, tough shit. Or they’d have to ask me nicely or someone else to give them what they wanted.

Furthermore, I don’t think they could really require my hypothetical fortress builder to intentionally build in weaknesses into each fortress they built so that they could get in “just in case”.

Because the laws of physics trump the laws of the sovereign? I agree with the position that law enforcement should be able to attempt to access communications with a judicial warrant. I do not agree with a government mandate to use flawed encryption that would allow anyone to read my communications. It's questionable whether that would even accomplish their stated goals, and personally I doubt it.

> I don't think there is any precedent for impenetrable private communication legally or culturally.

What about discussions between conspirators in the privacy of their own home? Should the government be allowed to mandate that telescreens be installed in everyone's homes, with the promise that they would only listen in when they have a secret warrant to do so?

Isn't that already the status quo? Most governments I'm aware of have the right to engage in surveillance of individual homes, albeit with strong requirements. But all guarantees you have right now that no intelligence is bugging your home is the promise (and legal protection) that they don't do it arbitrarily.

But you have the right to protect your home by installing better locks, security systems, hell you can go as far as to transform your rooms into soundproof Faraday cages, which would make the task of covert surveillance borderline impossible. The law does not mandate that such systems must include backdoor capabilities.

The law effectively mandates that for every lock there should be a master key owned by police. Even in the physical world it works poorly (see the joke under the name of Travel Sentry Approved locks) and in the digital world it will be even worse, due to the near zero cost of using such a backdoor.

While it is lawful for your government to bug your home, it is also legal to own a home that doesn't have a telescreen or to remove a bug if you find one.

Laws against E2E encryption effectively mean that it is illegal to use a communications technology that is hard for the government to interfere with, even if you are not using it to break any (other) law, which seems like a change from the status quo.

You say that, but in at least one case [1], you can be charged with stealing government property if you remove a bug from your car.

[1] https://arstechnica.com/tech-policy/2019/11/man-charged-with...

That case did come to mind when I wrote my previous comment.

> After waiting another 10 days to see if it would start working again, detectives applied for a warrant to search Heuring's home and a nearby property belonging to Heuring's parents. ... Police did find the tracking device.

It sounds like the suspect moved the bug from his car into a house. If you were to move a bug from your living room to your attic (and place a sign at the location of the original bug saying "The bug is now in the attic, feel free to collect it when you find this note") then it might be harder for the police to claim you had stolen it.

> I don't think there is any precedent for impenetrable private communication legally or culturally.

Two people can communicate fairly trivially in person with a reasonable level of certainty that their conversation remains privy to only them and the most a 3rd actor might glean is that the conversation took place; not its contents.

What you might be confusing is that historically there are inherent weaknesses in using a physical or radio or electronic medium to transfer information from one mind to another and that those have always been exploitable. That exploitation usually comes by "force", for some definition of force depending on the value systems held by the parties involved.

What if someone whispers something in your ear?
