Country-hearing: Germany (14 November)
- Andre Meister, netzpolitik.org
On three occasions, Federal Criminal Police Office (BKA) Vice-President Martina Link has been invited, says the committee chair, but she does not come without giving a reason. The Munich public prosecutor’s office was also invited, but was not allowed to talk about ongoing investigations. At least they replied.
Andre Meister talks about state hacking, which he has been observing for 10 years. It is a disgrace that the German government refuses to testify, he says, Germany has similar problems with it as other countries that are currently being investigated by the PEGA committee.
In Germany, he prefers not to speak of spyware, but of state hacking, because it is about penetrating systems. It’s not just about mobile phones and smartphones, ultimately all digital devices on the Internet of Things can be hacked, even medical implants. He would like to use the term „state hacking“ for this.
In 2006, a hotel in the Congo was hacked, where a German soldier was said to have talked to a spy. The Federal Intelligence Service is concerned with espionage – not like the police. In 2015, a network operator in Afghanistan was hacked, so it’s not just about devices. Customs and police have been hacking since at least 2008, the first cases that became public were related to product piracy and smuggling, not serious crimes such as terrorism.
In parliament, the laws for the police were justified with crimes such as child pornography, organised crime, murders. In practice, however, these cases hardly occur, terrorism even not at all. He would like to say something personal: In 2015, the chairman of the Office for the Protection of the Constitution filed a complaint against me and my colleagues for treason, and there were subsequent investigations where state hacking was also used. Therefore, he directs his solidarity to all those who should be muzzled in such a way.
In Germany, the first federal law of 2008 regulated hacking for the Federal Police, since then this has always been expanded. In 2017, every law enforcement agency was allowed to do this for a total of 42 offences. This also involves hardware that may be used for attacks. A new basic right for the protection and confidentiality of IT systems limits interventions to special interests of the state, i.e. terrorism and serious crimes. To get around this, a trick has been devised, namely the separation into an online search and the restricted version of it, where only certain applications are observed. The new fundamental right becomes a farce.
In 2013, the police bought FinSpy from FinFisher, but only after five years did it meet the requirements. FinFisher then went bankrupt and was sold to Rohde & Schwarz. After this disaster, the BKA initially developed its own tool, RCIS. That’s why it took until Pegasus was acquired; the first meetings took place in 2017, then the purchase in 2020. There is no information on the Federal Office for the Protection of the Constitution, but it is assumed that Pegasus is used by the Federal Intelligence Service. The government and the Federal Criminal Police Office then set up the agency ZITiS, which acquired state hacking software from Austria and Israel, for example.
The Bundestag is not informed, even though MPs have repeatedly asked important questions. Two years ago, MPs said that this was illegal and would sue; unfortunately, they did not do so and are now part of the government. They asked for the contract with FinFisher and only got it after suing. So you have to sue the police to make them comply with the law. The BKA also did not want to hand over the contract with NSO, so they had to sue again. However, the contracts that were released were also so heavily blacked out that they are hardly usable. Their confidentiality lasts until 2080.
Vulnerabilities must be closed immediately by the companies. State hacking poses a great risk to the rule of law, as the EU Data Protection Commissioner has made clear. The hacking of EU institutions had clearly shown the danger.
When asked, Meister says that the distinction between the two types of hacking is legally constructed; technically, it is impossible to separate them. Both methods are used for completely different crimes. The more advanced variant is used against serious crimes. Secret services also use it, but there it is different again. He expects that sooner or later climate protests will also be attacked with at least telephone surveillance or even tools like these.
As far as the victims are concerned, very few have come forward, as far as he knows. In 2011, a bodybuilder who bought anabolic steroids that were legal in the neighbouring country came forward to DigiTask. In his investigation files, logs were found that must have come from a hacking operation. Attacks on Catalan activists were also reported in Germany, and one of them was even said to be a German citizen. With regard to the information, the numbers were known, but not the software used. The BKA could have provided information on this, but decided to stay away.
It was not known whether software from the Austrian company DSIRF was used in Germany, but the company had spoken to the BKA, though it was kept secret. There were many reports on Russian connections at the time, but in 2021 it was not yet that interesting. Jan Marsalek also had communication on this in his mailbox, he had discovered a document on this.
He does not believe that the separation into „small“ and „large“ Trojans is legally clean. He knows of no country that has similar regulations. It was also only necessary in Germany, as the Federal Constitutional Court restricted its use to the most serious crimes. The BKA invented source telecommunication surveillance for this very reason.
In addition to CitizenLab, NGOs such as Access Now, Amnesty Lab and Reporters Without Borders also have the tools to investigate the attacks. But the people concerned do not come, and he does not know why. Perhaps this is also not in the investigation files, so that those affected do not find out about it. Moreover, intelligence services have their own rules on the use of the software, which also differs in the 16 federal states. So there is probably a lot of misuse.
On the question of regulating or banning the software, Meister says there needs to be a ban, you can’t get the genie back in the bottle. A ban is therefore very much needed. There are possibilities for regulation so that one does not fall behind, at zerodays this should also happen. The EU was also a pioneer in the export control of such tools. Privacy International had already published a document with demands against digital espionage in 2018. They had also seen how attackers disguised themselves as, for example, social security, which was identity theft and fraud. In his opinion, states should not be allowed to oblige companies to carry out attacks and hack their own customers. There are also possibilities to prohibit foreign companies from doing business on their own territory, as the USA has done.
Transparency according to the German legal system could be improved. Whenever something was investigated, abuse was found. One cannot allow state institutions to control themselves. There is no reason for secrecy, because criminals know that they are being bugged. The Ministry of the Interior now also wants to break the coalition agreement and allow state hacking after all.
Initially, they said they would buy FinFisher for the transition until their own product was programmed. That didn’t work out because FinFisher also had to be revised several times. These tools are all different, they don’t do the same thing. This is already evident with two different mobile phone operating systems, others infect Windows computers, others cars. For the intrusion of each system, different security holes are needed. So from a technical point of view, it is understandable why the authorities would have different tools.
See here the stream of today‘s hearing.