[liberationtech] Secret Government Document Reveals: German Federal Police Plans To Use Gamma FinFisher Spyware

ilf ilf at zeromail.org
Wed Jan 16 08:00:58 PST 2013


https://netzpolitik.org/2013/secret-government-document-reveals-german-federal-police-plans-to-use-gamma-finfisher-spyware/

The German Federal Police office has purchased the commercial spyware 
toolkit FinFisher from Eleman/Gamma Group. This is revealed by a secret 
document of the Ministry of the Interior, which we are publishing 
exclusively. Instead of legitimizing products used by authoritarian 
regimes for the violation of human rights, the German state should 
restrict the export of such state malware.

In October 2011, German hacker organization Chaos Computer Club (CCC) 
analyzed a malware used by German government authorities. The product of 
the German company DigiTask was not just programmed badly and lacking 
elementary security, it was in breach of German law. In a landmark case, 
the Federal Constitutional Court of Germany ruled in 2008 that 
surveillance software targeting telecommunications must be 
technologically limited to a specific task. Instead, the CCC found that 
the DigiTask software took over the entire computer and included the 
option to remotely add features, thereby clearly violating the court 
ruling.

Since then, many German authorities have stopped using DigiTask spyware 
and started to create their own state malware. For this task, a “Center 
of Competence for Information Technology Surveillance (CC ITÜ)” was 
established, sporting a three million Euro budget and a team of 30 
people. Today, the Federal Ministry of the Interior is informing the 
Federal Parliament Bundestag about the center's progress and work. 
Members of the Finance Committee of the German Parliament are receiving 
a classified document that we are now publishing. (text)

According to the document (in German only) dated December 7, the Federal 
Criminal Police Office plans to finish the development of its own 
surveillance malware by the end of 2014. There is no word on the 
progress or even how many developers have applied for the job, which 
seems to be frowned upon by many German hackers.

In the meantime, the Federal Police plans to continue using commercial 
software. In a “market survey”, they have assessed “three products as 
generally suitable”. The result:

> The Federal Criminal Police Office has acquired, for the event a use 
> is necessary, a commercial product of the company Eleman/Gamma.

The Gamma Group of Companies, a network of companies linked to offshore 
secrecy, is behind the infamous FinFisher/FinSpy IT intrusion software 
kit developed in Germany and used by authoritarian regimes across the 
world to spy on political activists. The software is highly 
sophisticated and can completely take over a variety of devices, 
including Windows, OS X, Linux, iOS, Android, Symbian, Blackberry and 
Windows Mobile. A promotional video advertises the ability of “remote 
intrusion” via fake updates from mobile carriers and Internet providers.

The experienced team behind FinFisher/FinSpy is less likely to implement 
“significant design and implementation flaws”, as the CCC diagnosed for 
DigiTask. But with strong clues that authoritarian regimes such as 
Bahrain, United Arab Emirates, Qatar, Ethiopia, Mongolia and 
Turkmenistan are using those products, the German state is sending a 
dangerous political message by using exactly the same software itself. 
In Britain, the Secretary of State put FinSpy software under export 
restrictions, requiring the Gamma company to acquire a licence to export 
these tools. In Germany, we are also calling for export restrictions to 
stop the sale of western surveillance technology to regimes known for 
their violation of human rights.

Besides this fundamental criticism, it also remains unclear whether this 
spyware developed for international customers can meet the high 
standards set by the Constitutional Court for the use of such software 
in Germany. As discovered by the CCC, DigiTask was breaking the law by 
allowing installed malware to be updated and new features to be added 
remotely. Although Gamma keeps its software secret, current research 
suggests that the FinFisher/FinSpy toolkit consists of a basic module 
(the trojan) that can also remotely load additional “feature modules”, 
for example a module for recording Skype conversations. Analysts who 
have looked at FinFisher parts told netzpolitik.org that they have not 
seen limits on what additional modules can be loaded, or even a signature 
verification of additional modules. If this is indeed the case, this 
would clearly violate German law.
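To make concrete what the analysts say is missing, here is an added, constructed example (not Gamma's or FinFisher's code, and not from the original article) of the two controls a task-limited modular loader would need: an allow-list of the modules a deployment may load, and an integrity check on each module before it is accepted. HMAC-SHA256 from the Python standard library stands in for the asymmetric signature a real design would use; the module name, key and payload are hypothetical.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical allow-list: the only module (and version) this deployment
# is permitted to load. Anything else is refused before any crypto check.
ALLOWED_MODULES = {"voip_capture": "1.0"}


def sign_module(key: bytes, name: str, version: str, payload: bytes) -> str:
    """Tag an approved module: binds name, version and payload hash to the key.

    HMAC stands in for a vendor signature here; a real loader would verify a
    public-key signature so that the device never holds signing material.
    """
    msg = json.dumps({"name": name, "version": version,
                      "sha256": hashlib.sha256(payload).hexdigest()},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def load_module(key: bytes, manifest: dict, payload: bytes) -> Optional[str]:
    """Return the module name if it is allow-listed and authentic, else None."""
    name, version = manifest.get("name"), manifest.get("version")
    if ALLOWED_MODULES.get(name) != version:
        return None  # not in the allow-list: refused regardless of its tag
    expected = sign_module(key, name, version, payload)
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        return None  # payload tampered with, or tag missing/forged
    return name


def demo() -> tuple:
    """Constructed inputs: one valid module, one tampered, one not allowed."""
    key = b"constructed-demo-key"          # constructed, not a real secret
    payload = b"constructed module bytes"
    good = {"name": "voip_capture", "version": "1.0",
            "tag": sign_module(key, "voip_capture", "1.0", payload)}
    extra = {"name": "keylogger", "version": "1.0",
             "tag": sign_module(key, "keylogger", "1.0", payload)}
    return (load_module(key, good, payload),            # "voip_capture"
            load_module(key, good, payload + b"x"),     # None: tampered
            load_module(key, extra, payload),           # None: not allowed
            load_module(key, {"name": "voip_capture", "version": "1.0"},
                        payload))                       # None: no tag
```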

Since the CCC analysis showed that the current German state trojan was 
able to do more than allowed, it should be obvious that all future 
spyware must be verified before use. According to the document, both the 
Federal Commissioner for Data Protection and Freedom of Information and 
the Federal Office for Information Security are not able to audit the 
source code of the program to check if it complies with the legal 
requirements. For this reason, the German part of IT corporation 
Computer Sciences Corp was tasked with the review, which was supposed to 
be finished in December. The document does not mention the progress or 
results of such an audit.

There are also no mentions of the amount which the Federal Police is 
paying to Gamma, the terms of the sale or licensing, or whether German 
officials have already used the software. Gamma spokesperson and 
developer Martin J. Münch has not answered questions sent by 
netzpolitik.org.

CCC spokesperson Frank Rieger states:

> With the purchase of Gamma FinFisher, the Federal Criminal Police 
> Office has chosen a vendor that has become a symbol for the use of 
> surveillance technology in oppressive regimes worldwide. FinFisher 
> also consists of various components, which can be loaded when needed, 
> thereby allowing the installation of spying capabilities that go far 
> beyond the already questionable “wiretapping at the source”.

-- 
ilf

Over 80 million Germans do not use a console. Don't click away!
		-- An initiative of the Federal Office for Keyboard Use
