[liberationtech] Secret Government Document Reveals: German Federal Police Plans To Use Gamma FinFisher Spyware
https://netzpolitik.org/2013/secret-government-document-reveals-german-feder... The German Federal Police office has purchased the commercial Spyware toolkit FinFisher of Eleman/Gamma Group. This is revealed by a secret document of the Ministry of the Interior, which we are publishing exclusively. Instead of legitimizing products used by authoritarian regimes for the violation of human rights, the German state should restrict the export of such state malware. In October 2011, German hacker organization Chaos Computer Club (CCC) analyzed a malware used by German government authorities. The product of the German company DigiTask was not just programmed badly and lacking elementary security, it was in breach of German law. In a landmark case, the Federal Constitutional Court of Germany ruled in 2008 that surveillance software targeting telecommunications must be technologically limited to a specific task. Instead, the CCC found that the DigiTask software took over the entire computer and included the option to remotely add features, thereby clearly violating the court ruling. Since then, many German authorities have stopped using DigiTask spyware and started to create their own state malware. For this task, a b Center of Competence for Information Technology Surveillance (CC ITC )b was established, sporting a three million Euro budget and a team of 30 people. Today, the Federal Ministry of the Interior is informing the Federal Parliament Bundestag about the centers progress and work. Members of the Finance Committee of the German Parliament are receiving a classified document, that we are now publishing. (text) According to the document (in German only) dated December 7, the Federal Criminal Police Office plans to finish the development of their own surveillance malware until the end of 2014. There is no word on the progress or even how many developers have applied for the job, which seems to be frowned upon by many German hackers. In the meantime, the Federal Police plans to continue using commercial software. In a b market surveyb, they have assessed b three products as generally suitableb. The result:
The Federal Criminal Police Office has acquired, for the event a use is necessary, a commercial product of the company Eleman/Gamma.
The Gamma Group of Companies, a network of companies linked to offshore
secrecy, is behind the infamous FinFisher/FinSpy IT intrusion software kit
developed in Germany and used by authoritarian regimes across the world to
spy on political activists. The software is highly sophisticated and can
completely take over a veriety of devices, including Windows, OS X, Linux,
iOS, Android, Symbian, Blackberry and Windows Mobile. A promotional video
advertises the ability of b remote intrusionb via fake updates from mobile
carriers and Internet providers.
The experienced team behind FinFisher/FinSpy is less likely to implement
b significant design and implementation flawsb, as the CCC diagnosed for
DigiTask. But with strong clues that authoritarian regimes such as
Bahrain, United Arab Emirates, Qatar, Ethiopia, Mongolia and Turkmenistan
are using those products, the German state is sending a dangerous political
message by using exactly the same software itself. In Britain, the
Secretary of State put FinSpy software under export restrictions, requiring
the Gamma company to acquire a licence to export these tools. In Germany,
we are also calling for export restrictions to stop the sale of western
surveillance technology to regimes known for their violation of human
rights.
Besides this fundamental criticism, it also remains unclear if this
spyware developed for international customers can meet the high standards
set by the Constitutional Court for the use of such software in Germany. As
discovered by the CCC, DigiTask was breaking the law by allowing to update
installed malware and adding new features from remote. Although Gamma keeps
its software secret, current research suggests that the FinFisher/FinSpy
toolkit consists of a basic module (the trojan) that can also remotely load
additional b feature modulesb, for example a module for recording Skype
conversations. Analysts who have looked at FinFisher parts told
netzpolitik.org that they have not seen limits on what additional modules
can be loaded or even a signature verification of additional modules. If
this is indeed the case, this would clearly violate German law.
Since the CCC analysis showed that the current German state trojan was
able to do more than allowed, it should be obvious that all future spyware
must be verified before use. According to the document, both the Federal
Commissioner for Data Protection and Freedom of Information and the Federal
Office for Information Security are not able to audit the source code of
the program to check if it complies with the legal requirements. For this
reason, the German part of IT corporation Computer Sciences Corp was tasked
with the review, which was supposed to be finished in December. The
document does not mention the progress or results of such an audit.
There are also no mentions of a amount which the Federal Police is paying
to Gamma, the terms of a sale or licensing, or whether German officials
have already used the software. Gamma spokesperson and developer Martin J.
MC With the purchase of Gamma FinFisher, the Federal Criminal Police
Office has chosen a vendor that has become a symbol for the use of
surveillance technology in oppressive regimes worldwide. FinFisher also
consists of various components, which can be loaded when needed,
thereby allowing the installation of spying capabilities that go far
beyond the already questionable b wiretapping at the sourceb . --
ilf
C ber 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
-- Eine Initiative des Bundesamtes fC
participants (1)
-
ilf