[liberationtech] Secret Government Document Reveals: German Federal Police Plans To Use Gamma FinFisher Spyware
ilf
ilf at zeromail.org
Wed Jan 16 08:00:58 PST 2013
https://netzpolitik.org/2013/secret-government-document-reveals-german-federal-police-plans-to-use-gamma-finfisher-spyware/
The German Federal Police office has purchased the commercial Spyware
toolkit FinFisher of Eleman/Gamma Group. This is revealed by a secret
document of the Ministry of the Interior, which we are publishing
exclusively. Instead of legitimizing products used by authoritarian
regimes for the violation of human rights, the German state should
restrict the export of such state malware.
In October 2011, German hacker organization Chaos Computer Club (CCC)
analyzed a malware used by German government authorities. The product of
the German company DigiTask was not just programmed badly and lacking
elementary security, it was in breach of German law. In a landmark case,
the Federal Constitutional Court of Germany ruled in 2008 that
surveillance software targeting telecommunications must be technologically
limited to a specific task. Instead, the CCC found that the DigiTask
software took over the entire computer and included the option to remotely
add features, thereby clearly violating the court ruling.
Since then, many German authorities have stopped using DigiTask spyware
and started to create their own state malware. For this task, a bCenter of
Competence for Information Technology Surveillance (CC ITC)b was
established, sporting a three million Euro budget and a team of 30 people.
Today, the Federal Ministry of the Interior is informing the Federal
Parliament Bundestag about the centers progress and work. Members of the
Finance Committee of the German Parliament are receiving a classified
document, that we are now publishing. (text)
According to the document (in German only) dated December 7, the Federal
Criminal Police Office plans to finish the development of their own
surveillance malware until the end of 2014. There is no word on the
progress or even how many developers have applied for the job, which seems
to be frowned upon by many German hackers.
In the meantime, the Federal Police plans to continue using commercial
software. In a bmarket surveyb, they have assessed bthree products as
generally suitableb. The result:
> The Federal Criminal Police Office has acquired, for the event a use is
> necessary, a commercial product of the company Eleman/Gamma.
The Gamma Group of Companies, a network of companies linked to offshore
secrecy, is behind the infamous FinFisher/FinSpy IT intrusion software kit
developed in Germany and used by authoritarian regimes across the world to
spy on political activists. The software is highly sophisticated and can
completely take over a veriety of devices, including Windows, OS X, Linux,
iOS, Android, Symbian, Blackberry and Windows Mobile. A promotional video
advertises the ability of bremote intrusionb via fake updates from mobile
carriers and Internet providers.
The experienced team behind FinFisher/FinSpy is less likely to implement
bsignificant design and implementation flawsb, as the CCC diagnosed for
DigiTask. But with strong clues that authoritarian regimes such as
Bahrain, United Arab Emirates, Qatar, Ethiopia, Mongolia and Turkmenistan
are using those products, the German state is sending a dangerous political
message by using exactly the same software itself. In Britain, the
Secretary of State put FinSpy software under export restrictions, requiring
the Gamma company to acquire a licence to export these tools. In Germany,
we are also calling for export restrictions to stop the sale of western
surveillance technology to regimes known for their violation of human
rights.
Besides this fundamental criticism, it also remains unclear if this
spyware developed for international customers can meet the high standards
set by the Constitutional Court for the use of such software in Germany. As
discovered by the CCC, DigiTask was breaking the law by allowing to update
installed malware and adding new features from remote. Although Gamma keeps
its software secret, current research suggests that the FinFisher/FinSpy
toolkit consists of a basic module (the trojan) that can also remotely load
additional bfeature modulesb, for example a module for recording Skype
conversations. Analysts who have looked at FinFisher parts told
netzpolitik.org that they have not seen limits on what additional modules
can be loaded or even a signature verification of additional modules. If
this is indeed the case, this would clearly violate German law.
Since the CCC analysis showed that the current German state trojan was
able to do more than allowed, it should be obvious that all future spyware
must be verified before use. According to the document, both the Federal
Commissioner for Data Protection and Freedom of Information and the Federal
Office for Information Security are not able to audit the source code of
the program to check if it complies with the legal requirements. For this
reason, the German part of IT corporation Computer Sciences Corp was tasked
with the review, which was supposed to be finished in December. The
document does not mention the progress or results of such an audit.
There are also no mentions of a amount which the Federal Police is paying
to Gamma, the terms of a sale or licensing, or whether German officials
have already used the software. Gamma spokesperson and developer Martin J.
MC<nch has not answered questions sent by netzpolitik.org.
CCC spokesperson Frank Rieger states:
> With the purchase of Gamma FinFisher, the Federal Criminal Police
> Office has chosen a vendor that has become a symbol for the use of
> surveillance technology in oppressive regimes worldwide. FinFisher also
> consists of various components, which can be loaded when needed,
> thereby allowing the installation of spying capabilities that go far
> beyond the already questionable bwiretapping at the sourceb.
--
ilf
Cber 80 Millionen Deutsche benutzen keine Konsole. Klick dich nicht weg!
-- Eine Initiative des Bundesamtes fC<r Tastaturbenutzung
--
Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list