[liberationtech] Secret Government Document Reveals: German Federal Police Plans To Use Gamma FinFisher Spyware

ilf ilf at zeromail.org
Wed Jan 16 08:00:58 PST 2013


https://netzpolitik.org/2013/secret-government-document-reveals-german-federal-police-plans-to-use-gamma-finfisher-spyware/

The German Federal Police office has purchased the commercial spyware
toolkit FinFisher from Eleman/Gamma Group. This is revealed by a secret
document of the Ministry of the Interior, which we are publishing
exclusively. Instead of legitimizing products used by authoritarian
regimes for the violation of human rights, the German state should
restrict the export of such state malware.

In October 2011, the German hacker organization Chaos Computer Club (CCC)
analyzed malware used by German government authorities. The product of
the German company DigiTask was not just programmed badly and lacking
elementary security, it was in breach of German law. In a landmark case,
the Federal Constitutional Court of Germany ruled in 2008 that
surveillance software targeting telecommunications must be technologically
limited to a specific task. Instead, the CCC found that the DigiTask
software took over the entire computer and included the option to remotely
add features, thereby clearly violating the court ruling.

Since then, many German authorities have stopped using DigiTask spyware
and started to create their own state malware. For this task, a "Center of
Competence for Information Technology Surveillance (CC ITC)" was
established, sporting a three million Euro budget and a team of 30 people.
Today, the Federal Ministry of the Interior is informing the Federal
Parliament Bundestag about the center's progress and work. Members of the
Finance Committee of the German Parliament are receiving a classified
document that we are now publishing. (text)

According to the document (in German only) dated December 7, the Federal
Criminal Police Office plans to finish the development of their own
surveillance malware by the end of 2014. There is no word on the
progress or even how many developers have applied for the job, which seems
to be frowned upon by many German hackers.

In the meantime, the Federal Police plans to continue using commercial
software. In a "market survey", they have assessed "three products as
generally suitable". The result:

> The Federal Criminal Police Office has acquired, for the event a use is 
> necessary, a commercial product of the company Eleman/Gamma.

The Gamma Group of Companies, a network of companies linked to offshore
secrecy, is behind the infamous FinFisher/FinSpy IT intrusion software kit
developed in Germany and used by authoritarian regimes across the world to
spy on political activists. The software is highly sophisticated and can
completely take over a variety of devices, including Windows, OS X, Linux,
iOS, Android, Symbian, Blackberry and Windows Mobile. A promotional video
advertises the ability of "remote intrusion" via fake updates from mobile
carriers and Internet providers.

The experienced team behind FinFisher/FinSpy is less likely to implement
"significant design and implementation flaws", as the CCC diagnosed for
DigiTask. But with strong clues that authoritarian regimes such as
Bahrain, United Arab Emirates, Qatar, Ethiopia, Mongolia and Turkmenistan
are using those products, the German state is sending a dangerous political
message by using exactly the same software itself. In Britain, the
Secretary of State put FinSpy software under export restrictions, requiring
the Gamma company to acquire a licence to export these tools. In Germany,
we are also calling for export restrictions to stop the sale of western
surveillance technology to regimes known for their violation of human
rights.

Besides this fundamental criticism, it also remains unclear if this
spyware developed for international customers can meet the high standards
set by the Constitutional Court for the use of such software in Germany. As
discovered by the CCC, DigiTask was breaking the law by allowing installed
malware to be updated and new features to be added remotely. Although Gamma keeps
its software secret, current research suggests that the FinFisher/FinSpy
toolkit consists of a basic module (the trojan) that can also remotely load
additional "feature modules", for example a module for recording Skype
conversations. Analysts who have looked at FinFisher parts told
netzpolitik.org that they have not seen limits on what additional modules
can be loaded or even a signature verification of additional modules. If
this is indeed the case, this would clearly violate German law.

Since the CCC analysis showed that the current German state trojan was
able to do more than allowed, it should be obvious that all future spyware
must be verified before use. According to the document, both the Federal
Commissioner for Data Protection and Freedom of Information and the Federal
Office for Information Security are not able to audit the source code of
the program to check if it complies with the legal requirements. For this
reason, the German part of IT corporation Computer Sciences Corp was tasked
with the review, which was supposed to be finished in December. The
document does not mention the progress or results of such an audit.

There are also no mentions of an amount which the Federal Police is paying
to Gamma, the terms of a sale or licensing, or whether German officials
have already used the software. Gamma spokesperson and developer Martin J.
Münch has not answered questions sent by netzpolitik.org.

CCC spokesperson Frank Rieger states:

> With the purchase of Gamma FinFisher, the Federal Criminal Police
> Office has chosen a vendor that has become a symbol for the use of
> surveillance technology in oppressive regimes worldwide. FinFisher also
> consists of various components, which can be loaded when needed,
> thereby allowing the installation of spying capabilities that go far
> beyond the already questionable "wiretapping at the source".

-- 
ilf

Over 80 million Germans do not use a console. Don't click away!
		-- An initiative of the Federal Office for Keyboard Use



----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE