Government spyware
October 11, 2011
A spokesperson for German software company DigiTask confirmed Tuesday that it is behind the "Bundestrojan" ("Federal Trojan") spyware, also known as "R2D2" or "0zapftis."
The spyware was shown to have gone well beyond its intended lawful interception capabilities by a German hacker group over the weekend.
Following Saturday's revelations by the Chaos Computer Club that the software can log keystrokes, take screenshots, record Skype conversations and more, a number of other German states confirmed Monday that their state law enforcement agencies have been using the software.
"It is most probably ours in Bavaria," said Winfried Seibert, a Cologne-based attorney and DigiTask spokesperson. He told Deutsche Welle that the company was looking into the possibility that its software had also been used in other German states.
"If it is the software which we sold to authorities in Bavaria, it is the software [that we sold to them in] 2007."
Seibert also confirmed that similar software has been sold to state and federal governments in Austria, Switzerland and the Netherlands, although he declined to specify exactly to which states or agencies.
A Bavaria-based attorney, Patrick Schladt, said in a Monday German-language press release that one of his clients had this software installed on his laptop while at the Munich airport.
"Even if the measure itself was controlled by the Bavarian authorities, it is clear to me without a doubt that federal agencies - such as the Customs and the Customs Criminal Office - were involved in the course of assistance," Schladt wrote.
Joachim Herrmann, the Bavarian interior minister, said in a statement Monday that the state police had acted within the law, and he promised a review of the software's use.
The scandal has reached the highest levels of the German government.
On Twitter, government spokesperson Steffen Seibert (no relation) wrote Monday that "the chancellor is taking the CCC reports very seriously," adding that the "federal and state governments [must] clarify quickly whether the Trojan [spyware] came into use."
He reiterated that the BKA (Bundeskriminalamt), Germany's Federal Criminal Police Agency, has denied using the software.
Company advertised 'forbidden features'
DigiTask's Seibert added that the software had been sold to Bavarian authorities in 2007, but he declined to disclose how much the software cost.
However, an online record on an official European Union website shows that in 2009, the German Federal Network Agency (Bundesnetzagentur) paid DigiTask over 660,000 euros ($897,000) for the construction of a "wiretap testing and monitoring system."
"[This software has been sold] nowhere in the Americas, nowhere in Africa, Middle East, nowhere in Eastern Europe, nowhere in Australia," Seibert added.
The DigiTask spokesperson emphasized that the company was staying within the bounds of the law.
"We have a basic software, which does not allow anything which is against the law," he said.
"Then, if the client, in Bavaria or wherever, asks for the specialized version, it has to refer to a decision by a German court which allows exactly what they are asking for. What the authorities do and how often they do it and where they do it, is not our concern and we can't influence it," said Seibert.
In other words, if law enforcement authorities decide to use a specialized, enhanced version of the software, "we will never be aware of it and we could never prohibit it," he added.
A copy of an English-language corporate presentation given by Michael Thomas, one of the top executives at DigiTask, at a previous conference for "Intelligence Support Systems" has been circulating online.
On one of the final slides, the presentation advertises the fact that the "software may be built according to court order" to include "forbidden features" such as the ability to be remotely updated.
Spyware 'very easy' to block
Tech experts have noted that the R2D2 software is not very sophisticated and can easily be blocked by anti-malware products.
"R2D2 is very simple at its operation," wrote Mikko Hypponen, the chief research officer at F-Secure, a Helsinki-based computer security firm, in an e-mail sent to Deutsche Welle. "If we would not have known that it's a governmental Trojan, we would not have thought twice about it. It doesn't really stand out much from backdoors used by online criminals."
He added that the software was "very easy" to block and remove from infected computers, a conclusion that seemed to be a consensus in the tech security community.
"[The software always uses] the same encryption key," said Felix Leder, a German security architect in the Malware Detection Team at Norman, a Norwegian computer security firm.
"Since some of the bytes are always the same, you can detect them and then you can detect that you have Bundestrojan traffic on your network. We are seeing similar mistakes made in spyware. Normally they forget simple stuff."
Government oversight
Still, tech experts have raised new questions about the proper oversight of this type of digital surveillance in Germany.
"What it does suggest, however, is that perhaps the authorities were using a Trojan which had capabilities beyond what is allowed by Germany's Federal Constitutional Court," wrote Graham Clueley, a senior technology consultant for British computer security firm Sophos, in another e-mail to Deutsche Welle.
"Questions may also be asked as to what are appropriate scenarios for use of computer spying - many people may think that monitoring terrorist suspects in this way is appropriate, but for less serious types of crime?"
Some European Union politicians have already begun raising questions about the use of DigiTask's software in various EU member states.
"I do consider [this episode] very worrying and we will question the Dutch [government] about this," wrote Sophie in 't Veld, a Dutch member of the European Parliament, in an e-mail sent to Deutsche Welle.
"What is most worrying however, is that it is part of a trend. Governments seem to think they have an intrinsic right to spy on their citizens, and that they can go very far. Technology definitely lowers the threshold. I am not saying we should use the technology, but the safeguards should be strengthened. If not, we risk being on a slippery slope."
Author: Cyrus Farivar
Editor: Martin Kuebler