State Trojan Horses

Germany's Pirate Party and the Free Democratic Party have declared that they believe the use of state spyware to track criminals was unconstitutional.

According to hackers from the Chaos Computer Club, who hacked the police viruses last weekend, the so-called state-trojans can be used not only as surveillance but to completely control computers remotely. The German constitutional court has previously declared this unconstitutional.

German Interior Minister Hans-Peter Friedrich has now advised the individual German states not to use the software in question.

Sebastian Nerz, chairman of the Pirate Party, who have campaigned for internet freedoms, said, It is absolutely impossible to install a trojan that meets legal requirements. He added that because of the state trojans, a judge would never be able to tell whether evidence allegedly found on the computer of someone under surveillance had not been altered or fabricated later.

The FDP, junior coalition partner to Merkel's governing coalition, has also joined the growing political furor against police spyware. FDP legal spokesman Marco Buschmann told the Neue Osnabru cker Zeitung, The newly uncovered state-trojan feeds substantial doubts that the use of spy software is possible under the German constitution.

Police in New South Wales may be given authority to search homes and hack into people's computers for as long as three years without their knowledge.

The Australian government has already enacted similar practices, though its Supreme Court ruled such searches illegal in 2006.

New legislation to expand investigative powers was introduced last week in the Australia Parliament by Minister Nathan Rees. The measures allow police to apply for cover search warrants in order to gather evidence in what are deemed as serious crimes, according to ZDNet.

The laws allow for the search of computers and computers networks related to the site of a search. Rees said police will be allowed remote access to computers for five days up to a total of 28 days, with possible extended periods beyond that time, depending on an investigation.

Critics are calling the legislation much too broad, but law enforcement insists secrecy will keep criminals in the dark.

Police Minister Tony Kelly explained each application must go before a Supreme Court judge, who would initially OK secret investigations for as long as six months, but police could apply for delays as long as 18 months and even three years, pending the nature of the case.

Australian Council for Civil Liberties president Terry O'Gorman is among those opposing the law, reports ABC.net: Clearly, if the police are able to search a person's home without anyone being present, the police will be in the position to plant evidence. That's a big worry. This particular announcement extends police powers hugely without putting in any checks and balances against those powers being abused.

The laws will apply to offences punishable by at least seven years in jail, including statutes applying to homicide, kidnapping, assault, drugs, firearms, money laundering, hacking, organized theft and corruption.

The UK Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives a coach and horses through privacy laws.

The hacking is known as remote searching . It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.

Under the Brussels edict, police across the EU have been given the green light to expand the implementation of a rarely used power involving warrantless intrusive surveillance of private property. The strategy will allow French, German and other EU forces to ask British officers to hack into someone’s UK computer and pass over any material gleaned.

A remote search can be granted if a senior officer says he believes that it is proportionate and necessary to prevent or detect serious crime — defined as any offence attracting a jail sentence of more than three years.

However, opposition MPs and civil liberties groups say that the broadening of such intrusive surveillance powers should be regulated by a new act of parliament and court warrants. They point out that in contrast to the legal safeguards for searching a suspect’s home, police undertaking a remote search do not need to apply to a magistrates’ court for a warrant.

Shami Chakrabarti, director of Liberty, the human rights group, said she would challenge the legal basis of the move. These are very intrusive powers – as intrusive as someone busting down your door and coming into your home, she said.

Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state. He said the authorities could break into a suspect’s home or office and insert a key-logging device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes. It’s just like putting a secret camera in someone’s living room, he said.

Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or malware . If the attachment was opened, the remote search facility would be covertly activated. Alternatively, police could park outside a suspect’s home and hack into his or her hard drive using the wireless network.

The Association of Chief Police Officers (Acpo) said such intrusive surveillance was closely regulated under the Regulation of Investigatory Powers Act. A spokesman said police were already carrying out a small number of these operations which were among 194 clandestine searches last year of people’s homes, offices and hotel bedrooms.

Dominic Grieve, the shadow home secretary, agreed that the development may benefit law enforcement. But he added: The exercise of such intrusive powers raises serious privacy issues. The government must explain how they would work in practice and what safeguards will be in place to prevent abuse.

The Home Office said it was working with other EU states to develop details of the proposals.

Update: In Denial

6th January 2009. See article from theregister.co.uk

The Home Office has denied it has made any change to rules governing how police can remotely snoop on people's computers.

Any such remote hack - which normally requires physical access to a computer or network or the use of a key-logging virus - is governed by Ripa - and the rules have not changed.

But European discussions on giving police more access are underway - we reported on the meeting of ministers in October. But despite this Sunday Times story, no change has yet been made. The paper claimed the Home Office: has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers.

A spokesman for the Home Office told the Reg that UK police can already snoop - but these activities are governed by the Regulation of Investigatory Powers Act and the Surveillance Commissioner. He said changes had been proposed at the last Interior Ministers' meeting, but nothing has happened since.

The German Interior Ministry explained at the time that almost all partner countries have or intend to have in the near future national laws allowing access to computer hard drives and other data storage devices located on their territory. But the Germans noted the legal basis of transnational searches is not in place and ministers were looking for ways to rectify this.

The German parliament's upper house has approved a Big Brother bill that gives police powers extensive new powers, clearing the way for it to become law.

The upper house, the Bundesrat, approved the bill by a vote of 35-34.

The new law reforms the federal police and give authorities powers to break into personal computers during preventive inquiries into terrorism and other serious crime.

The revised bill requires a judge to authorize police access to a suspect's personal computer and to oversee the search of data by law enforcement officers.

It also clarifies the jurisdiction for such searches between the federal government and state authorities.

Police have been studying whether they could either enter premises to plant monitoring devices in computers or send viruses to the computers via the internet so that investigators could covertly read the hard disks.

Legislators, clergymen and defense lawyers are fully protected from such searches, but journalists, other lawyers and doctors are not.

Michael Konken, chairman of the German Journalists Association has called the bill a farce: We are worried in the editorial department, because people no longer know what they should do with their information.

German police will get sweeping new powers to hack into people's home computers with 'Trojan' viruses sent through the internet.

Under a compromise between the hardline Interior Minister Wolfgang Schaeuble and dissenting MPs, Germany's Parliament is put unprecedented power in the hands of the Federal Criminal Police (BKA). Under the compromise, the police will need a judge's approval before using the Trojans, even in an emergency.

Trojans will carry Remote Forensic Software that can search hard drives and send evidence back to investigators without their having to enter the suspect's home.

Rolf Tophoven from the Institute for Terrorism Research and Security Policy said: We need this. The masterminds among the terrorist groups of today are highly qualified, very sophisticated people. The police need as much power as we can give them so that they can remain at the technological level of the terrorists. After all, the terrorists already have a huge advantage: they have the first shot."

Based on article from theregister.co.uk

In practical terms there are many potential drawbacks to this Trojan approach.

For starters, infecting the PC of a target of an investigation is hit and miss. Malware is not a precision weapon, and that raises the possibility that samples of the malware might fall into the hands of cybercrooks.

Even if a target does get infected there's a good chance any security software they've installed will detect the malware. Any security vendor who agreed to turn a blind eye to state-sanctioned Trojans would risk compromising their reputation, as amply illustrated by the Magic Lantern controversy in the US a few years back.

Germany's lower house of parliament has approved a hotly debated law vastly expanding the surveillance capabilities of the federal police.

Opponents lambaste the measure as an effort to create a super police -- and look forward to their day before the Constitutional Court.

The measure passed 375-168 with the strong backing of Chancellor Angela Merkel's grand coalition government pairing her conservative Christian Democrats with the center-left Social Democrats. The measure's backers hope to get the stamp of approval of the Bundesrat, the upper house of parliament, before Christmas so that it can go into effect in early 2009.

The measures are specifically aimed at increasing the investigative powers of Germany's Federal Criminal Police Office (BKA). Among the increased powers would be the right to spy on people's computers using Trojans carrying so-called Remote Forensic Software that can clandestinely search through hard drives and send potentially incriminating evidence back to investigators. However, the measure does not allow the police to enter a home in order to put monitoring equipment or software on a computer.

The measure also allows the BKA to bug, film or photograph the homes of suspected terrorists or places where they are staying. Also permissible is the tapping of suspects' telephones and cell phones as well as tracking the location of mobile phone calls.

Finally, the measure will permit the BKA to perform data-mining searches as a preventative measure rather than as part of criminal proceedings following terrorist attacks. In certain cases, such data-mining can also include the use of data seized from private institutions.
All of these proposed powers would still require court approval. However, in cases of emergency, the measure allows the BKA to undertake activities without immediate court approval if such approval is obtained within three days.

The measure will also permit the BKA to perform data-mining searches as a preventative measure rather than as part of criminal proceedings following terrorist attacks. In certain cases, such data-mining can also include the use of data seized from private institutions.

According to the Interior Ministry, similar investigative powers are already enjoyed by the police forces of Germany's federal states as well as the other federal intelligence services, including Germany's Federal Intelligence Service (BND), the German army's military security service (MAD), and the Federal Office for the Protection of the Constitution (BfV).

Germany's Constitutional Court has curbed Germany's wide-reaching data collection law by stating that the data can only be collected and saved in case of real danger to citizens.

The Court decided in response to a class action suit filed by 34,000 Germans, the biggest of its kind in Germany.

The data collection law went into effect in January 2008. It gave federal government broad access to stored telephone and internet data, including email addresses, for at least six months.

The bill, part of an EU directive immediately sparked controversy among free-market liberals, privacy advocates and civil rights groups, which criticised its scope. In Hamburg, demonstaters staged a mock funeral marking The Death of Privacy.

March saw the German Constitutional Court issue an injunction against the law, saying it needed further review. Authorities would only be allowed to access it under extreme circumstances, and with a warrant. Also, the law could only be used for serious crime investigations such as murder, theft, child pornography, money laundering, corruption, tax evasion and fraud.

Using the saved data for prosecuting individuals who illegally downloaded music and movies was ruled out completely.

The ruling finally puts an end to crossing the limits of constitutionality on citizen rights, critics say. Data can only be collected when the stability or security of Germany or another country need to be defended and life, limb, and freedom of German citizens need to be protected.

The ruling was seen as a serious blow to tighter security measures by Chancellor Angela Merkel's government.

Yes Gordon, of course people will believe this is all about terrorism. Make the lie big, make it simple, keep saying it, and eventually they will believe it

This supposedly "informal" G6 group usually seem to manage to "policy launder" their decisions via the wider, full membership of the European Union, and then they can pretend that their latest Orwellian control fantasy which they are inflicting on our freedoms and liberties, has somehow been imposed on them by the EU, and is necessary to meet "international commitments", even though they themselves instigated the original policy.

From Hansard:

Written Ministerial Statements Wednesday, 15 October 2008
Home Department G6 and United States Counter-Terrorism Symposium

Jacqui Smith (Home Secretary; Redditch, Labour)

The informal G6 group of Interior Ministers from France, Germany, Spain, Italy, Poland and the United Kingdom met in Bonn, Germany on 26 and 27 September 2008, along with the United States State Secretary of the Department of Homeland Security. This was the third G6 plus US counter-terrorism symposium meeting. I attended on behalf of the United Kingdom.

The symposium was divided into four substantive discussion sessions:

[...]

remote searches of computer hard drives;

[...]

Is this a further development of what the German government has been attempting recently ?

Presumably this involves intrusive access to remote computers, by means of some sort of spyware, computer virus, trojan horse backdoor etc., or by on the fly deep packet inspection and sniffing of passwords or other security credentials,

The German government have passed an anti-terror law that would grant police the power to monitor private residences, telephones and computers.

Instead of tapping phones, they would be able to use video surveillance and even spy software to collect evidence. Physically tampering with suspects' computers would still not be allowed, but police could send anonymous e-mails containing trojans and hope the suspects infect their own computers.

Government cyberspying, the legislators point out, would only be conducted in a handful of exceptional cases.

The bill, called a building block for Germany's security architecture by interior minister Wolfgang Schäuble, still needs to be approved by the lower and upper chamber of the German parliament.

The federal law was passed after months of heated debate. The proposed plans would not only widen the anti-terror skills of police and the Federal Crime Office, better known as BKA, it would also reverse recent rulings by Germany's constitutional court and Federal Supreme Court. A law which permits authorities in the western state of North Rhine-Westphalia to spy on computer users was rejected recently and last year the the Supreme Court ruled online police spying was unlawful.

Max Stadler, a security expert with the German Free Democratic Party, warned earlier the plan would weaken the trust of German citizens in government.

Germany's highest court has restricted the right of the security services to spy on the computers of suspected criminals and terrorists.

Under the technique, software sent in an email enables the authorities to spy on a suspect's computer hard drive.

The case - which began last year - was brought after the western state of North Rhine-Westphalia allowed officials to begin using the technique.

The Federal Constitutional Court in Karlsruhe said cyber spying violated individuals' right to privacy and could be used only in exceptional cases. Court President Hans-Juergen Papier said that using such software contravened rights enshrined in Germany's constitution, adding that the decision would serve as a precedent across the country. The ruling emphasised that cyber spying by the authorities would have to receive the permission of a judge.

The German government has described cyber spying as a vital tool in fighting terrorism. Interior Minister Wolfgang Schauble welcomed the possibility of using the strategy and said it would be considered as part of plans to change the law: The court's decision must be carefully analysed and will be accounted for as the legislation is modified .

Judicial approval is already required in Germany for a suspect's telephone to be tapped, and the interior ministry had been expecting the court to make a similar requirement for spying on computers.

During the case, Germany's independent privacy commissioner Peter Schaar argued that the measure would be a further alarming step towards ever more sweeping surveillance