Chaos Computer Club Claims to have Cracked Spying Software Used by the German Government

It seems the American government doesn’t have a monopoly on illegally spying on its citizens. The Chaos Computer Club claims to have crack malicious software used by the German government to illegally spy on its citizens:

It sounds like something out of George Orwell’s novel “1984” — a computer program that can remotely control someone’s computer without their knowledge, search its complete contents and use it to conduct audio-visual surveillance via the microphone or webcam.

But the spy software that the famous German hacker organization Chaos Computer Club has obtained is not used by criminals looking to steal credit-card data or send spam e-mails. If the CCC is to be believed, the so-called “Trojan horse” software was used by German authorities. The case has already triggered a political shockwave in the country and could have far-reaching consequences.

On Saturday, the CCC announced that it had been given hard drives containing a “state spying software” which had allegedly been used by German investigators to carry out surveillance of Internet communication.

As you can guess this news didn’t surprise me (just once I’d like a government to surprise me by not actually being up to anything nefarious) but I do find it interesting that the software allows the controller to remotely control the target’s computer. Such a feature seems like a potential court defense since somebody whose machine was infected with the software could claim that the police are framing him. Then again the state runs the courts and the police so it’s unlikely any judge would be willing to throw a case out because his fellow state agents were doing something naughty. That isn’t even the worst part though, the software also demonstrates that a state can’t actually do anything with any measurable amount of competency:

The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the US. As well as its surveillance functions, it could be used to plant files on an individual’s computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse’s functions for their own ends. The software possibly violated German law, the organization said.

Nice, not only does the software allow a third-party to remotely control the system but it’s also full of security holes so any jackass on the Internet could waltz right in. Security flaws is ultimately the reason I don’t believe any evidence gathered from software of this nature should be admissible in court. Anytime you install a new piece of software you face possible security issues that could allow a third-party to gain remote access to your system. If state agents infect your machine with this software and a third-party uses a security flaw in the software to access your machine and perform illegal acts it’s most likely the state is going to target you because they already suspect you’re up to something they don’t approve of.

I also find the fact that the software transmits data to server in the United States interesting. This could be a barrier put into place so the gathered evidence lies outside of German jurisdiction (for instance if the software is discovered and the state decides to perform an investigation into what was gathered). Another possible reason for sending data to the United States could be due to some secret agreement between the two country’s governments regarding intelligence sharing. Of course it could just be due to the software manufacturer being a United States company and the software is transmitting quality assurance data.

Either way this story should demonstrate the fact that agents of the state can never be trusted. Software such as this is supposed to be illegal according to German law:

If the CCC’s claims are true, then the software has functions which were expressly forbidden by Germany’s highest court, the Federal Constitutional Court, in a landmark 2008 ruling which significantly restricted what was allowed in terms of online surveillance. The court also specified that online spying was only permissible if there was concrete evidence of danger to individuals or society.

When has a state complied with its own ruling though? While I hope the information being presented by the Chaos Computer Club is incorrect I honestly trust a group of hackers far more than any government.