On February 27, 2008 the Bundesverfassungsgericht (Federal Constitutional Court of Germany) issued a historic judgment. Concluding the discussion surrounding the Bundestrojaner (or Staatstrojaner, literally “state/federal trojan”, the colloquial German term for the government malware concept) – known as an “online search” in official German – the highest court in Germany announced a new constitutional right to the privacy and integrity of IT systems. The judgment places severe restrictions on the secret services and investigation authorities when they seek permission to infiltrate computers in Germany for the purpose of extracting data and surveilling the core of private life.
Even so, the judgment contains a passage that has informed observers concerned: the paragraph on Quellen-Telekommunikationsüberwachung (“source telecommunication surveillance”, or lawful interception at the source). Representatives of the investigation authorities and the government argued vehemently in the Karlsruhe discussion that they need to capture all encrypted communication on a suspect’s PC before it is encrypted. The court did not want to obstruct this completely and has permitted “source telecommunication surveillance” – though only “when the surveillance is limited to data from an ongoing telecommunications process. This is to be enforced through technical and legal means.”
How this type of enforcement is supposed to function in practice was already heatedly debated during the Karlsruhe hearing on the Bundestrojaner. In any case, the court recognized the risks and wrote: “If a complex information technology system is technically infiltrated in order to perform telecommunication surveillance (‘source telecommunication surveillance’), the infiltration overcomes the critical hurdle to spying on the system as a whole. The endangerment thereby brought about goes far beyond what is entailed by the mere surveillance of ongoing telecommunication.”
The concern is that a backdoor which has already been installed on a PC can easily be programmed with functionality (or can download functionality over the internet) that goes beyond what is constitutionally permissible. This backdoor functionality could then reach, undetected, deep into the protected private core of the infected PC user’s life.
More than three years have passed since the judgment, and the German investigation authorities have not been idle. Criminal proceedings all over Germany in recent months show the use of trojans as a means of surveillance: for example, the case file shows evidence that could not have been garnered from mere telephone wiretapping, or screenshots taken from a suspect’s PC show up with no traceable origin. These screenshots, which document various emails or chats that are incriminating from an investigation viewpoint, were disguised as “source telecommunications surveillance”, which was applied for and legally approved as wiretapping of internet telephony.
If suspects seek to defend themselves against this infiltration of their private sphere, the authorities justify their actions by saying that the program they deployed originates from an extremely safe and security-screened service provider, and that it was specifically created in accordance with current wiretap laws. Exceptionally strict quality control is supposed to make sure that no such program contains functionality above and beyond the surveillance rules set forth by the constitutional court.