The German government is preparing to pass laws that would permit authorities to use state trojans to hack into people's devices, even when they aren't suspected of a crime.
The law would extend the Federal Intelligence Service's powers and allow authorities to gain root access to anybody's device for surveillance purposes.
As a result, encrypted messengers with reliable end-to-end encryption would become useless – the government would be able to monitor people's messages in real time before they are encrypted and sent.
Germany's Federal Criminal Police Office has been officially permitted to use state trojans since 2016, when the grand coalition passed a new surveillance law concealed within the pages of a non-controversial bill.
The hidden legislation provided the authorities with legal permission to infect smartphones, tablets, and computers with malware during criminal investigations.
Although that bill is only five years old, German intelligence is known to have secretly employed state trojans (Bundestrojaner) since at least 2011, when the Chaos Computer Club (CCC) "reverse engineered and analyzed a 'lawful interception' malware program used by German police forces".
According to CCC, that malware could "not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs".
Now, the government wants to extend its surveillance powers to allow the police to hack any citizen's device under any circumstances.
If passed, this would create overreaching capabilities that result in a widespread surveillance nexus. This is concerning, because police can use those powers to bypass encryption in apps such as Telegram, WhatsApp, and Signal, removing the ability for people to communicate privately.
Massive threat to privacy
The ability to send encrypted messages is hugely important for journalists, human rights activists, whistleblowers, political activists, lawyers – and any other citizen who wants to communicate sensitive and private information without it being available to their service provider.
Huge numbers of people are known to require access to private communications to protect themselves from persecution, which is why it is essential for all citizens to enjoy access to encrypted messaging.
Removing citizens' ability to communicate privately has long been considered a threat to fundamental human rights – including freedom of expression and freedom of access – by advocacy organizations like ProPrivacy, Privacy International, and Open Democracy.
Now, the German government is planning to broaden one of the most invasive surveillance laws in Europe – in a move that would hugely threaten civil rights. The forthcoming legal changes are so troubling that a number of organizations – including Facebook and Google – have united to express opposition.
According to those companies, the decision to force ISPs to cooperate with the government to install state trojans onto people's devices will create a dangerous precedent. If passed, it will fundamentally alter the relationship between internet service providers and their clients.
As a result, Google and Facebook have joined Chaos Computer Club in sending a joint letter that calls for the government to:
- Refrain from passing additional laws that weaken or break encryption
- Abandon plans to force companies to comply with amendments to the Federal Law on the Protection of the Constitution – which would result in companies becoming an "extended arm of intelligence services" and would "significantly jeopardize cybersecurity".
- Engage in an open consultation period with citizens, civil society, and industry to allow for transparency and proper parliamentary procedure, and to gain adequate feedback before proposals are considered and passed.
Risky laws
It is positive to see Big Tech vehemently opposed to Germany's plan. Unfortunately, however, it seems unlikely to have any direct effect on the government's plans.
The German government has been using malware for investigative purposes for a decade, and it seems probable that the grand coalition of CDU/CSU and SPD parties will decide to rush through the new powers in the coming weeks.
If the amendments to the Federal Law on the Protection of the Constitution are passed – and the proposed Federal Police Act is also passed – this would allow the police to begin snooping on everybody using government malware, even if they aren't actually suspected of committing a crime.
If this comes to pass, it will be hugely concerning for citizens not only within Germany but also elsewhere, because it will create a precedent that other countries may seek to replicate.
No backdoors necessary
Right across the Five Eyes surveillance nexus, governments have been pushing for backdoors into encrypted messenger services.
Governments in the UK, the USA, and Australia have been openly advocating for and passing laws that attempt to force services like WhatsApp to work hand-in-hand with government agencies to provide access to private messages.
Deploying state trojans without consumers' knowledge, in cooperation with Internet Service Providers, gives governments root access to devices, so they no longer need backdoors from service providers and instead get complete access to messages before they are encrypted.
This also creates severe cybersecurity and privacy risks for users. Not only does it potentially give the government access to everyone's personal data, including their credentials and passwords and even their financial information – but it also increases the possibility for devices infected with the trojan to be victimized by third-party hackers.
As a result, the widespread deployment of this kind of exploit could lead to severe threats to consumer security, and allow cybercriminals to engage in serious crimes.
Ultimately, this creates far too many risks for consumers and is something that the German government (and other governments) should not legally be permitted to do – or should only ever be allowed to do in a highly targeted manner after receiving a warrant to ensure there is evidence of criminality before a device is targeted.