According to an internal Interior Ministry progress report published this week by the independent news outlet Netzpolitik, a new version of the German police’s Remote Communication Interception Software (RCIS) will be ready for use before the end of the year.
Unlike the first version, RCIS 2.0 is not limited to the surveillance of desktop computers, but can be used on mobile devices with Android, iOS, and BlackBerry operating systems. It circumvents the encryption built into services such as WhatsApp and Telegram by hacking the phones themselves and reading the messages “at source” on users’ screens.
Last month, the German government passed a law to hand police the power to hack into devices belonging to all people suspected of criminal activity and not just those suspected of terror offenses. However, the new document shows that RCIS 2.0 has been in development since the beginning of 2016. In other words, the security forces have been applying some pressure to bring legal legitimacy to the technology that they were already developing.
“To sell state hacking as just another surveillance measure like any other is, in the face of the newly published papers, a brazen distortion of the truth,” Chaos Computer Club spokesman Falk Garbsch told Netzpolitik. “An arsenal of Trojans is being built as if it were already normal for the state to hack the digital brains of its citizens.”
The document was leaked from the Interior Ministry
The leaked document shows that Germany’s security services have bought the surveillance software FinSpy as a backup should the state’s own RCIS system be leaked or compromised.
That revelation is politically contentious because the program is able to go beyond what is currently allowed by German law.
Part of the FinFisher range developed by Gamma International in Munich, FinSpy is able to remotely record all calls and messages on a phone – both in regular SMS and other texting services – as well as turn on its microphone and camera, and locate and track the device in real time.
Frank Herrmann, of Germany’s Pirate Party, believes that the legality of such software remains a fraught question in itself. “It’s not that easy to bring the legal formulations into step with the technological,” he told DW. “If the law says that no alterations are allowed to be made to the user’s device, then that isn’t technically possible with a Trojan.”
Edin Omanovic, of the UK-based NGO Privacy International, said this was all part of an EU-wide trend. “We’re seeing efforts to legislate for hacking powers in the UK, in Austria, in Italy, and Germany,” he told DW. “There’s more of a cultural sensitivity in Germany than other countries, but what we’re seeing in this legislation is that Germany is one of the most advanced countries for surveillance.”
“Some of these capabilities have already been practiced across Europe,” Omanovic said. “The UK, for example, has been engaged in hacking, but just hasn’t legalized it. There’s a complete lack of safeguards and oversight over the use of this type of technology.”
“We’ve seen the growth of an industry selling these privatized hacking tools over the last few years,” Omanovic said. “And there have been some examples of misuse by governments around the world. For example, there’s evidence that FinSpy was used to target human rights activists and lawyers in Bahrain.”
FinFisher software is thought to have been used against opposition activists in Bahrain
‘Legal or not’
A spy program developed by a private firm to be commercially available offers the police an added benefit: potentially less legal responsibility. “That’s why the authorities like to use outside software – because you can’t know everything,” Herrmann said. “You can always defer responsibility.”
Using privately developed software means that the state is not obliged to produce a report on the validity of the practice. “There has to be a charge and a court process at some point in the future to decide whether something was legal or not,” said Herrmann. “You can really hide a lot with private providers.”
That was one of the reasons why German parliamentarians forced the government to develop its own software in the first place: Privacy and national security were deemed too sensitive as issues to cede control and expertise to firms. “But in practice they do it differently,” Herrmann said. “It doesn’t always work properly – it’s a very long process, and they need a lot of specialists – so they need ‘alternatives.’”
The government’s argument for the legal change is that security forces need the same powers to check digital messages as they have to monitor phone calls. “That’s logical for the average citizen, but the consequence of this equivalence is that people don’t realize that this malware endangers the security of the whole device,” Herrmann said. “The technological intervention is much more severe than just listening in on a phone call.”