Germany’s Minister for Justice has called for an investigation into Internet surveillance by the country’s state governments, after a tool used for legitimate surveillance was found to open the door to a greater degree of snooping than is legally permitted.
Last week, hacking group the Chaos Computer Club (CCC) claimed that a "lawful interception" program used by the German police to tap VoIP calls could be used to install and execute code on a target device remotely.
The group concluded that "the Trojan’s developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping Internet telephony, as set forth by the constitution court".
Independent security firms said that there was no reason to doubt CCC’s findings, with Mikko Hypponen of F-Secure saying that CCC has a long history of trustworthy research.
The topic of state surveillance is of particular sensitivity in Germany, and the CCC’s announcement has brought the interception of Internet communications into the public eye. So far the states of Bavaria, Baden-Württemberg, Brandenburg and Lower Saxony have admitted to using some form of spyware, although they may not have all used the same program.
Justice minister Sabine Leutheusser-Schnarrenberger told German newspaper Deutsche Welle that "trying to play down or trivialise the matter won’t do. The citizen, in both the public and private spheres, must be protected from snooping through strict state control mechanisms".
In 2008, transparency group WikiLeaks published documents revealing that the Bavarian government was trying to find a way to eavesdrop on calls made through VoIP service Skype. Messages were exchanged between the Bavarian bureau of investigation and Düsseldorf-based software maker DigiTask.
According to Graham Cluley, chief researcher at security company Sophos, the details of the system discussed in that exchange match those of the system described by CCC. "It is possible that DigiTask did not write the malware – but the functionality does match," Cluley said.
In July this year, a Microsoft patent for "legal intercept" was made public, just months after the company bought Skype, the popular VoIP software.