Officials in a number of German state governments have owned up to using the Quellen-TKÜ Trojan Horse software in criminal investigations to intercept encrypted telecommunications on PCs.
At least one state said it has suspended use of the software, after the Chaos Computer Club discovered that it could be controlled by anyone, not just law enforcement officers.
Bavarian Interior Minister Joachim Herrmann said that interception of encrypted telecommunications using Quellen-TKÜ is a legally authorised law enforcement measure in the fight against serious crime. Bavaria has always operated within the rules up to now, and all such intercepts have been preceded by a court order as required by law, he said, according to a statement from the Bavarian Interior Ministry.
The legal restrictions on the use of such intercept software on PCs were set out in a 2008 ruling by Germany’s Federal Constitutional Court, and require among other things that the software used be capable only of recording voice calls, much as a traditional wiretap would, and not be capable of eavesdropping at other times, or of capturing other data from the PC such as screenshots or files.
Despite his reassurances about the legality of the Quellen-TKÜ, Herrmann said he had asked the Bavarian State Commissioner for Data Protection to carefully check that the appropriate technical measures were implemented with regard to the Quellen-TKÜ software, and that the state had complied with legal requirements. The ministry’s specialists will conduct an intensive investigation into the matter, he said.
Doubts about the legality of the software were raised over the weekend by the Chaos Computer Club (CCC), which discovered that the software could accept instructions to download and activate new surveillance functions. CCC also discovered that those instructions were not authenticated: the software it tested will accept them from anyone, not just law enforcement officers.
After Bavaria’s admission, the Ministry of the Interior for the German state of Baden-Württemberg said that it had used the same software as Bavaria to intercept calls in “individual cases.” Its use of Quellen-TKÜ was within the law, but nevertheless, Baden-Württemberg Interior Minister Reinhold Gall has temporarily suspended the state’s use of the software as a precaution, pending a fuller investigation, the ministry said.
The German state of Hessen has also used Quellen-TKÜ, but only within the limits prescribed by the Federal Constitutional Court, Hessen Interior Minister Boris Rhein said Monday. Police in Hessen have so far used only legally compliant software versions that have been programmed under court order, he said.
However, he said he would seek clarification from the German Federal Interior Minister and discuss the matter with interior ministers from other German states.
Two other states, Brandenburg and Lower Saxony, have also admitted using software to intercept encrypted voice communications on suspects’ PCs, according to local media reports.
Brandenburg police used the same Quellen-TKÜ software as that used in Bavaria, according to the Berliner Morgenpost, but the software used in Lower Saxony is different, the chief of the state police authority, Uwe Kolmey told North German radio station NDR.
German Federal Justice Minister Sabine Leutheusser-Schnarrenberger said that a “comprehensive and complete investigation” of the use of the software was now necessary to maintain German citizens’ confidence in the rule of law.
The Federal Interior Ministry is now conducting inquiries to find out whether the monitoring software has been used by police authorities across Germany, but that ministry is not responsible for intelligence agencies such as the Federal Intelligence Service, Leutheusser-Schnarrenberger said in an interview with the Passauer Neue Presse, a transcript of which was published in German on the Justice Ministry’s website.
View full post on National Cyber Security » Computer Hacking