This weekend, the German CCC (Chaos Computer Club), an institution which probably is best described as the "white hat" association in Germany and being prominent for a long time for identifying security issues, informed the public about severe issues with the so called "Bundestrojaner", a trojan used by the German BKA (sort of the counterpart to the FBI) in some cases to hack computers of suspects and to collect internet telephony data.

There are two severe issues identified. The first one is that the trojan is able to do a lot of things which are just illegal. The German Federal Constitutional Court has ruled the German state regarding what is allowed and what not. In fact, only tapping of voice communication is allowed, and even that only within tightly defined boundaries. However, the trojan can for capture keyboard data, take over control of the webcam, and some other things. Interestingly, these things have been explicitly forbidden by the Court.

The other issue is simply that the Bundestrojaner is inherently insecure. It doesn't authenticate communication and thus can be easily hijacked. So, a suspect could hijack the Bundestrojaner which has been placed at his system, for example. Regarding to current news, some communication of the Bundestrojaner even uses servers based in the US.

I won't judge about the necessity of things like a Bundestrojaner, but I think the direction given by the German Federal Constitutional Court is reasonable. However, if Germany introduces such tools, they at least should do it right - with respect to the limits defined by the court and with respect to security.

By the way: This evening, the ministry of the interior ("Innenministerium") denied the use of the trojan that had been analyzed and criticized by the CCC. Notably, they denied the use (not the existence). Let's see what happens next. Overall, the concern I had from the very beginning regarding the "Bundestrojaner" has been fortified.