German Federal Criminal Police acquires interim government trojan from Gamma
A confidential report submitted to the German Bundestag's budget committee, and now leaked on the Netzpolitik.org blog, suggests that the German Federal Criminal Police Office (BKA) has bought surveillance software from Elaman/Gamma (Finfisher/Finspy). The software was purchased to bridge the gap until the BKA's custom-developed source telecommunication surveillance software is ready, which is expected to happen in late 2014 at the earliest.
Source telecommunication surveillance involves monitoring internet telephony by having a trojan record conversations before they are encrypted on the sender's side or after they are decrypted on the recipient's side. Critics such as the German Federal Privacy Commissioner, Peter Schaar, say that the boundaries with secretive online surveillance are blurred and that there is no technical way of ensuring that the software isn't used beyond the provision of source telecommunication surveillance to intrude into citizens' constitutionally protected core privacy.
The document details the added funding that the German Federal Criminal Police will receive to develop its own source telecommunication surveillance software. Thirty statutory posts have been approved for this task, which will be supported by further regional state experts within the "Strategie und Forschungszentrums Telekommunikation" (SFZ TK, telecommunications strategy and research centre). Another planned SFZ TK task will be to search for "source telecommunication surveillance alternatives that better protect citizens' constitutional rights" on a national and international basis and test potential alternatives for their suitability.
To tide them over until the source telecommunication surveillance software, which is to be developed according to the XT Bund V-Model, is completed, the BKA has acquired software from Elaman/Gamma. Although the document mentions no names, the product purchased from the controversial Gamma software developers is likely to be the Finfisher software suite.
As the BKA's 30 statutory employees are busy developing the custom surveillance software and neither the German Federal Office for Information Security (BSI) nor the German Federal Privacy Commissioner (BfDI) possesses the required expertise, a company called CSC Deutschland has been instructed to check the source code. This analysis, the results of which are considered confidential, was carried out as a "sample test". If minor changes to the surveillance software need to be made at a later stage, it should be sufficient just to check these changes by looking into the protocols and program documentation.
As a further step when carrying out surveillance using source telecommunication surveillance software, the BKA will define criteria for a quality assurance process. The criteria will define operational steps that can't be documented by the software alone. Apparently, the German federal states have already agreed to observe this quality assurance process when carrying out source telecommunication surveillance.
(Detlef Borchers / sno)