The information portal for safe cell phone use

What is a state trojan?

A “Trojan” is a specific type of malware that can be used to infect computers, smartphones and other devices. A Trojan opens up access to the infected device, which third parties can then use, for example, to read data in secret.

Such Trojans are used not only by people with criminal intent, but also by government agencies such as the police, intelligence services or customs. When government agencies use this kind of malware, it is called a “state Trojan”. In recent years the additional terms "Federal Trojan", "Eurotrojan" and "Police Trojan" have come into use, each indicating the level of government at which the spy software was purchased or used.

The difference from "normal" telephone surveillance

The term “state Trojan” does not appear in any law. Instead, lawyers speak of “source telecommunications surveillance” (Quellen-TKÜ). Why do authorities need a Quellen-TKÜ in the form of a malicious program in addition to conventional telephone surveillance, known as telecommunications surveillance (TKÜ)?

With classic telephone surveillance, the telephone provider taps the call data of a monitored phone while it is in transit between the call partners. The provider then delivers the data to the supervising authority.

If the content of the messages is encrypted, all the provider can pick up at this point is unreadable data. Because a large part of communication now takes place via encrypted messengers such as WhatsApp or Signal, authorities such as the police and intelligence services are seeing their monitoring options dwindle.

The Quellen-TKÜ is meant to solve this. It is so called because the monitoring does not take place on the data line between the devices, but directly on the monitored device, i.e. at the "data source". A spy program smuggled onto the device can read text messages there before they are encrypted.

Who can do what? Legislation related to the state Trojan

The legislation on the Quellen-TKÜ has changed continuously over the past few years. While its use was initially very limited, it is now available to many police authorities, and also for medium-level everyday crime.

  • Since 2017, under the Code of Criminal Procedure (StPO), the state Trojan may also be used for medium-level everyday crime, such as forgery of documents. Previously it was only permitted for serious crimes, for example to ward off terrorism.
  • The police are currently allowed to use at least one version of the state Trojan in eight of the 16 federal states. In Bavaria, since May 2018, this is possible even without specific suspicion: it is enough that a person is classified as dangerous. It remains to be seen whether this regulation will stand up in the constitutional courts.
  • The Ministry of the Interior is currently drafting a law that would allow the Office for the Protection of the Constitution to use state Trojans. At the same time there is a draft law from the Ministry of Finance that would allow customs to use state Trojans for Quellen-TKÜ.

Why state Trojans endanger IT security for everyone

The demand for a Quellen-TKÜ may sound plausible at first. Compared with conventional telephone surveillance, however, it has so many disadvantages that its actual benefit to society is highly questionable.

In order to smuggle a Trojan onto a smartphone unnoticed, weaknesses in the security architecture of the device have to be found and exploited. This leads to the paradoxical situation that the police themselves search for loopholes in the security of smartphones and other devices and keep them open.

In the end, this endangers the IT security of all users, as the "WannaCry" case impressively demonstrated. In May 2017, a group of hackers crippled 300,000 Windows computers in order to extort money. Critical infrastructure was also affected, including hospitals in the UK. The group used a vulnerability in the Windows operating system to install the "WannaCry" Trojan. The explosive part: the US intelligence service NSA had known about this vulnerability for years. Instead of reporting it to the manufacturer so that it could be closed, the NSA kept the loophole secret so that it could use it itself. This made it possible for the hacking group to use the same security hole for their own purposes.

This is an important difference between conventional telecommunications surveillance (TKÜ) and surveillance using Trojans: even if the police were never or only rarely to use a Trojan, IT security as a whole is already weakened by keeping security gaps open and ready for use. Vulnerabilities must either be found or purchased. If the state buys security vulnerabilities, it becomes more attractive to sell discovered vulnerabilities for surveillance purposes instead of reporting them to the manufacturer.

In practice: overpowered, expensive and complicated

Activists regularly demand that the software used be disclosed and thus verifiable, because technically a Trojan can also be used to upload data to the target device and to alter data there. It is therefore questionable whether the data obtained can be used as evidence in court at all.

One well-known example is the state Trojan from the company DigiTask used in Hesse. Activists from the Chaos Computer Club examined the spy software in 2011 and showed that it was inadequately protected against access by third parties and that far more functions could be loaded onto it than the law permits.

In practice, the legally compliant use of surveillance technology also appears to be quite difficult and expensive. In 2012, for example, the State of Berlin bought a Trojan from the Munich company FinFisher for 400,000 euros. It had to be reworked several times but was never used. For the in-house development of the Federal Criminal Police Office, called "Remote Communication Interception Software Version 1.0 and 2.0" (RCIS), the agency spent 5.8 million euros and needed over four years. The first version was also considered a flop: it could only listen in on Skype calls on Windows PCs.

Unclear: How does the Trojan get on the phone?

In the first step, the investigators have to identify the target device and determine which operating system is running on it. Laws have already been adapted so that the police can break into the homes of those affected for this purpose. In the second step, the spy software is smuggled onto the target device and executed. How this is done has not yet been legally clarified. Technically speaking, Trojans can be deployed either with physical access to the device or remotely.

There are numerous ways to deploy it remotely. Every route by which data reaches a system is conceivable, such as messenger or e-mail attachments, manipulated websites or other forms of manipulation that cause those affected to execute a program. Updates can also have been prepared by the manufacturer in such a way that they include the malware at the same time.

Cases have also become known in which investigators briefly gained physical access to the device, for example during bogus customs checks. As a rule, those affected will notice nothing of the planted Trojan; it can remain there for weeks or months.
