German "government trojan" debate is infantile

Written by

Patrick Gray
Patrick Gray

CEO and Publisher

By now you've likely read about the German Chaos Computer Club's (CCC) reverse engineering of the so-called "Bundestrojaner," or "federal trojan".

Someone found a copy of a remote access trojan in the wild, claimed it was government spyware and submitted it to CCC for analysis. The resulting publications give us a bit of an insight into at least one country's alleged "computer tapping" capabilities.

The German government has actually denied the malware is used by any of its federal agencies. Who knows about state police services or agencies. But if it turns out the trojan is indeed 'legit' then we can safely say, drum roll please, governments write pretty shitty malware.

I've been moved to write about this whole drama by the reaction to CCC's analysis. Some people out there are actually shocked that governments have this capability. I'm shocked they're shocked!

Every time one of these (allegedly) government-created remote access trojans pops up the tinfoil hatters scream Big Brother; they seem to think the existence of this sort of technology proves governments are conducting illegal surveillance on a massive scale.

They think the feds are rattling around in their computer already looking for evidence of subversive political thought. Kids, the government isn't using this technology to obtain advance copies of the anti-globalisation manifesto you're writing for Pastebin. You're a 21-year-old arts undergraduate with 320 Twitter followers. You're a nobody and no one cares about you. Deal with it. (QQ)

Reaction from the fringe-dwellers aside, the CCC analysis was a truly worthwhile exercise. It managed to expose a few things, like the fact the trojan was shipping with features explicitly forbidden under German law pertaining to surveillance.

The German government, under warrant, can lawfully intercept IP-based telephony with spyware, but it's not allowed to snoop on, say, files on the infected host's hard disk. Bundestrojaner's features explicitly allowed this.

As mentioned, the German (federal) government has denied Bundestrojaner is its creation, but you can bet your bottom dollar any similar badware used by ze Germans is now getting some proper attention and oversight from up on high.

This whole exercise has raised awareness at the very top and that's a hell of an accomplishment. The CCC deserves a pat on the back -- genuine kudos -- for bringing these issues to light.

CCC also found the Trojan was a big pile of insecure, bug-riddled shit that anyone with half a brain could reverse and learn how to control; unencrypted command and control For The Win.

Even if this trojan isn't government spyware, you can bet the real stuff is likely just as bad.

But like it or not, governments today actually need these capabilities for legitimate reasons.

So let's cool the debate a bit.

Just like a court approved telephone intercept, there are entirely valid reasons for law enforcement to conduct covert searches of suspects' computers. There's simply no problem with governments having this capability as long as the judicial oversight is sufficient. [ADDED 25/11/11: I've reflected a bit on this and I don't think you can actually introduce sufficient oversight in this case. In the case of intercepting communications like Skype? Maybe. But in the case of just going nuts snooping on someone's hard drive? That's just a situation ripe for abuse. So colour me convinced!]

If a law enforcement body is looking for specific evidence pertaining to a serious crime, has a prima facie case and there's no other practical way to obtain the evidence, how is a court granting a warrant allowing this sort of snooping a bad idea? [ADDED 25/11/11: Again, I'm convinced there's no effective oversight you could introduce here. In the case of phone/Skype intercepts I think you probably can have appropriate oversight, but remote, covert searches of someones' computer are a genuinely shitty idea. Mea culpa. I think I was just being contrarian to annoy the tinfoil hatters.]

We do not have an absolute right to privacy from government, even in Western democratic nations. The state can intrude on the privacy of its citizens if there's a good reason. [ADDED 25/11/11: I absolutely stand by this as a general principle.]

Should governments be installing completely bug-riddled, insecure trojans on peoples systems? Nope. Should they creating features that allow the controller of the malware to easily exceed their authority? Again, no.

But let's not throw the baby out with the bathwater here. These government-created RATs are valuable as investigative tools in serious crime investigations. That's good for all of us.

Let's look at this CCC analysis for what it is: A good excuse for Attorneys-general and police ministers all over the world to make sure this technology is being implemented in accordance with each country's wiretapping and surveillance legislation.

What do you think? Post a comment here.

Follow Patrick Gray on Twitter here.

Check out the Risky Business podcast here.

Subscribe to podcast feeds here.