German police will be able to use surveillance software by the end of the year that can hack into people’s smartphones and read encrypted messages in such services as WhatsApp, says a report that cites a leaked document.
A new version of the German police’s Remote Communication Interception Software (RCIS), which is used for surveillance of electronic devices, will be ready by the end of the year, the independent German media outlet Netzpolitik reports, citing a leaked internal Interior Ministry progress report it obtained.
Unlike the previous version of the program, which was limited to surveillance of desktop computers, the new software will be able to hack into smartphones and tablets running the Android, iOS and Blackberry operating systems.
It can also circumvent the encryption systems built into various anonymous messaging services such as WhatsApp or Telegram by hacking directly into the devices themselves and obtaining the messages directly from the “source” – the users’ screens.
In June, the German Bundestag adopted a law that allowed the police to hack into messengers such as WhatsApp using “state trojans” to intercept user communications before they are encrypted on their devices as well as to gain full access to their chat messages, video recordings or other private data.
The law also gave police power to hack into the devices of all people suspected of any criminal activity – not just those who are suspected of terrorism.
However, the leak showed that the new version of the surveillance software, which allows hacking into smartphones and spying on anonymous messengers, has been in development by the German Federal Criminal Police (BKA) since at least the beginning of 2016 – almost a year and a half before the security service was legally allowed to develop such software.
The document obtained by Netzpolitik also revealed that the BKA purchased commercially developed surveillance software, FinSpy, as early as 2012. It was originally regarded as a potential substitute for state-developed software that could be used during a “transition period” between the BKA receiving permission to hack into people’s devices and developing its own surveillance program.
Later, the BKA decided to keep it as a backup in case its own software was compromised.
However, it has not yet used the software, despite paying some €150,000 for it over five years, as it is able to go well beyond the restrictions set in the law, the document says.
FinSpy, developed by Gamma International in Munich, is able to record all calls and messages on a mobile device as well as remotely turn on its microphone and camera and locate and track the device in real time.
FinSpy’s manufacturer has already altered the software three times to make it compatible with German law, Netzpolitik reports.
The latest developments have provoked criticism from activists and politicians, who believe that massive state surveillance will eventually compromise people’s security instead of protecting them against any threats.
“To sell state hacking as just another surveillance measure like any other is, in the face of the newly published papers, a brazen distortion of the truth,” the Chaos Computer Club spokesman, Falk Garbsch, told Netzpolitik. “An arsenal of Trojans is being built as if it were already normal for the state to hack the digital brains of its citizens.”
Frank Herrmann, a member of Germany’s Pirate Party, warned that hacking directly into mobile devices could lead to more serious consequences than monitoring phone calls. “People don’t realize that this malware endangers the security of the whole device,” he told Deutsche Welle, adding that “the technological intervention is much more severe than just listening in on a phone call.”
In the meantime, Erin Omanovic, an activist with the UK-based NGO Privacy International, told Deutsche Welle that similar measures aimed at giving security services the right to hack into people’s electronic devices are being taken not only in Germany but also in many other countries.
“We’re seeing efforts to legislate for hacking powers in the UK, in Austria, in Italy, and Germany,” he said.
“Some of these capabilities have already been practiced across Europe,” Omanovic said. “The UK, for example, has been engaged in hacking, but just hasn’t legalized it. There’s a complete lack of safeguards and oversight over the use of this type of technology.”
“And there have been some examples of misuse by governments around the world. For example, there’s evidence that FinSpy was used to target human rights activists and lawyers in Bahrain,” the activist added.