The German Federal Court of Justice has ruled that computers cannot be searched without their owners' knowledge. DW-WORLD.DE spoke to security expert Jürgen Schmidt about civil rights and the state.
German police have been prohibited for the moment from hacking into suspects' computers
DW-WORLD: Will data protectionists be able to sit back and put their feet up after the German Supreme Court decision?
Jürgen Schmidt: The decision is highly significant because for the moment at least it clearly stands in the way of the wishes of the police and the intelligence agency. But data protectionists will definitely not be able to relax. On the one hand, a special law already exists in the German state of North Rhine-Westphalia that permits computers to be searched without their owners' knowledge. On the other, German Interior Minister Wolfgang Schäuble has made clear that he wants this kind of legal power and will, if necessary, attempt to get the necessary legislation passed at national level.
How would the state technically go about conducting such investigations?
I am not really sure how they would go about it. There are still a number of issues that have not been resolved. In individual cases, it would be possible for police computer searches to be carried out on an analogue basis just like normal hackers. Let me give you an example: you receive an e-mail that is addressed to you personally and if possible, a subject line with a personal reference, sent from an address that you trust. You are then required to open a Word attachment and you do this. At the moment, there are five known security loopholes in Word that hackers can use to plant viruses in your PC. But instead of malware, the mail would have some kind of government-approved spyware embedded in it that would then be installed in your computer. This would allow the computer to be searched by a remote device.
Can computer users do anything to stop this kind of intervention using firewalls or virus protection programs?
If it is done well, then it will definitely be able to get past the usual virus protection programs. But if the authorities aim to do something ambitious with only a relatively small budget, they'll run into difficulties. Then I would expect firewalls, antivirus programs and other security software to kick in and stop these intrusions, providing that software manufacturers are not required to run so-called white lists. They would let certain things, which signal "we are the goodies", get through. But implementing that would be very difficult because there are over 20 different virus protection software manufacturers. And how are you going to persuade a Russian manufacturer to define a program used by German police as posing no threat? I don't know how this could be comprehensively implemented.
The Internet does not respect national boundaries. Is it possible that foreign intelligence agencies or national agencies are already hacking into German computers? The lack of any proper legislation in this area would also mean that this would not have any consequences for them.
It is already happening. On the one hand, intelligence agencies who support spy networks do it. On the other, private organizations who have specialized in the area do it. In the field of industrial espionage, security flaws in software are exploited to spy on computers on a daily basis.
Would it be paranoid to think that there is co-operation between software manufacturers and the authorities?
As soon as there is a law compelling software manufacturers to incorporate secret loopholes for the state or forfeit their distribution licenses, manufacturers will comply with this. It is difficult to tell whether these kinds of underhand dealings are already going on. I think the problem would be in getting such practices accepted across the board. You would have to make underhand deals with 30 manufacturers and then rely upon all of them to keep quiet.
People who support legislation in this area frequently say that upright citizens have nothing to fear from state measures. Another argument is that intrusions of this kind can be judged commensurate if they allow the police to prevent crime. Can these arguments simply be rejected out of hand?
When it comes to the issue of whether these measures are commensurate or not, I would tend to set the bar very high. Many people use their computers for very private, intimate things. What would you say in front of a camera in your bedroom? That's a drastic comparison, but I use my computer for very personal things. There are people who write their diaries on theirs. That must be taken into account. The German Federal Court of Justice has done so.
Jürgen Schmidt is the editor-in-chief of Heise Security and head of the security issues section at the computer magazine c't
The interview was conducted by Christoph J. Heuer