
German officials admit to using R2D2 Trojan to spy on citizens

You may have seen a trail of news stories bubbling up yesterday and over the weekend about a group of hackers who said they discovered the German government was using spyware to keep tabs on its citizens. It turns out that story may be true, as officials from a number of German states have admitted to using the software.

The large European hacker club Chaos Computer Club (CCC) stumbled upon a Trojan horse and, after reverse-engineering and analyzing it, traced the program back to the German police. The software was designed to be used under legal wiretaps, but has allegedly been used to spy on more than it should.


According to Deutsche Welle, Chaos Computer Club asserts that the software, nicknamed R2D2 or 0zapftis, once installed has the ability to log keystrokes, take screenshots and even record Skype conversations. Bavaria was one of the first German states to confirm use of the program; the Bavarian interior minister Joachim Herrmann believes the police acted within the law's parameters, but will investigate the matter of R2D2's use.

German law, thanks to a court decision in 2008, permits the use of spy software by government officials in order to combat terrorists and criminals. Wiretapping is legal, but courts need to give the OK. Also, according to Chaos Computer Club's analysis, the program oversteps the bounds of the law: it not only observes, but has the ability to "receive uploads of arbitrary programs from the Internet and execute them remotely".

The German DigiTask firm revealed that R2D2 could be a tracking program the company sold to Bavaria four years ago. DigiTask also sold similar programs to Austria, Switzerland and the Netherlands. DigiTask is rumored to offer certain “forbidden functions” to some of its government clients.

The Trojan find adds fuel to the debate over whether governments should use electronic surveillance. As CCC points out, it shows how easy it may be for authorities to overstep boundaries if not watched carefully.

Via msnbc

Editors' Recommendations

Terms & Conditions: Should ignoring fine print be illegal?

For this week's T&C, we're going to veer from the regularly scheduled programming – parsing a single terms of service or privacy policy – to focus on a more pressing matter, an issue that concerns all terms of use, of every Internet-connected service in existence.
Right now, a bill is floating around in the House of Representatives that would make it explicitly illegal – a felony – to violate certain terms of service. Sound crazy? That's because it is – but it's also real. Which is why we need to talk about it. Below, I'll explain what the situation is, and what we should all try to do to help.
Computer Fraud and Abuse Act, the short version
There is a law that's been on the books since 1984 called the Computer Fraud and Abuse Act, or CFAA. It's a big law, and has recently come up due to a number of "hackers" facing prosecution under the CFAA. One of these hackers was Aaron Swartz, who helped create RSS, Creative Commons, and Reddit, and killed himself in January amidst ongoing prosecution under the CFAA.
Swartz got in trouble for downloading a bunch (read: millions) of scholarly articles from a service called JSTOR. He did so by accessing it through the network of the Massachusetts Institute of Technology. The problem here is that Swartz potentially faced up to 30 years in prison. Many people think that is far too harsh a sentence for what was, by all accounts, a victimless crime.
There have been a number of other similar cases recently – one against "AT&T iPad hacker" Andrew "Weev" Auernheimer, and another against Reuters' deputy social media editor Matthew Keys – but the complaints are all the same: Penalties under the CFAA are too strong.
Another problem with the CFAA – which was passed before the Internet existed – is that it prohibits "unauthorized access" of a "protected computer." But nowhere does the law define what either of those two terms mean – thus, the courts have had to sort this out. That's led to more confusion, and more problems.
For example, prosecutors have charged people in the past under the CFAA for violating the terms of service of a website, based on the argument that doing so constituted "unauthorized access."
In other words, the federal government has the power to send you to jail if you lie about your name or age on Facebook, which are against the rules. You could theoretically be put behind bars for sharing your Pandora password. Will you? Probably not – but that doesn't mean the government should have that power.
This is a problem, clearly. But it's not getting any better; in fact, it could get worse.
CFAA, redux
OK, so the problems people have with the CFAA are that its penalties are too harsh, and what exactly "unauthorized access" and "protected computer" mean is anyone's guess. Since Swartz's death, people have been pushing for Congress to fix the CFAA. A recently surfaced "draft bill" (meaning it's still in its earliest stages) that would amend the CFAA shows that the House Judiciary Committee wants to do exactly the opposite of what the people have called for. Worse, it could make it even easier to go after those of us who violate terms of service.
See the draft bill text here (PDF).
According to the Center for Democracy & Technology – a balanced, trusted rights advocacy group – updating the CFAA with the new language "would push the law in the exact wrong direction, dramatically heightening penalties while giving the government and civil litigants more latitude to prosecute or sue average Internet users who happen to violate a Web site’s terms of service or an employer’s computer use policy."
As the Electronic Frontier Foundation aptly points out, many news websites (and other services) prohibit users under the age of 18, and more often 13, from accessing the website, according to the terms of service. (This rule is in the terms to help ensure these companies don't violate the Children's Online Privacy Protection Act (COPPA), which prohibits the unauthorized collection of personal data of kids 12 and under.) If kids of the wrong age do access these sites, they would be "criminals" according to the U.S. Department of Justice.
Not on my watch
While it is vitally important to keep our financial data and information related to national security out of the hands of hackers, there appears to be no good reason to make terms of service violations a criminal offense. (Please, speak up if you have one!) If you agree, there are a couple of things you can do.
First, sign up for the EFF's call to action against the CFAA. Next, do the same for Demand Progress' campaign. And finally, call your representatives in Congress, and tell them exactly how you feel about the CFAA and the changes outlined above.
Terms of service and privacy policies are important to read and understand – that's why T&C exists. But clicking "I Agree" without reading first should never send you to jail.

This friend to hackers is probably your best bet for Internet freedom, too

Since the death of famed developer and "hacktivist" Aaron Swartz at the beginning of this year, one law more than any others has come to the forefront of the Internet community's consciousness: The Computer Fraud and Abuse Act, or CFAA, which many believe is dangerously vague and can result in grossly unfair punishments for those, like Swartz, who are prosecuted under its statutes. And few people are as close to the front lines of this battle over the CFAA as New York-based attorney Tor Ekeland.
Ekeland first jumped into the CFAA fight last year, after he agreed to represent infamous "AT&T iPad hacker" Andrew "Weev" Auernheimer, who was recently sentenced to 41 months in prison for something many say should not be illegal. He is continuing this fight by representing Matthew Keys, Reuters' deputy social media editor and famed Twitter journalist, who has been indicted under the CFAA for allegedly handing over login credentials for the network of his former employer, the Tribune Company, to Anonymous hackers. Keys potentially faces 25 years in prison and $250,000 in fines.
We gave Ekeland a call to get his take on the computer crime law that critics believe could, if the government so chose, land every Web user behind bars.
Digital Trends: How did you get into computer crime law?
Tor Ekeland: I came into this by chance because my wife is a photo journalist who was shooting Occupy Wall Street. And she ran into Andrew Auernheimer. She started talking to him. He mentioned he was looking for a lawyer to replace his federal defender. I had worked in corporate law for five years, and was about to start my own law practice. So she came home and said, 'Hey, I met this guy. Looks like a really interesting case. Are you interested?' I took a look at it and said, 'This is really fascinating. I think the issues here are potentially really major.' So I call him up. We met. He agreed to me repping him pro bono. And that was that.
You've mentioned on Twitter that you "hate" the Computer Fraud and Abuse Act. Can you tell me a bit about why that is?
The Computer Fraud and Abuse Act is a statute that originated in 1984, before the Internet existed, before HTTP existed. And it originally existed to protect government computers and financial institution networks, things related to national security and protecting the economy. Over time, it's been amended a number of times. And among the statutes at its core, it forbids 'unauthorized access' to a 'protected computer.' A 'protected computer' is basically anything with a microchip that's involved in interstate commerce. So, I mean, your coffee maker is probably a 'protected computer.' The phone you and I are talking on right now could, with the broad definition, be a 'protected computer.'
What's problematic about the statute is that it nowhere defines what it seeks to prohibit, which is 'unauthorized access.' It doesn't define it anywhere. And the courts are continuously confused about that. So, they come up with a number of different interpretations that are arguably very problematic. You know, some courts have read 'unauthorized access' to mean that if you violated the terms of service of a website or Facebook or something, you know, you've engaged in unauthorized access.
In Andrew's case, what's so interesting about the case and why it's a major case is ... essentially, his co-defendant [Daniel Spitler] queried AT&T's publicly accessible iPad servers with a number that matched the number on the SIM card in an iPad. When he entered a number in a URL directed to these iPad servers, it would publish an email address, if that number actually matched a customer's SIM card number, it would publish that customer's email address, and then ask you for a password. So, you know, he wrote a script that did that, that harvested like 114,000 email addresses – no personal information, nothing, no password was ever hacked. And now Andrew's been sentenced to 41 months for participating in this conspiracy to do this.
The problem at root here is basically that entering a number into a URL is what people do a lot every day on the Internet. And if you're not going to define 'unauthorized access' as bypassing a password or some kind of code-based restriction, the statute's potentially criminalizing what's considered normal computer behavior that people engage in every day. Now, is our federal government going to prosecute millions of people for alleged computer crimes every day? No. But it allows them to pick and choose, and engage in these arbitrary prosecutions.
In Andrew's case, AT&T wasn't telling people to change their email address. There was no spear phishing, or all that stuff. They were embarrassed. But the Department of Justice decided to go after Andrew and seek this harsh sentence. Same thing with Swartz; the courts... even if it wasn't a technical violation of the statute, there really was no harm involved. JSTOR and MIT really didn't want it to go down that path. The DOJ I think sort of has this mentality that hackers are evil, and its kind of paranoia is reminiscent of the Red Scare. I think hackers are the new communists.
So, it's just problematic because it's a really vague statute. And because it's so vague, it invited what I think are unwarranted prosecutions.
You can make an argument that what Google's search engine is doing is a violation of the CFAA because they're crawling the Internet with their bots for collecting links. And the theory of "unauthorized access" in Andrew's case is "unauthorized access" because they're saying it was – AT&T says it was and the federal government says it was. But there's no notice or warning or pop-up saying, 'You don't have access to this website. It's forbidden or unauthorized.' So under this theory, you could have someone who does a Google search, clicks on a link, the website decides that, 'No, I don't want you at this website,' and you've potentially committed a felony. And I think that would surprise most people.
How would you fix the CFAA?
Well, Congress is actually talking about making the law more draconian. Which I think is nuts. One thing I think they need to do is to make the punishment proportional to the actual harm. Like, right now with Andrew's case you've got somebody who's committed felonies, been sentenced to three and a half years, where there really was no harm.
I would make most of the statute civil. Right now it's a criminal and civil statute. I think most of these cases could be remedied by having the companies sue the person, civilly, and don't involve jail time. I think they should reserve the criminal punishments for real harm to lives – national security or financial institutions, or messing with the 911 network, or taking out part of a hospital, or something with real harm.
There's some sort of fear of the mysterious computer hackers that causes people to kind of get hysterical and call for these punishments. There's a disconnect. Some people pointed out that in Matthew Keys's case, if what they're alleging is true, and that he's a disgruntled employee who tried to take revenge on his boss, that he would have been better off beating his boss with a lead pipe because the criminal penalties in the physical world are less draconian than the penalties under the CFAA.
Why should the average Web user, who's never going to "hack" anything, who's never going to write any scripts of any type, care about the problems with the CFAA?
Well, they should just be concerned that their Google searches, and clicking on a website, is potentially criminal. If you go to some website that somebody doesn't want you there, you might have just committed a federal crime. I think, like what you see with Andrew, our government tends to go after unpopular defendants first. And Andrew, you know, he's a very controversial figure, and an Internet troll. And so there they get this expansive reading of this statute, they get precedent after going after someone unpopular that nobody's really too concerned about. Now they can just go around and prosecute with these extremely broad theories.
It kind of plays into that book Three Felonies a Day, where the authors argue that because criminal law's become so expansive, most people are committing three felonies a day without knowing it. And so it puts you in a position where, should you be in the wrong place at the wrong time with a computer, the government can prosecute you at a whim, and you're going to end up in this unexpected Kafkaesque nightmare.
Is it just a coincidence that we've seen three high-profile CFAA cases – Aaron Swartz, Andrew Auernheimer, and Matthew Keys – become big news in the past three months, or is the government actively pursuing these more frequently?
That's a good question. And it certainly raises one's eyebrows that all of a sudden you're getting all of these Computer Fraud and Abuse Act prosecutions lately. And I think what's going on is there's this hysteria about hackers. You can't open up a newspaper, or turn on your computer and read the news, without finding a story about how the Chinese are hacking us, or the Russians are hacking us. ... And part of that I think is just fear of the unknown that scares people. And there's a bit of an overreaction there.
Given the rate at which technology changes, and the way we use technology changes, is it even possible to write "good" computer crime laws?
That's a good question. I think part of what's happening is you see the law struggling with this rapid technological change. I think you probably could write a decent law, but it'd have to be written by informed people who know the general principles of how the Internet and computers actually work. I think one really good suggestion to amend the Computer Fraud and Abuse Act is, define 'unauthorized access' as bypassing a password or some type of code-based restriction. And I think that's pretty simple. Passwords have been around for a long time. My 5-year-old son knows what a password is, and that's sort of a line to draw. A company knows that, if I want to protect my information and prevent unauthorized access, I put up a password. That's not rocket science.
But, like you said, nobody can predict what's going to happen in the future. And I think it's tricky. It's tricky because you can write these laws with good intentions, but there's the inadvertent consequences.
Photo by Katja Heinemann

The Digital Self: Fight the man, buy a CD

Don't even think about trying to re-sell any of those under-played MP3s on your computer – that would likely be against the law. This is according to U.S. District Judge Richard Sullivan in Manhattan, who ruled this week against Arizona-based company ReDigi, the "world's first" digital equivalent of a used record store, which allows people to buy and sell "used" music tracks and albums originally purchased through Apple's iTunes.
Sullivan's decision stems from a January 2012 lawsuit filed by Capitol Records, which asserted that ReDigi's business was based entirely on copyright infringement. ReDigi countered the claim, saying that its service abides by copyright law because it does not make any copies of the MP3 files it re-sells – instead, it simply transfers the original file to the ReDigi servers, and permanently erases it from the seller's hard drive. Because no copy is being made, ReDigi's argument goes, its business should be legal. Sullivan, of course, disagreed.
The ruling against ReDigi is seen as a win for Capitol Records and the music industry in general, and a loss for ReDigi (which may have to shut down entirely) and any other company that wants to make a business dealing with pre-owned digital goods – like Apple and Amazon. But the real losers here are the consumers. It's time we fight back the only (legal) way we can: Stop buying digital music.
Thwarted by copyright
The first issue here is something known as the "first sale" doctrine, which says you are allowed to "sell or otherwise dispose" of a copyright work that you've purchased without first obtaining permission from the copyright holder. "First sale" is what allows any secondary marketplace, like eBay, Craigslist, Amazon, or your local used book store, to operate legally.
ReDigi claims that its business should be legal based on "first sale," a provision of copyright law that the Supreme Court reaffirmed just this month (PDF). Sullivan dismissed this argument based on the interpretation of the Digital Millennium Copyright Act (DMCA), which prohibits the unlicensed reproduction of protected works. What ReDigi was doing, says Sullivan, clearly violated the DMCA because copies were being made (even though ReDigi refutes that claim). As an alternative, Sullivan suggested that users could simply sell the hard drive on which the copyrighted file is stored. Yes, really.
The bigger issue at hand is the DMCA itself, which even the U.S. Register of Copyrights Maria A. Pallante believes is outdated and confusing. It is the DMCA that sits behind most of the copyright issues we have in the U.S. It's the law that killed Megaupload, and the one that makes it a federal crime to unlock your new smartphone. According to Pallante, Congress would do well to revamp U.S. copyright law to clear up the issue of "first sale" as it applies to digital goods.
Here's how Pallante explained the issue during a recent lecture at Columbia Law School:
"On the one hand, Congress may believe that in a digital marketplace, the copyright owner should control all copies of his work, particularly because digital copies are perfect copies (not dog-eared copies of lesser value) or because in online commerce the migration from the sale of copies to the proffering of licenses has negated the issue. On the other hand, Congress may find that the general principle of first sale has ongoing merit in the digital age and can be adequately policed through technology . . . Or more simply, congress may not want a copyright law where everything is licensed and nothing is owned."
Let me repeat that last bit: "everything is licensed and nothing is owned." This line perfectly explains the nut of the problem; when it comes to digital goods, we don't actually "own" anything. That album you just purchased off of iTunes isn't really yours – you've simply paid for a license to play the songs in the privacy of your home or car. The same rules apply to "your" ebooks, downloaded video games, apps, and any other software-based product.
Look at it this way
From copyright owners' perspective, this setup is completely understandable. While a physical book and an ebook might have the same content, it is virtually impossible for your average Web user to provide an infinite number of copies of the physical book to anyone who wishes to have it. The "licensed not owned" technicality is there to stave off piracy. Were that setup to disappear, say experts, it could "wreak havoc" on content publishers.
For consumers, licensing-only makes much less sense. When you pay for something, you should own it. You should be able to resell it, delete it, or play it on whatever device you wish. At least, that's the theory. Unfortunately for us consumers, it's no longer the reality.
So, what are we to do? The first step is to contact your representatives in Congress and tell them to firmly establish the re-selling of digital goods as a legal practice. (Not a very satisfying option, I know.) As we wait for Congress to take action on this issue – it will be a very long wait – the only real way to fight back against the current system is to go analog-only. Only buy used books, used CDs or vinyl – not because you want to be a hipster, but because it's the only legal way to subvert a system that is designed specifically to make your life more difficult.
What other choice do we have?