Lawmakers have broadened German law enforcement's ability to use malware to circumvent encryption as part of active criminal investigations.
On 22 June, the Bundestag, Germany's parliament, passed legislation broadening the hacking capabilities of the country's police. German law enforcement can now incorporate what's known collectively as "state trojans", or state-owned malicious programs, into over 30 types of criminal investigations including drug trafficking and money laundering.
The ruling coalition of the conservative CDU/CSU and the Social Democrats (SPD) was the major force behind expanding German police's use of state trojans. Michael Frieser, domestic policy expert of the CSU party, feels the broadened capabilities help "facilitate efficient, cutting-edge law enforcement that's keeping us all safe."
"We often see that criminals communicate using encrypted ways. Encryption protects a right for private communication. But it is not a carte blanche for criminals."
Germany's interior minister is a known opponent of encryption. In August 2016, he voiced his support for legislation that would compel mobile operators to grant law enforcement access to encrypted content as part of terrorist investigations. He later announced that Germany was considering legislation that would empower authorities to decrypt and read encrypted messages. An amendment proposed by the European Parliament could block the law, however.
State trojans enable law enforcement to bypass encrypted messaging apps like Signal and WhatsApp. Via the malware, German police can hack a device directly and obtain messaging communication before Signal or WhatsApp has a chance to encrypt it. These capabilities have Jan Korte MP (Left Party) concerned. As cited by Spiegel:
"State-sponsored hacking is much worse than a big malware attack, because nowadays the entire private life is stored on mobile devices, including photos, contacts, SMS, emails as well as location and movement data."
Along those same lines, President of the German Lawyers Association Ulrich Schellenberg told RT he considered it wrong to hide a "serious infraction of civil liberties" inside of a "regular adjustment bill… [and] push it through quickly and without discussion."
Nefarious individuals do abuse encryption. But that doesn't mean Germany and other countries should grant their law enforcement carte blanche to circumvent encrypted messaging apps. Encryption helps companies protect their corporate data and their customers' data, but state hacking undermines such safeguards. In the interest of these companies' ability to maintain trust with their customers, Germany should respect organizations' legitimate use of encryption as well as their investment in solutions designed to prevent key and certificate misuse.