As regular readers of this blog will have noticed, one of the hottest topics in the world of online privacy is government access to communications. Essentially, the authorities want to be able to read encrypted information, but at the same time, they insist that they do not want to weaken the online security of law-abiding citizens. Experts have repeatedly and rightly mocked the contradictory nature of these two positions.
Nonetheless, many people would agree that the authorities should be able to gain access to the communications of those suspected of terrorism or serious crimes, provided there is appropriate judicial oversight. That being the case, how might this be done without undermining the strength and thus security of everyone’s crypto?
As we wrote last month, Germany has been using an alternative approach to penetrate computer systems: by means of a “Staatstrojaner” – a government trojan. Typically, a trojan is introduced onto a suspect’s smartphone or computer by means of an email that tricks the recipient into installing the malware. At that point, the authorities can either monitor all communications flowing to and from the system, or examine information stored on it – or both – depending on the needs and authorization.
Significantly, the new German law allows the authorities to use such malware routinely – until now, it has only been permitted for the most serious threats, such as terrorism. That broadening of the scope means that German police will now have the capability to bypass even the strongest crypto without needing to break it: a trojan on the endpoint reads messages on the device itself, before they are encrypted or after they have been decrypted, so the strength of the cipher is irrelevant.
Other countries are starting to take note of that fact. Just this week, the Austrian government published draft legislation that gives police the authority to monitor messaging services. As an analysis (in German) of the document explains, ten out of the 16 pages of the explanatory