BKA spying software: Freedom activists file data protection complaint against use of Pegasus

A few weeks ago, it became known that the German Federal Criminal Police Office is one of the customers of the Israeli NSO Group and uses its Pegasus Trojan. The Society for Civil Liberties sees this as a violation of fundamental rights - and is calling for a review by the Federal Data Protection Commissioner.

The Society for Civil Liberties (GFF) has filed a complaint with the Federal Data Protection Commissioner Ulrich Kelber against the use of the Pegasus spying software in Germany. At the beginning of September, it had become known that the Federal Criminal Police Office had also procured the spying software from the Israeli company NSO Group and has been using Pegasus since the beginning of the year.

The BKA states that this is a heavily scaled-down version of the spying software. But even this version violates current regulations, according to GFF. "By using the Trojan, a private, foreign company, which presumably also spies on journalists and human rights activists on behalf of authoritarian states, gains access to highly sensitive data of citizens in Germany," said David Werdermann, GFF's procedural coordinator.

The Pegasus spying software and the NSO Group behind it have been notorious for years. Organizations such as the IT lab Citizen Lab at the University of Toronto have repeatedly demonstrated how authoritarian states have misused Pegasus to monitor human rights activists and opposition figures. As recently as July, research by Amnesty International and an international media consortium revealed the extent of this abuse. Journalists, human rights activists, lawyers, opposition figures, even government leaders were on a list of spying targets of NSO clients.

Kelber to examine slimmed-down version

At a hearing in the Interior Committee in early September, a representative of the BKA admitted for the first time that the agency had purchased the spying software from NSO Group in late 2019 and had taken delivery of it in late 2020. Until then, the government and authorities had refused to provide any information on the subject. In its complaint, GFF now doubts that the software meets the requirements that German law places on the use of state Trojans.

In fact, the BKA had a problem here because Pegasus can do much more than is allowed in Germany. For example, German law requires a separation between so-called source telecommunication surveillance (Quellen-TKÜ) and online searches. With the former, investigators are only allowed to read ongoing communications before they are encrypted, for example. In the latter case, they are allowed to search further data on the device. The BKA is not allowed to touch information from the "core area of private life", i.e. nude pictures or sexual messages.

NSO Group is therefore said to have agreed, after negotiations with the BKA, to develop a "Pegasus-Light" for the specialized needs of the Germans. The BKA said that in this German version, the protection of the core area is ensured by an immediate and separate data deletion, which was built in afterwards.

Assurances are not enough

However, GFF doubts that this can happen in a legally compliant manner. After all, the server infrastructure for Pegasus is provided by the NSO Group itself - and thus a company that is located outside the EU and has become known in the past for employees allegedly abusing the possibilities for spying. If intimate messages or nude images initially flow through NSO Group's servers and are only subsequently deleted, this violates fundamental rights, according to GFF. The organization sees this as a possible "insufficient protection against unauthorized use and knowledge."

According to the BKA, it has received a contractual assurance from the NSO Group that no data will flow to the company. However: "Such a contractual assurance does not meet the requirements for the protection of the Trojan and the data collected with its help." Exactly how the function of the purchased state Trojan was restricted is as yet unknown. As the German Tagesschau reports, the entire process is classified as "secret."

No ban, but possibly more information

With its complaint, GFF wants the data protection commissioner Ulrich Kelber to review the software and object to its use by the BKA. According to the BKA, Kelber has known about Pegasus since the end of 2020, but he was only informed about the purchase "during the acceptance process", i.e. at a time when the deal had long since been concluded. He could not check in advance.

An objection by the data protection commissioner would not have any concrete consequences for the BKA for the time being - Kelber cannot ban the use of Pegasus. However, the government would then have to deal with the objection. In addition, the association hopes that this will enable it to get more information about the deployment in the first place.

"The problem is that we have no insight and do not know the software in detail," says David Werdermann, who is coordinating the complaint at GFF. "That's why the commissioner is the appropriate contact for now, to shed light on the issue." A strategic complaint, as GFF otherwise often pursues, was not possible in this case anyway, he says, because it requires an affected person. In the case of Pegasus, no one in Germany is known so far whose phone was spied on. The BKA spoke to the Interior Committee of a "medium single-digit number" of cases.

New Pegasus case in Hungary

Meanwhile, it became known yesterday that another journalist in Hungary has been spied on with Pegasus. Dániel Németh is a photojournalist from Budapest who was mainly involved in documenting the luxurious life of the Hungarian elite surrounding Viktor Orbán. As reported by the Hungarian investigative portal Direkt 36, two of his phones had been spied on with Pegasus.

Németh had turned to security researchers at Citizen Lab after it became known in the summer that Pegasus had been found on the phones of several Hungarian opposition figures, lawyers and journalists. A forensic analysis of his phones subsequently confirmed that he had also been tapped. Amnesty International researchers were later able to confirm the infection.

According to Direkt 36, the attacks on his phone took place in July of this year, shortly after Németh returned from a trip to Naples, where he wanted to take pictures of Lőrinc Mészáros, a childhood friend of Prime Minister Orbán, who is now considered one of Hungary's richest men. Earlier, the consortium had revealed that five other journalists had been spied on in Hungary, two of whom are investigative reporters on the editorial staff of Direkt 36, a portal that regularly reports critically on the Hungarian government and Orbán's entanglements.
