“Pegasus” spy software: Would you like a little more?


Exclusive

Status: 07/19/2021 5:00 a.m.

The Israeli company NSO wanted to sell the controversial espionage software “Pegasus” to German authorities. So far without success. The Trojan can do more than German law allows.

By Christian Baars, Florian Flade and Georg Mascolo,
NDR / WDR

A little-known agency is located in an inconspicuous office building in the east of Munich. The Central Office for Information Technology in the Security Sector (ZITiS) was launched in 2017. It is something like Germany’s hacker agency. ZITiS describes itself as a “start-up” among government agencies and advertises a relaxed working atmosphere. Employees do not have to wear a tie or jacket. Those who want to can bring their dog to work. Agency chief Wilfried Karl, a former BND man, even sometimes parks his motorcycle in the office in winter.

ZITiS is intended to help the German security authorities with the challenges of the future. The IT specialists in Munich are to research and develop – for example, cyber tools with which the police and the domestic intelligence service can monitor the encrypted communication of suspected terrorists or drug dealers. But research and development have long since ceased to be the only concern: market research is also one of the tasks of the still-young agency. ZITiS is supposed to look around the world for products that could be worth buying.

Sales tour of German authorities

Shortly after ZITiS was founded, there were visitors from Israel. Representatives of the NSO Group gave a presentation in Munich; they were on a kind of roadshow and showed their portfolio. It included the espionage software “Pegasus”, with which smartphones can be secretly monitored, completely spied on and even turned into bugs that record conversations unnoticed.

A year earlier, in October 2017, NSO presented to the Federal Criminal Police Office (BKA) in Wiesbaden. There were also talks with the BND and the Federal Office for the Protection of the Constitution. The representatives of the Israeli company even met twice with the cyber experts from the Bavarian State Criminal Police Office (LKA) in 2019. At another demonstration in September 2019 at the Ministry of the Interior in Munich, Minister Joachim Herrmann was even present, as a spokesman announced.

The German security experts were very impressed by NSO’s technology, participants in the product demonstrations report. After all, what was presented here was the dream of many investigators: software with which all communication on a target person’s mobile phone can be monitored unnoticed – whether text messages, e-mails or encrypted chats.

Photos and videos can also be searched and passwords read out. And all of this can even be done remotely, without physical access to the phone. According to its own information, NSO has already sold its products to 60 different authorities in 40 countries around the world, apparently for many millions of euros. In Germany, however, the Israeli company probably only received rejections.

“Pegasus” is too powerful

A survey of the federal states by NDR, WDR, “Süddeutsche Zeitung” and “Zeit” showed that at least the state police authorities did not buy any software from the company. Most interior ministries, however, did not provide any information about their offices for the protection of the constitution. Berlin and North Rhine-Westphalia said that their domestic intelligence services did not use any NSO products either.

The likely reason for the German authorities’ reluctance to use the Israeli software: “Pegasus” is simply too powerful, too potent. The Trojan can do a lot more than German law allows. Since a change to the Code of Criminal Procedure in 2017, police authorities have been allowed to use state surveillance software in criminal prosecutions, under a judicial order, to read encrypted communications such as WhatsApp chats.

This form of surveillance is called source telecommunication surveillance (Quellen-TKÜ) and is subject to strict legal requirements. For example, only ongoing communication may be monitored, or chats from the time of the judicial order.

However, if a smartphone or laptop is secretly searched with spy software, this constitutes an online search under German law. The legal hurdles for this measure are even higher, because the Federal Constitutional Court considers it a very serious encroachment on fundamental rights. The judges in Karlsruhe decided to protect the “core area of private life” – such as the love life of suspects.

“Tamed Version” – State Trojans

But how is that supposed to happen when software siphons off virtually everything that is stored and takes place on a smartphone? “Pegasus” does not recognize the distinction that German law draws between source TKÜ and online searches. With the Trojan, the entire cell phone can de facto be spied on, regardless of whether the data is communication or stored data, photos or videos. For German authorities to be able to use it, the software would have to be changed, or slimmed down. However, the manufacturer does not have such a tamed Trojan on offer, say German security officials. The “German special requests” are said to have caused the Israelis to shake their heads.

The BKA has developed its own version of state surveillance software, a so-called “state Trojan”, over many years. However, this program does not work on all devices and only with a few apps, and is therefore not very practical, which is why the BKA has also purchased a commercial product from FinFisher. So far, however, these “state Trojans” have rarely been used; their use has only been attempted in very few proceedings.

Installing the software on a target device unnoticed is still considered too time-consuming and complicated. Due to a change in the law, the German secret services – the BND, the Office for the Protection of the Constitution and the Military Counterintelligence Service – have recently been allowed to carry out source TKÜ. The G10 Commission, a secret committee that decides on eavesdropping measures by the services, must, however, agree to such surveillance. It is still unclear which software the German services intend to use in the future, and whether ZITiS should develop this Trojan itself or simply buy it. It is likewise unclear whether the authorization is lawful at all.

The FDP parliamentary group filed a complaint with the Federal Constitutional Court last week. The party’s legal and domestic policy experts consider the use of “state Trojans” by the secret services to be unconstitutional.


