ZITiS: A law for the “hacking authority”

Status: 01/31/2023 11:29 am

The Central Office for Information Technology in the Security Sector (ZITiS) is to develop tools and methods for the police and secret services. So far, however, it has been working without a legal basis. That should change now.

It presents itself as modern and hip, the German “hacker authority” ZITiS. The abbreviation stands for: Central Office for Information Technology in the Security Sector. It is the “start-up” among the authorities, as its head likes to describe it, and that is how it advertises for staff. And things are actually a little more relaxed in the offices of ZITiS in Munich. Hardly anyone wears a suit and tie here, there are cozy seating areas and even dogs are allowed. However, ZITiS has so far been missing something crucial: its own law.

The authority was established in May 2017 by ministerial decree of the then Interior Minister Thomas de Maizière. ZITiS aims to research and develop technical tools and methods for the police and intelligence services, or to look for suitable products on the commercial market. Such skills are becoming more important as investigators increasingly reach their limits when it comes to averting danger and prosecuting crime.

So far, ZITiS is not allowed to conduct investigations itself

Encrypted communication or hard drives, for example, are a growing challenge, as is the evaluation of particularly large amounts of data. ZITiS aims to remedy this. Strictly speaking, however, it is not an authority, but only a “body” subordinate to the Federal Ministry of the Interior. ZITiS, which now has around 300 employees, has so far not been allowed to take part in investigations itself, for example by working with confiscated data carriers or carrying out wiretapping measures.

This could change now. The federal government wants to provide the authority with its own legal basis. It is to determine what ZITiS is allowed to do, and when and for whom the specialists from Munich are allowed to work. The Federal Ministry of the Interior has presented a key points paper, which the coalition partners SPD, Greens and FDP will now discuss. A first draft of the law should be in place by the end of March. The portal netzpolitik.org was the first to report on it.

According to the paper, ZITiS will continue to act as the higher federal authority for the Federal Criminal Police Office (BKA), the Federal Office for the Protection of the Constitution (BfV) and the Federal Police, and coordinate an annual work program with these “needs”. The security authorities should explain to ZITiS what they need and what technical problems need to be solved. Now it is to be checked whether the authority can also work for the Federal Intelligence Service (BND), the Customs Criminal Police Office and the military counter-intelligence service.

More tasks are to be added

So far, the tasks of ZITiS have included the work areas of telecommunications surveillance, cryptanalysis, forensics and big data analysis. If the Federal Ministry of the Interior has its way, another task will be added in the future: “Support for users by providing and operating IT services”. This means the provision, maintenance, care, further development and hosting of “the technical solutions developed by ZITiS”.

In addition, the “hacking authority” is to be given additional powers. ZITiS should be allowed to examine “information technology products and systems” that are bought on the market by the security authorities. This includes, for example, spyware, so-called “state trojans”, with which computers and mobile phones can be monitored.

There is also the “need for the trial application of the monitoring functions” of such programs. According to this, ZITiS should also be allowed to carry out eavesdropping measures itself in order to check whether the IT tools are also working as desired.

The criticism that ZITiS is primarily a “procurement office” for the police and secret services, that it develops little itself and rather searches for commercial surveillance software worldwide, has always been rejected by the authority’s management in the past. In fact, however, market exploration is definitely one of the tasks of ZITiS.

Contact also with controversial manufacturers

In recent years, ZITiS has been in contact with several companies that make spyware, including the controversial Israeli company NSO Group, which sells the “Pegasus” software. According to research by an international research cooperation, including NDR, WDR and SZ, “Pegasus” was used against members of the opposition, media representatives, human rights activists and even heads of state and government.

Most recently, research by SWR and “Welt” revealed that ZITiS was apparently also interested in the “Predator” software from the Cyprus-based “Intellexa” consortium. In Greece, among other things, several opposition politicians and journalists are said to have been monitored with this program by order of the head of government. A parliamentary investigation has therefore been initiated in Athens.

More parliamentary control?

The planned ZITiS law should also strengthen parliamentary control, at least a little. Once a year, the Federal Ministry of the Interior is to inform the Interior Committee of the Bundestag about the activities of ZITiS. In recent years there has been repeated criticism from Parliament: ZITiS is a “black box” and almost nothing is known about its work. Everything is kept highly secret, and even questions from MPs have often received hardly any answers.
