Alleged Skype Surveillance by German Police

By iddav at 11:54 pm on January 26, 2008

Documents posted today on WikiLeaks suggest that German police in Bavaria may have used a trojan for intercepting Skype calls as part of their surveillance of suspects. One document is an offer from DigiTask, a German company, to rent Skype surveillance technology at EUR 3,500 per month per instance. The other document is a letter between the Ministry of Justice and the Prosecutor's office about distributing this cost.

As explained in the DigiTask offer, Skype uses 256-bit AES encryption for its communications, and the data captured with traditional dial-up or DSL surveillance methods cannot be decrypted. Instead, DigiTask offers a “Skype-Capture-Unit” to be installed directly on the suspect's computer. The trojan, they claim, would then forward the Skype data, captured before it is encrypted, to an anonymous proxy server, which in turn can forward the data live to police.

DigiTask also offers software for decoding SSL data with a Man-in-the-Middle attack, allowing SSL-encrypted data in an intercepted broadband connection to be decrypted and visualized by the police. According to the offer, dated September 4th, 2007, they support SSL interception in both Firefox and Internet Explorer. Naturally, DigiTask warns that it does not take responsibility for the usage of the software or any damages caused by it.

Although these documents do not give evidence that the Bavarian police actually employed trojans and MITM attacks for surveillance, the leaks, if valid, do shed light on the scale of surveillance operations. The Bavarian police, for their part, did not seem to have qualms about such an intrusion, and the very existence of DigiTask, a seemingly well-established company profiting from the secret sales of surveillance software, introduces (for me at least) a new adversary in the privacy arena. For those interested in the privacy of computerized data, the scales have just been jarred.

Filed under: Current Events, Privacy

4 Comments

  • 1
    Comment by Max Aller

    January 27, 2008 @ 4:18 pm

    All I can say is…wow. So everyone hates spyware because stuff on your computer is supposed to be restricted to your computer unless you say otherwise. But what if you get spyware, and you discover it’s not sending personal data to some sketchy domain off in cyberspace — it’s sending it to your local police! This seems like a conspiracy theory waiting to happen, i.e. the Feds are already doing this in the States.

    Still, this makes a good point about the “weakest link” concept. It doesn’t matter if you have 23532621231257644-bit quantum encryption if you can get access to the data before it’s even encrypted. I’m not sure what the weakest link would be exactly, though…the user or the operating system.

    Selling SSL decryption as a service is also highly sketchy. As a regular civilian here, who’s not to say they wouldn’t attempt to sell the service to other authorities (or, gasp, malicious adversaries) to decrypt anything else SSL is used to protect (i.e. credit card number).

    As you allude to in your last paragraph, I’m more worried about the apathy regarding this company’s practices with respect to the local authorities than about what the authorities themselves could be doing, mostly for reasons mentioned in the previous paragraph.

    This whole idea is rapidly approaching the “uncool”-ness of mass-spamming, except that this falls under the supposed veil of legitimacy. Bastards.

  • 2
    Comment by jerins

    January 27, 2008 @ 11:35 pm

    There have been many situations in the past in which particular parties have used these types of means in order to enforce some policy, or to gain some privileged information.

    In another instance that was recently reported, Sony was faced with a similar accusation. It was stated that Sony had a rootkit on their CDs that would automatically install itself without the knowledge of the user. The purpose was to send information back to Sony about the legitimacy of the copyright information on the computer. Another example of a party (Sony) trying to somehow accomplish a goal (detect illegal use of their files) using invasive and questionable tactics.

    The thing that makes the story of this particular blog post even more scary is that the party that is performing the invasive activity isn’t just a corporation, but it is the very party we look to for protection from such activity, the law and the government that enforces it. It is one thing when a private company makes a mistake, and the law can help to prevent such activity in the future if need be. But if it’s the law that is taking the action in the first place, this is an even more serious situation.

    This is just another example of the balance between a company or the government trying to do their jobs effectively and protecting their assets, and the privacy of the private citizen that can be at stake.

  • 3
    Comment by Suchmaschinenoptimierung

    February 22, 2008 @ 10:16 am

    Hello,
    I am from Germany; since January all the internet connections are saved by the provider for about 6 months. This is a part of the new anti-terrorism law.

  • 4
    Comment by bavaria course

    January 28, 2009 @ 5:22 am

    hi there.
    i am from Bavaria and i can tell you, there is no fun with the police. every little mistake is to be punished. driving by bike at night (2 a.m.) in the wrong way: 50 €! so i can imagine that they have their trojans and stuff…
