In the Digital Crosshairs of State Control
Governments around the world are building unprecedented digital surveillance infrastructures. This article documents the tools, methods and scale of state digital control — and what you can do about it.
The emergence of the modern surveillance industry can only be understood against the background of the historical continuity of state surveillance interests. Since their existence, states have attempted to control communication structures and collect information about their population, political opponents, or foreign actors. There are numerous historical cases of state postal control, telephone surveillance, or radio reconnaissance. These tendencies are less related to the temporally popular form of state than to the natural mechanisms of external, centralized authority — that is, the foundation of state power.
Whoever now believes that these phenomena died out with the Stasi and no longer play a role in “our democracy” will unfortunately be disappointed in the following sections. In the age of digitalization and so-called Industry 4.0, historically unprecedented possibilities are opening up for the state apparatus. Let us therefore take a look at the most recent findings on German surveillance methodology and the local market for spyware “Made in Germany.”
State Spyware
In the 2010s, a scandal erupted in Germany around the state spyware company group FinFisher. FinFisher, also called “FinSpy,” was a commercial surveillance software originally developed by the German-British company Gamma Group, which was later continued by other companies. The software was developed for and sold to police authorities, intelligence services, and state security apparatuses. Technically, it was a so-called state Trojan that, after infection, could enable deep access to end devices such as smartphones and laptops.
In 2011, the Chaos Computer Club reported on FinFisher and revealed that the state authorities had no intention of adhering to their own prescribed laws when it came to surveillance software for their own people. The covert extension of the functionality of the computer bug was designed from the outset for unconstitutional use. With the pre-configured functions of the Trojan alone, contents of the web browser, private notes, emails, or texts in web-based cloud services could be read. The Federal Constitutional Court had already set strict limits for state espionage as early as 2008. However, that is a different matter when the state apparatus is allowed to regulate itself.
At the time, state authorities were actually only permitted to conduct a source telecommunications surveillance. Such a “source telecommunications surveillance” is legally and technically limited to the interception of internet telephony.
In addition, the authorities’ Trojan could load functional extensions on command in order to use the malware for further tasks in the investigation of the affected information technology system. This full access to the computer could be used, for example, to plant forged, incriminating material or to delete files by unauthorized third parties.
A year later, the Berlin State Criminal Investigation Office concluded a contract funded with public funds amounting to approximately 400,000 euros with the FinFisher company group for the procurement of this software. As the headwind in Berlin became too stormy, the contract was cancelled in 2017. In the same year, the Bundestag approved the use of state Trojans. The FinFisher Group filed for insolvency in 2021/2022 and officially ceased its business operations after much public criticism. Since 2016, the BKA has been developing and using its own state Trojans such as “RCIS.”
Since 2020, all 19 intelligence services of the federal and state governments have officially been allowed to use state Trojans. With the Federal Police Act of 2021, Germany’s largest police force may even use state Trojans against persons who have not yet committed any crime. This is a so-called preventive telecommunications surveillance.
At the end of 2019, the Federal Criminal Investigation Office purchased the Israeli spyware “Pegasus.” This surveillance tool developed by the NSO Group can monitor the entire smartphone of the victim: from messages and location to camera and files. In a parliamentary inquiry committee in 2022, the NSO Group stated that approximately 50 governments use the state Trojan Pegasus 12,000 to 13,000 times per year to hack smartphones.
QuaDream Ltd. is another Israeli company that specializes in the development and sale of advanced digital attack technologies for government customers. The company is known for its spyware marketed under the name “Reign,” which according to reports uses zero-click exploits similar to NSO Group’s Pegasus spyware to hack into target devices. A zero-click exploit is an attack in which a device can be compromised without the affected person performing any action. It is neither necessary to click on a link, nor to open a file, nor to actively launch an app. The mere receipt of specially prepared data is sufficient to exploit a vulnerability in an app or operating system.
As became known through a parliamentary inquiry, the German federal authority for information technology in the security domain (ZITiS) has been in contact with QuaDream since 2019. Although no official public procurement is known, this does not necessarily mean that no deployment has taken place. In Germany, corresponding measures are regularly subject to confidentiality.
Data Analysis and Big Data
Alongside the acquisition of data through the targeted use of state Trojans and similar spyware, the collection of metadata across the entire population constitutes a further level of modern surveillance and analysis architectures. For example, the company ipoque, founded in Leipzig in 2005, specializes in the analysis and classification of network traffic. The core product of the company, acquired by Rohde & Schwarz in 2011, is Deep Packet Inspection (DPI) technology. With this, data streams can be recognized and evaluated in real time according to protocols, applications, and communication patterns. The software examines ongoing network traffic and generates metadata about communication relationships, protocols, and usage behavior. This technology is regularly used by telecommunications companies, security authorities, and intelligence services.
These metadata are then evaluated together with all other available information from internal registers and other sources by large analytics platforms such as Palantir Technologies. The American company was founded in 2003, among others, by Peter Thiel and Alex Karp. The German-American entrepreneur and billionaire Peter Thiel was also a co-founder of PayPal and an early investor in Facebook. As a politically influential actor, he is considered one of the best-known representatives of technocracy in Silicon Valley. Palantir was promoted primarily through the early investments of In-Q-Tel, the venture capital arm of the Central Intelligence Agency (CIA).
The Palantir software Gotham is particularly well known. It is used by police and intelligence services to link and evaluate different data sources. It serves to link data from police databases, telecommunications information, resident registration offices, vehicle data, or open sources in a common analytical environment, making relationships between persons, places, events, and communication patterns visible. Unlike state Trojans such as Pegasus or FinSpy, Gotham does not itself penetrate end devices but processes already existing data stocks. In Germany, this technology is already deployed in several federal states: In Hesse it is used under the name “HessenDATA,” in North Rhine-Westphalia as “DAR” (Cross-Database Analysis and Research), and in Bavaria as “VeRA” (Cross-Procedural Research and Analysis Platform).
Location Tracking
So far we have dealt with targeted surveillance through so-called state Trojans as well as with the infrastructural data analysis by means of Deep Packet Inspection (DPI) or Palantir. Unfortunately, we are not yet at the end, for in fact the mass passive collection of advertising data now also plays a superordinate role in the state desire for more surveillance and control.
The internationally recognized research institute Citizen Lab of the University of Toronto has specialized, among other things, in the analysis of global geolocation and surveillance systems such as Webloc. Webloc is a spyware originally developed by the Israeli company Cobwebs Technologies, which is now distributed by its American successor Penlink. It works on the basis of data evaluation from consumer apps and digital advertising and can surveil hundreds of millions of people simultaneously. The US Immigration and Customs Enforcement (ICE) already uses this software, for example.
Based on its extensive investigations, the Citizen Lab concludes that this privacy-invasive and legally questionable, advertisement-based surveillance is being used by military, intelligence, and law enforcement agencies through to local police units in several countries worldwide. In addition to other potential product servers, eight active servers in Germany were also identified that are connected to the product infrastructure. Moreover, the American company now also has a German subsidiary with Pen-Link GmbH. There is so far no publicly accessible evidence that federal or state authorities have acquired or deployed Webloc. A parliamentary inquiry on the matter was left tellingly unanswered by the federal government with reference to security interests.
Conclusion
As we have been able to show, the digital age opens up unprecedented state surveillance and espionage possibilities. This trend will increase exponentially with every further step in the direction of a fully digital world. The state’s drive for surveillance is historically continuous and natural. The technologically escalating form of it, however, is uncharted territory and deeply troubling.
And even if these methods can of course also be used to combat actual crimes, as a society we are thereby marking a new era of state power. Particularly critically to be assessed is the preventive surveillance by means of so-called state Trojans, legally anchored since 2021. When the citizen is surveilled before they are under suspicion, they are under general suspicion. This suspicion is from now on linked to statistical profiles and official risk assessments.
This furthermore creates a so-called chilling effect. When citizens cannot know whether their communication is being monitored, they tend toward self-censorship in political expressions, journalistic research, and civil society engagement. Such a surveillance architecture thus has a repressive effect on any criticism of the state.
What results from all this is a technically highly developed, largely legally secured, and privately financed surveillance regime. The long-existing state surveillance need is being covered by private service providers. The products of companies such as Gamma Group, NSO Group, or Palantir have hardly any legal or economically relevant sales market outside of state security apparatuses. Spyware for the covert compromise of smartphones, IMSI catchers, zero-day exploits, or systems for mass communication analysis are not consumer goods for an open market, but highly specialized tools for police, military, and intelligence services. Without state demand, many of these companies would have no economic basis and would simply not exist.
This creates a market that is factually largely indirectly financed through public funds. The development, procurement, and use of such surveillance technologies occurs predominantly through state security budgets and thus ultimately through taxpayers’ money. The state thereby not only creates the demand but also simultaneously legitimizes it through security laws, anti-terror measures, or expanded investigative powers.
Solutions
And once again, the overwhelming question arises: what can we do? We can first of all talk about it and point out the dangers. We can give the whole topic a stage through demonstrations and petitions. Such measures are sensible and useful up to a certain point. But one will never be able to combat permanently the natural tendencies of every state toward more surveillance and control. Equally, technological progress in the leading society cannot be halted.
The only long-term sensible path is here again to take one’s own responsibility. Inform yourself about state surveillance and espionage methods and try to protect yourself against them. Get yourself a smartphone or laptop with appropriate security precautions, a GrapheneOS operating system, and encrypted communication. Find your own means and ways to successfully participate in building a parallel, freer society. You will find further information on this website.