Germany's Nice Hackers
June 24, 2008The Chaos Computer Club hit the headlines in a big way in the late 1980s. Not only had its hackers managed to access the US space agency's computer network. It also turned out that associates had sold stolen data to the Soviet secret service, the KGB. But things are very different today, according to club spokeswoman Constanze Kurz.
"The KGB hack was an absolute transgression. That was another era. There were very few networks, people wanted to try things out. They wanted to see what was possible. Today, more and more people have their own personal computers. Our role has changed accordingly."
The CCC's volunteers now apply their considerable energies to the cause of private data protection. Their Berlin office, which has all the scruffy charm of a student common room, is manned 24/7. There, club members work away feverishly trying to detect security loopholes in everything from electronic voting systems to debit cards. The empty crates of mate in the corner testify to long, sleepless nights.
Principled hackers
By day a researcher in Humboldt University's information technology department, the 34-year-old is keen to stress the group's good intentions.
"We have a hacker ethic. We want to distinguish ourselves from the criminals, who we call 'crackers,' who do it to earn money."
With computers governing most aspects of our daily lives, the group has assumed the responsibility of revealing just how open our digitalized society is to abuse.
"The protection of private data is becoming more and more of an issue. More and more technology is being used for surveillance and we are trying to resist that development," said Kurz.
Data protection is a hot topic in Germany. Last month, snooping scandals engulfed several big German companies. The CEO of telecommunications giant Deutsche Telekom called in state prosecutors after it was discovered thousands of calls between executives and journalists were being tracked in a bid to staunch press leaks. Subsequently, similar allegations were made against German railways company Deutsche Bahn and the airline Lufthansa.
The maximum fine for this offense is 300,000 euros ($465,000). Far too low, according to the Chaos Computer Club.
"These crimes should no longer be treated as peccadilloes. A company like Telekom can pay the maximum fine out of petty cash. They should face the threat of imprisonment. They are criminals and should be treated as such. It's possible to spy on someone's entire life with this data," said Kurz.
Who's the gamekeeper and who's the poacher?
The state can no longer be relied upon to play the role of gamekeeper, according to the club.
"They want to use the data themselves. They want to get access to the data of these firms -- the railways, the credit card companies," said Kurz. Last November, the German parliament passed a law that requires the storage of all telephone and cell-phone connection data for six months. Critics say it goes further than European Union requirements.
The spokeswoman believes the state also lacks the means to police firms effectively. Data protection authorities at both national and state level are, according to Kurz, ludicrously understaffed.
"We need data privacy laws to be tightened up and the existing ones to be better implemented."
Civil rights campaigners and data protection advocates fear that Germany's postwar achievements are being steadily eroded. The latest source of unease is the draft bill that the German cabinet agreed at the beginning of June. If the Bundestag were to approve it, it would give the police powers to conduct video surveillance of private apartments and sweeping online computer searches.
The CCC spokeswoman sees the current trend as a betrayal of the lessons learned from German history.
"I think Germany has another role to play because of its Nazi past. Data protection contributes to human dignity. Computerization in the form of punch-card machines made it possible for a kind of technological preparation for the Holocaust. There were firms that categorized people according to racial characteristics. There is also the background of East German history."
Germany no longer a shining example
While many countries have seen citizens' freedoms sacrificed to security concerns in the wake of the 9/11 attacks on the US, a report issued by the London-based NGO Privacy International showed that Germany had slipped in international rankings from the top spot to place seven within a year.
The true situation is far worse, according to Kurz. "The Privacy International comparison is based on what's on paper. They look at the existing legislation in various countries. But if you look at what's happening in practical terms, Germany is now the world champion when it comes to telephone tapping. We can beat the United States hands down. There's also massive Internet surveillance."
In this new climate, the work of NGOs is increasingly needed, according to Kurz. The club -- which sees itself as a form of extra-parliamentary opposition -- is conveniently based just minutes from the Bundestag and is in regular contact with most of the political parties. Awareness of the issues is, however, largely limited to the younger computer-literate generation of parliamentarians.
Over the years, the expertise of the CCC has won respect -- begrudging or otherwise. Its members speak before parliamentary committees and appeared as expert witnesses at Germany's constitutional court.
"The image of the hacker has changed. People no longer think we're the baddies with the hoodies," she said.
As well as pinpointing security loopholes, the group can contribute toward constructive solutions to computer security problems. Kurz is currently busy examining whether quality standards can be established to make electronic voting safe. All existing systems are vulnerable to manipulation, according to the CCC spokeswoman.
Games of cat-and-mouse
Despite their upright aims, the nature of their work nevertheless places them on the fringes of legality. The CCC had to resort to sleight of hand to obtain the electronic voting equipment in the first place. Neither state authorities nor manufacturers have an interest in having their systems literally pulled apart.
And subversive stunts attract media attention. This March, the CCC made news when they "stole" the fingerprints of Interior Minister Wolfgang Schaeuble (CDU), the architect of plans to increase state powers. After swiping a glass that he had used during a panel discussion, they recreated his prints with a little glue, a digital camera and a photocopier. The instructions were posted on their Web site.
The action was designed to demonstrate the ineffectiveness of biometric systems. Germany was the first EU country to add fingerprints to its passports -- an infringement of civil liberties as well as a dubious security measure, the group believes.
A groundswell is beginning to form against recent developments in Germany, according to Kurz. The CCC's own membership has grown by one-third since 2001 and now numbers around 2,000. It is also expanding abroad and recently opened a branch in Bristol in southwest England. And last September's anti-surveillance protest in Berlin attracted an estimated 10,000 to 15,000 participants from a broad social spectrum.
Besides political engagement, the CCC spokeswoman thinks people should be more aware of their powers as consumers to boycott firms that do not adhere to data protection standards. She would also like people to become more conscious of the personal data that they might be surrendering, often unthinkingly.
"We want to make people to think twice before they go out and get another loyalty program card."