Online search

from Wikipedia, the free encyclopedia

Online search refers to covert access by criminal police or intelligence services to third-party information technology systems via communication networks. It is used in the context of criminal prosecution, to avert danger or to obtain information.

It differs from conventional telecommunications monitoring in that the data transfer is not merely tapped on the transmission path of the messages; instead, data is searched directly on the end device (computer, mobile phone, etc.) using spy software. Technically, this is hacking. The software used is called Remote Forensic Software (RFS; German: Fernforensische Software), colloquially known as the State Trojan and by similar names.

Online searches include both one-time access (online inspection) and online monitoring over a longer period of time. If access is limited to tapping ongoing communication on the device of a target person, one speaks of source telecommunication monitoring, i.e. monitoring at the source of the transmitted messages. The aim is usually to bypass the encryption of the data.

Forensic basics

Data transmission and telecommunications can be tapped on the transmission path in a variety of ways. State access for gaining evidence or deeper insight into criminal activity is governed by regulations that specify which data and interfaces network infrastructure operators must make available. To search data that remains only within a closed electronic system, the device itself must be accessed directly. Encryption poses a particular problem. Cryptography was developed for security purposes. To circumvent it, the data must either be viewed before encryption or after decryption, or the key itself must be obtained. This, too, is only possible directly on the device, that is, on the source or target device of the communication. Such a tool therefore has to be installed on the suspect's computer either through electronic access or by observers in person in the suspect's home.

Regular reference has been made to the possible use of state malware, a type of Trojan horse. Colloquially, the terms "police trojan", "state trojan" and, most widespread in Germany and Austria, "federal trojan" are used for this software. Officially, the software is referred to as remote forensic software (RFS). In the security industry, such types of intrusive software are called govware (from English government, and to govern: 'direct', 'control', 'influence').

The software used by the state is subject to confidentiality, so the technologies are not generally known. In practice, these are program packages in which, in addition to rootkits and Trojans (in the strict sense), various malware technologies can be used for the basic installation. According to officials from the German Federal Criminal Police Office (2007), a specific keylogger is used. Application platforms such as FinFisher include not only intrusion routines but also memory dump programs.

Situation in individual countries


Germany

The legal basis for online searches in Germany has been the new Section 100b of the Code of Criminal Procedure (StPO) since Article 3 of the Act on the More Effective and Practical Design of Criminal Proceedings came into force on August 24, 2017.

Before the creation of the special legal regulation of Section 100b of the Code of Criminal Procedure, Sections 20k and 20l of the Federal Criminal Police Office Act (BKAG) formed the legal basis for averting threats from international terrorism (within the meaning of Section 4a BKAG). The old version of § 100a StPO, the procedural law relevant for other serious crime, did not expressly allow the installation of spy software, which is why the German Association of Judges, among others, demanded a decision by the legislature on the requirements and framework conditions for source telecommunications monitoring.

In the German federal government's program to strengthen internal security, the online search is described as a measure "to search remote PCs for process-relevant content without actually being present at the location of the device". Whether it is to be regarded as a search in the legal sense, and to what extent it is to be equated with a search of an apartment or house (in which case it would have to meet the constitutional requirements for laws encroaching on the fundamental right to inviolability of the home, e.g. under the German Code of Criminal Procedure), is controversial among lawyers. In its judgment of 31 January 2007, the Supreme Court (Bundesgerichtshof, BGH) in any case saw no legal basis in §§ 102, 105 of the Code of Criminal Procedure: the very secrecy of the search does not fit the system of open searches in §§ 102, 105 StPO. Rather, § 100a StPO would come into consideration, but the BGH rejects this as well: an online search is precisely not telecommunication surveillance, i.e. monitoring of the flow of communication between the suspect and a third party. The Federal Government is of the opinion that online searches for special data types are already covered by applicable law. The customs investigation service, for example, has an authorization basis as the authority initiating the measure. For this purpose, a program for source telecommunications monitoring (also known as Quellen-TKÜ, the monitoring of telecommunications on the computer before it is encrypted) is installed and used if the content is encrypted in traditional telecommunications monitoring. There is currently no legal basis for entering the apartment to install the software, which is why this option cannot currently be used.

Since 2018, a number of constitutional complaints from lawyers, artists and journalists, including some members of the German Bundestag, have been pending at the 2nd Senate of the Federal Constitutional Court on the question of whether the changes to the Code of Criminal Procedure, in particular the possibility of ordering so-called source telecommunication monitoring and the online search by means of the so-called "state trojan", are constitutional.


Austria

At the same time as the discussion in Germany, thought was also given in Austria to the possibilities of online searches and surveillance. One argument of the proponents is the fight against terrorism, child pornography and organized crime. Data protection advocates doubt this, since it would also be possible to investigate petty criminals under the guise of counter-terrorism. On October 17, 2007, an agreement was reached in a meeting of the Council of Ministers and recorded in a joint contract paper. Accordingly, the "online search", as all investigative methods on private computers are called, should only be used for crimes that are punishable by more than ten years, and only if a court order is available. According to the Justice Minister, finds on computers without a judicial decision should not be allowed to be used.

As became known in 2011, the Austrian Ministry of the Interior acquired a Trojan from DigiTask. This was used by the Federal Office for the Protection of the Constitution and the Fight against Terrorism and the special unit for observation without a legal basis.

On March 31, 2016, the Federal Ministry of Justice introduced a new legislative proposal to parliament as a ministerial draft, which is intended to create a legal framework for the "monitoring of messages transmitted via a computer system". This proposal also explicitly allows monitoring via third-party software on the computer of the person concerned or one of their contacts. In the following week, there was massive criticism from numerous organizations, including the Greens, AK Vorrat and the data protection forum.

After 56 predominantly critical statements were received in the assessment process, Justice Minister Wolfgang Brandstetter told Puls 4 that the plans in the proposed implementation would not make sense. The ministry added on June 8, 2016 that a new draft was being worked on.

With the 2018 security package, some online search measures were introduced or expanded, including the legitimization of the federal Trojan.


Switzerland

Online searches are currently not expressly regulated by law in Switzerland.

Use based on Art. 280 StPO

After it became known that DigiTask had also supplied customers in Switzerland, the Federal Department of Justice confirmed in October 2011 that the federal and cantonal law enforcement authorities had used Trojans in individual cases to clarify serious crimes.

DigiTask Trojans were used to monitor Andrea Stauffacher, who is accused of explosives and arson attacks, as well as in other terrorism and drug cases. According to the authorities, the operation was based on Article 280 of the Code of Criminal Procedure (StPO) or on analogous provisions applicable before 2011. According to Art. 280 StPO, the public prosecutor's office can "use technical monitoring devices to listen to or record words that are not spoken in public; observe or record events in non-public or not generally accessible places; or determine the location of people or things." According to the lawyer Marcel Bosonnet, the Swiss federal prosecutor's office and criminal police applied for legal assistance from federal German authorities in order to have the Andrea Stauffacher case monitored online from abroad. According to the legal opinion of the Swiss Federal Prosecutor's Office, approval of the surveillance measure by the Swiss Federal Criminal Court was unnecessary.

Intended regulation in Art. 270 bis StPO

Whether Art. 280 StPO is sufficient as the legal basis for online searches is a matter of dispute in legal theory. The consultation draft of the Federal Council of June 1, 2010 on the revision of the Federal Act of October 6, 2000 on the Surveillance of Postal and Telecommunications Traffic (BÜPF) is intended to expressly regulate online searches. The Federal Council proposes to supplement the StPO with the following new Article 270 bis:

Art. 270 bis Interception and decryption of data (new)
1 If the previous measures were unsuccessful in monitoring telecommunications traffic or if other monitoring measures would be futile or would make monitoring disproportionately difficult, the public prosecutor's office can order the introduction of computer programs into a data system in order to intercept and read the data without the knowledge of the person being monitored. The public prosecutor's office specifies in the surveillance order what kind of data it wants to access.
2 The order requires the approval of the compulsory measures court.

The Federal Council explains that this method is of particular importance in the area of monitoring Internet telephony or instant messaging that is carried out from a portable computer or mobile phone with various prepaid SIM cards. In these cases the communication, even if it is not encrypted, can only be intercepted if a program is inserted into the portable computer or the mobile phone. If the program introduced cannot take effect because the monitored data processing system is equipped with an anti-virus program that neutralizes it, the monitoring method mentioned in Article 270 bis can be used to introduce an additional program into the monitored data processing system with which the anti-virus program is circumvented.


France

On February 8, 2011, France passed the law to strengthen internal security (Loi d'orientation et de programmation pour la performance de la sécurité intérieure). With this law, the French security authorities were given the power to carry out covert online searches.

United Kingdom

In the UK, online malware installations are carried out based on the Computer Misuse Act 1990 and the Regulation of Investigatory Powers Act 2000. These legal regulations also enable the police, if serious criminal offenses are suspected, to carry out covert house searches without judicial control, to examine computers and to install keyloggers. Citing the strategic approach proposed at the end of November 2008 for a comprehensive and joint fight against cybercrime by the Justice and Home Affairs Council (JHA) of the EU Commission, the British Home Office is currently (January 2009) planning, in cooperation with other EU countries, to carry out remote searches throughout Europe and also to enable other states to do so in the United Kingdom without a judicial decision.

United States

Since at least 2001, the US federal police, the FBI, has used spy software called Magic Lantern in the United States to spy out data on the Internet. Use of a program called CIPAV was first confirmed in 2007.


China

There is no reliable information about the situation in China. However, there are indications that Trojans are targeting groups that have been declared undesirable by the government, such as Falun Gong. The technical descriptions, however, are among the most detailed that exist.

Legal and technical problems, criticism

The online search raises a multitude of legal questions and has been and is criticized from various points of view.

Debate on fundamental rights and the surveillance state

In terms of data protection law, online searches are a massive invasion of privacy. The basic debate is the extent to which this is permissible within the framework of state authority.

A central point of criticism is also the secrecy, which contradicts the nature of an investigation under the rule of law. Since the person concerned usually does not notice the surveillance, can hardly prove it technically, and, depending on the legal situation, often does not have to be notified afterwards (see e.g. the Article 10 Act), there is no possibility of a legal review of the interference. However, the aspect of transparency and control of state action is inseparably linked to the core of the rule of law.

Another question is that government surveillance measures are always restricted to specific people. The monitoring of the communication of a suspect would, however, include the monitoring of a group of people of an unspecified number and possibly also non-suspects. The control must therefore not only include the approval of the surveillance, but also the use of the determined data material and, in particular, its storage as evidence to be secured.

In addition, there is a general, further detachment of public power from territories, national borders, private spaces and physical presence. The sociologist and philosopher Zygmunt Bauman characterizes this state of power as "post-panoptic". The possibilities of monitoring with the help of electronic signals, which are invisible to the citizen, also mean that monitoring is possible without the direct presence of control personnel or the existence of defined or transparent guard times. Furthermore, it is also much more difficult to control, for example, the extent to which the data is passed on to foreign authorities in the context of international investigative cooperation and is then no longer subject to the original orders and controls. Even if the surveillance data is deleted in compliance with the law at one authority, further copies could be retained elsewhere after the investigation has been completed, an aspect common to all data with respect to the right to be forgotten. This therefore requires a more extensive design of the legal framework, including the international one.

There is also a risk that citizens will generally lose confidence in official electronic communication (e-government).

Differentiation between data transmission and message transmission

Searching purely private data is a deeper invasion of privacy than monitoring interpersonal communication. Modern cloud computing also includes external storage on file hosting servers on the Internet. From a technical point of view, this data exchange is also a communication between two end devices, so the legislator must develop more precise definitions of "communication". For example, the question arises as to the extent to which automatic synchronization processes with the cloud, as "autonomous communication between two devices without human intervention" (M2M communication), should still fall under an ordered monitoring system. Legal formulations such as that a message in the true sense should only include "data transmitted by a natural person" would also include uploads to cloud storage.

Technical aspects of govware and malware

The need for high-performance surveillance software that goes beyond the wiretapping interfaces already in use, which must be installed at every Internet provider to carry out telecommunications surveillance measures, arose in particular from the widespread use of encrypted telecommunications (e.g. Skype and WhatsApp). In order to monitor these media, deeper interventions in the operating system of a device are required.

In addition to the legal and political objections, experts question the technical feasibility: antivirus programs would treat all malicious programs equally. Tjark Auerbach, Managing Director of Avira, said: "A Trojan is and will remain spy software". As soon as the software manufacturers become aware of its structure, it would be included in a directory of known viruses and blocked by the programs. Andreas Lamm, Managing Director of Kaspersky Lab, said about the possibility of cooperation with government authorities: "It would be a massive intervention in the entire IT security industry, which from our point of view would not be imaginable or feasible". However, virus protection programs offer only limited security through the detection of typical behavior and already known program patterns using generic and heuristic procedures, since state Trojans spread atypically and must first be known to the manufacturers before they can be reliably identified using current virus signatures. To make matters worse, Trojans or spy programs depend on the cooperation of the operating system (and must be specially tailored to it).

Regardless of the technology used, it was doubted whether targeted online searches in particular could be promising when common communication technology such as routers, firewalls and anti-virus scanners is in use. However, experts were of the opinion that the provider-side eavesdropping interfaces could be reprogrammed without major problems to inject Trojans during any unsecured software download, a classic man-in-the-middle attack against which even the best firewall is powerless. In order to rule out such an attack, one would have to restrict oneself to signed files when downloading programs. Many free operating systems do this with the GNU Privacy Guard anyway. However, very few Windows software vendors sign their downloads. One also needs a guaranteed authentic copy of the respective public key. Antivirus program manufacturers such as Avira and Kaspersky Lab have already ruled out cooperation with authorities.
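The signed-download check described above, as an added example that is not part of the original article: a POSIX shell function that accepts a file only when GnuPG reports a valid signature whose primary-key fingerprint equals one obtained out-of-band (the "guaranteed authentic" key). The function names, fingerprints and status lines are constructed for illustration; the status keywords are those GnuPG emits with --status-fd.

```sh
#!/bin/sh
# Added example: fail-closed verification of a signed download.
# All fingerprints and status lines below are constructed sample values.

PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567   # vendor key, obtained out-of-band
OTHER_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98    # some other key present in the keyring
SUBKEY_FPR=1111222233334444555566667777888899990000   # signing subkey of the vendor key

# Normalise a fingerprint: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status PINNED_FPR   (reads `gpg --status-fd` lines on stdin)
# Returns 0 only if a VALIDSIG line names the pinned primary key and no
# line reports a bad, unverifiable, expired or revoked signature/key.
check_status() {
    pinned=$(norm_fpr "$1")
    accepted=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*|\
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # The last VALIDSIG field is the primary key fingerprint,
                # so a signature made by a subkey still maps to the pinned key.
                fpr=$(norm_fpr "${line##* }")
                if [ "$fpr" = "$pinned" ]; then accepted=0; else return 1; fi ;;
        esac
    done
    return "$accepted"
}

# verify_download FILE DETACHED_SIG PINNED_FPR
# gpg's own exit code is not trusted on its own: a good signature from any
# key in the keyring would pass it, so the fingerprint decides.
verify_download() {
    gpg --batch --no-tty --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | check_status "$3"
}

# Constructed status output for four situations.
SAMPLE_OK="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Vendor Release Key (constructed)
[GNUPG:] VALIDSIG $PINNED_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED_FPR"

SAMPLE_SUBKEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Vendor Release Key (constructed)
[GNUPG:] VALIDSIG $SUBKEY_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED_FPR"

# Cryptographically good signature, but from a key that is not the vendor's:
# this is what a tampered download re-signed by someone else looks like.
SAMPLE_OTHER_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else (constructed)
[GNUPG:] VALIDSIG $OTHER_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $OTHER_FPR"

SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Vendor Release Key (constructed)"

# Print the decision for one constructed sample (no gpg needed).
report() {
    if printf '%s\n' "$2" | check_status "$PINNED_FPR"; then
        echo "$1: accept"
    else
        echo "$1: reject"
    fi
}

report "signed by pinned key" "$SAMPLE_OK"
report "signed by pinned key's subkey" "$SAMPLE_SUBKEY"
report "good signature, wrong key" "$SAMPLE_OTHER_KEY"
report "modified file" "$SAMPLE_BAD"
```

With GnuPG installed, `verify_download installer.bin installer.bin.sig "$PINNED_FPR"` applies the same decision to a real file and its detached signature (both file names are placeholders).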

General IT security, appropriateness and potential for abuse

In general, the state gets into a conflict of interests through the use of govware, as it wants to promote general IT security on the one hand, and on the other hand it could endanger it through the measures for online searches.

It is considered unlikely that the objective of combating terrorism or organized crime can be achieved with online searches, since it is precisely these groups of people who will presumably protect themselves against such attacks. This "arms race" is inherent in all measures taken by the state. It should also be borne in mind that the supervising authority cannot check whether the govware was recognized and manipulated by a technically gifted criminal. In that case, the criminal could transmit fake data to the authority. In contrast to conventional telephone monitoring, this interference would not even be detectable afterwards. Its use to obtain evidence is therefore questionable. The proportionality is called into question, since this software would remain undetected only by technically unskilled terrorists, and for these, conventional investigative techniques would suffice. The legislature hopes to take this necessity into account by explicitly authorizing any surveillance.

Furthermore, misuse of the various monitoring powers cannot be ruled out. For example, in August 2007 it became known that an employee of the German Federal Intelligence Service was using the technical possibilities for private purposes. It also cannot be ruled out that the technical possibilities of the monitoring software are misused to falsify evidence. In this way, compromising material (such as child pornography or fake attack plans) could be uploaded to the victim's computer unnoticed by the victim (and undetectable afterwards). This danger can emanate from governments themselves (for example in unjust states), but also from criminal secret service employees.

Even without a specific intention of abuse by the employees of the authorities, the existence of a facility that has access to the information systems of citizens or organizations represents a considerable weakening of national IT security, since malicious third parties could gain access to this facility and then use it for spying themselves. For the economy in particular, this represents a serious risk. Therefore, the authority, like every software distributor, must regularly validate and update the govware in order to ensure its functionality. This means that further privacy interventions are necessary even after installation.

Another problem area is that any installation of malware technologies that goes unnoticed by the user is based on a security gap. Everyone who is interested in the security of citizens and organizations actually wants such security gaps to be identified as quickly as possible and then closed. For the operation of this software, however, the state has to rely on the secrecy of certain exploits and therefore actively participates in the stockpiling of discovered exploits for its own purposes, even though exploit trading is considered one of today's core areas of crime. The state thus enters into direct competition with criminals for the information technology resource of exploits (and possibly even finances them). Since the weak points are accordingly not closed, criminals can find them sooner or later and exploit them themselves. This is what happened with the WannaCry virus, which was based on a backdoor that the American NSA used for years for one of its state Trojans.

The alternative is to work directly with the operating system and application software manufacturers on implementing at least one interface for govware. This, too, requires a comprehensive, and in particular international, legal framework, and raises a multitude of further questions (official inspection of or intervention in proprietary software, or transfer of competence to the private sector; dealing with open source communities). In addition, the problem remains that every security gap, even one built in intentionally, makes the systems more insecure for all users, including those who are not monitored.


Liability for damage caused by interference with the information system that has not been agreed with the operators is unclear, so that those affected may suffer considerable economic damage that is not compensated for. Software manufacturers usually exclude liability for damage caused by third-party interference in their software. The investigating authorities, even if they were aware of all the software used on the target system (which only a prior seizure and complete examination of the system could guarantee), would therefore still face the problem of having to coordinate the search solution with all software manufacturers involved in order to rule out such damage.
