The CDU's leaky campaign app
When activist Lilith Wittmann drew attention to a security problem with a CDU app, the party pressed criminal charges against her.
Berlin-Lilith Wittmann has collected €2,000 in donations - to pay the deposit for the lawyer she might need to defend her against charges filed by Angela Merkel's Christian Democratic Union (CDU).
The Landeskriminalamt - a branch of the police focused on serious crime - is investigating the IT security researcher - as she calls herself. The CDU lodged a criminal complaint against Wittmann after she told the party about a security vulnerability in the CDU-Connect election campaign app. The activist has thus became the target of a paragraph in Germany's criminal code for which the CDU is chiefly responsible.
The "hacker paragraph"
Wittmann, 25, has worked in IT security for 10 years. She found the security leak in the CDU app in her spare time. And reported it voluntarily. She's not surprised by the legal action by the conservatives, whom she describes as "digitally disqualified".
Pouring salt on the wound, Wittmann added: "I can't remember any meaningful digitalisation initiative by the CDU."
The party was the driving force behind a push to add a "hacker paragraph" to the criminal code in 2007. The legislation was passed with a large majority. At the time, only Die Linke (PDS at the time) and a single SPD MP, Jörg Tauss, voted against it. Paragraph 202c makes the interception of data a punishable offence. The law is considered controversial because, depending on how it is interpreted, it also covers people who investigate security vulnerabilities in order to report them, not to exploit them. Thanks to §202, Wittmann could now stand trial.
On 3 August, Wittmann announced on Twitter that she was being investigated and posted a letter from the Landeskriminalamt stating she was being investigated in connection with the case of the CDU-Connect app. In short, the party had denounced her - in a worryingly archaic manner - as the bearer of bad news.
The bad news Wittmann had broken was as follows: Due to a security gap in the app software, data on around 500,000 people who had been visited by CDU door-to-door campaigners had been stored on servers without any major security barriers and was therefore basically open to public scrutiny. She could also access the data of about 18,000 users registered with the app - i.e. election workers - as well as 1,300 records of people who had indicated that they wanted to support the election campaign.
Wittmann had been alerted to the potential security vulnerability on Twitter back in May. She downloaded the app, looked at the system and found that she could easily access personal data such as city of residence, street, age, gender and political opinions of the respondents. "It was so easy that you can't even really call it a hack," says Wittmann. "Nobody thought about how to build that securely. For example, about a good log-in system that checks access rights. They didn't have anything like that."
Chaos Computer Club won't be warning the CDU
The news that Wittmann was facing criminal charges was greeted by a storm of indignation in the media last week. The hacker organisation Chaos Computer Club announced in a press release: "In order to avoid legal disputes in the future, we are unfortunately forced to refrain from reporting vulnerabilities in CDU systems." The CDU had shown itself to be "extremely ungrateful for the volunteer tutoring" in IT security.
On Wednesday, the CDU's national managing director Stefan Hennewig apologised to Wittmann on Twitter: "The mention of her name in the charges was a mistake for which I want to apologise. I have withdrawn the charges against her at the LKA."
Responsible disclosure: first report, then publish
Wittmann doubts that the charges against her could have been an oversight. Speaking to the Berliner Zeitung, she said: "I would actually rather accuse people of cluelessness than malice. In the meantime, however, I rather believe that in this case it was the latter." If the charges against her had been a "mistake", Wittmann says, the party would have had to bear responsibility and, for example, bear her likely legal costs. Because the investigations are ongoing, even withdrawing the charges won't help, she said. "Such an apology does me no good at all. And it's no good for the reputation of security researchers," said Wittmann.
The proceedings now initiated against her are the first case she knows of in which a volunteer IT security researcher has been reported by a political party for a responsible disclosure process. There is international consensus about such disclosures, says Wittmann. As a rule, activists point out security gaps to the responsible corporations or organisations, report them to the responsible authorities if necessary, such as the Federal Office for Information Security (BSI) in Germany. Wittmann did that, too. Only when the leak is fixed or the faulty system is offline are the vulnerabilities published to protect those affected. "Big corporations sometimes even pay a reward," says Wittmann. Not so the CDU.
The data protection officer on the case
Apparently, the CDU has used the campaign app for several years. The CSU, the Austrian ÖVP and the Swiss CVP are also said to have used the same system. When Wittmann drew attention to the vulnerability immediately after it was found, the application initially went offline. However, it is currently available in the Google Play Store.
Berlin's state data protection officer is investigating CDU-Connect for violations of privacy law. Wittmann says she already advised the party to stop using the system back in May because it was too flawed.
The CDU did not respond to repeated enquiries from the Berliner Zeitung on when CDU-Connect was back in use and whether and how the security problems had been resolved.