New German government coalition promises not to buy exploits

The three political parties set to form the new German government have agreed to stop buying zero-day vulnerabilities and limit the government's future use of monitoring software (spyware).

The Green Party, the Social Democratic Party (SPD), and the Free Democratic Party (FDP) entered into a government coalition last month, and their new joint government cabinet is expected to be formally elected to power later today following a vote in the German Parliament.

Their political collaboration was announced last month, on November 24, and the announcement was also accompanied by a 178-page document [PDF, archived] outlining the coalition's joint core governing principles on a number of social, political, and economic topics.

Among them were different IT, privacy, and cybersecurity-related issues, including two paragraphs that addressed the German's state penchant for acquiring zero-day vulnerabilities and using them in surveillance operations.

"The exploitation of weak points in IT systems is in a highly problematic relationship to IT security and civil rights," the three parties said in the section dedicated to national and internal security.

"The state will therefore not buy vulnerabilities or keep them open [to attacks], but will always try to secure them as quickly as possible in a vulnerability management program under the leadership of a more independent Federal Office for Information Security," the German government coalition said—in a statement that echoes a similar decision from the US National Security Agency a few years back when the agency concluded that keeping a large arsenal of zero-day vulnerabilities was more dangerous to US companies than the benefit it reaped for its offensive operations.

In addition, the future German governing coalition also promised to limit the use of monitoring software to a higher "intervention threshold" under guidelines provided by the Federal Constitutional Court. The three parties promised to amend the Federal Police Act to limit law enforcement's ability to use (abuse) its current wire-tapping and online warrant powers in investigations.

The document doesn't mention the type of monitoring software this applies to, but Germany is known for developing its own in-house spyware called the Staatstrojaner, used by its law enforcement agencies in a broad set of investigations, from national security to cybercrime tracking.

However, while both announcements are what most privacy experts would embrace, the decision was not welcomed by some cybersecurity experts, who are questioning if this would be a good decision in a market where more and more countries and threat actors are gaining access to advanced offensive and cyber-espionage toolkits.

But the reality is that the document is more akin to a pinky promise between rival political parties, and if the document will be followed through and through remains to be seen.

The chances are that it will not, or at least not letter by letter, as some other government agencies, rival political parties, and third-party experts will also be allowed to wade in before any of this gets voted into law.

Other views on privacy and surveillance mentioned in the same document also include promises not to support the use of broad video surveillance to replace local police forces, the broad collection of biometric data for monitoring purposes, and the implementation of upload filters for online content.