State Trojan: BKA paid 325,666 euros to FinFisher​

The Federal Criminal Police Office (BKA) has illegally redacted many of the details in a contract for the purchase of the state trojan FinSpy from the Munich company FinFisher. This was decided by the Administrative Court of Wiesbaden in a judgment that has now been published on May 6th. According to this, the public may know, for example, that the police authority, including taxes, spent a total of 325,666 euros on the unsuccessfully used surveillance instrument (Az.: 6 K 924/21.WI).

The Netzpolitik.org portal revealed the BKA’s deal with FinFisher in 2013. The tender documents for the tender have been public since 2014, the first contract with the company since 2015. The BKA only released the documents after complaints based on the Freedom of Information Act (IFG), but blacked out a lot of the information in them – including the name of the sales partner and its managing director, although these were already public.

Netzpolitik and the transparency portal FragDenstaat then took the authority to court again. This gave the plaintiffs a more extensive right to disclosure of information. The BKA and the company Elaman from the Gamma Group, which is closely linked to FinFisher and through which the contract for FinSpy and its revisions were processed, have to pay the court fees and the extrajudicial costs of the activists.

“No interest in secrecy”

According to the original contract, the BKA spent 123,669 euros net for FinFisher in 2013, which corresponds to almost 150,000 euros gross. A less blackened addition to the contract that has now also been published includes a further 150,000 euros net. The BKA also initially wanted to keep this sum a secret. However, according to the court, a lump sum price is not a trade and business secret worth protecting: “There is no legitimate interest in secrecy here.”

The contract has 14 annexes. The BKA did not want to name the pure designation, from which the name “FinSpy PC” of the product actually purchased can be derived. The court could understand this just as little as the initial blackening of the header “Classified matter – only for official use”. Such a formal classification in itself is not enough to justify confidentiality.

The name of the signing BKA official remains blacked out. The court had already confirmed the secrecy of individual services, costs and deadlines as well as information on the source code in the first judgment in 2015. It feared that the use of the software and thus a source telecommunications surveillance (TKÜ) to combat terrorism could be prevented.

contract terminated

FinFisher had to overhaul the state trojan for five years in order to comply with legal protection regulations. The BKA was only allowed to use FinSpy in principle from 2018. In the same year, the spyware appeared on the devices of members of the opposition in Turkey, for example, whereupon the local police office canceled the contract again after a few months. FinFisher is now insolvent and is said to have been dissolved.

In recent years, the BKA has generally found it difficult to develop and procure software with which encrypted Internet telephone calls and messenger chats can be tapped and computers or mobile devices can be spied on. The federal Trojan, which was initially built by the police authorities themselves for 5.77 million euros, was initially only suitable for the source TKÜ. A more powerful version for more extensive clandestine online searches has been in the works for a long time. Last year it became known that between 2017 and 2020 the BKA did not use state trojans in any completed investigations or security procedures.

(vbr)