A "left-wing" German infosec researcher was this week threatened with criminal prosecution after revealing that an app used by Angela Merkel's political party to canvass voters was secretly collecting personal data.
Germany's respected Chaos Computer Club (CCC) announced it would stop reporting any weaknesses in the centre-right Christian Democratic Union's (CDU) web-facing infrastructure to the party after it filed a criminal complaint against Lilith Wittmann.
"I got an email from the Cyber Security Police of Berlin," she told The Register. "Could you please provide us your address, so we can send you... legal documents? And then I was like, that's weird. I didn't do anything wrong. Let's tweet about that. Let's find a lawyer who can look into that."
Although the complaint is due to be withdrawn after an apology from the CDU, the episode shines a light on some German politicians' attitudes to vulnerability disclosures.
In May, ahead of Germany's federal election, the CDU equipped its door-knocking activists with an app called CDU Connect. The app was used for recording data on homeowners: did they welcome political activists knocking on their doors to find out who they were going to vote for? Did they shoo the CDU's foot soldiers away, or did they invite them in for a cuppa and a chat? At the time, Wittmann told us, the CDU insisted that data collected in the app was anonymous.
This was incorrect, Wittmann said. The researcher revealed her findings in a blog post (in German), explaining on a phone call with The Register that all she did was sniff an API token, "man in the middle" style, "to figure out how the API works." Having done that, she discovered personal data was indeed being processed by the app.
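As an added illustration (not the researcher's code and nothing from the CDU Connect app itself), this is the kind of check one runs once an app's API traffic has been intercepted through a proxy and a request replayed with the sniffed token: walk the JSON that comes back and flag any field whose key name or value looks like personal data, so the "it's all anonymous" claim can be tested rather than taken on trust. The endpoint structure, field names and both sample payloads are constructed for the demo and are assumptions, not the real API.

```python
"""Audit captured API responses for personal data.

Added example, not code from the article or from the CDU Connect app.
The payload structure and field names below are invented for the demo.
"""
import json
import re

# Key names that commonly carry direct identifiers (assumed list; extend it
# for the app under test).
PII_KEYS = {
    "name", "first_name", "last_name", "firstname", "lastname",
    "street", "address", "email", "phone", "birthday", "dob",
}

# Value heuristics: e-mail addresses, phone-number-like digit runs
# (two groups of digits, the second at least five long, optionally separated
# by space, slash or dash) and German-style "Musterstraße 12" addresses.
# These are deliberately loose; a long numeric ID will also trip PHONE_RE,
# which is the right failure direction for an audit.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\+\d{1,3}[ /-]?)?\d{2,5}[ /-]?\d{5,}(?!\d)")
ADDRESS_RE = re.compile(
    r"\b[A-ZÄÖÜ][\wäöüß-]+(?:straße|strasse|weg|platz|allee)\s+\d+[a-z]?\b"
)


def find_pii(node, path="$"):
    """Recursively walk a decoded JSON document and return a list of
    (json_path, reason) tuples for every field that looks like personal data."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in PII_KEYS and value not in (None, ""):
                findings.append((child, f"key '{key}' is a direct identifier"))
            findings.extend(find_pii(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_pii(item, f"{path}[{i}]"))
    elif isinstance(node, str):
        if EMAIL_RE.search(node):
            findings.append((path, "value contains an e-mail address"))
        if PHONE_RE.search(node):
            findings.append((path, "value contains a phone number"))
        if ADDRESS_RE.search(node):
            findings.append((path, "value contains a street address"))
    return findings


def audit_response(body):
    """Decode an API response body and report whether it is plausibly anonymous."""
    findings = find_pii(json.loads(body))
    return {"anonymous": not findings, "findings": findings}


# Constructed sample: what a canvassing app's "visits" endpoint might return.
# Invented structure, not the real CDU Connect API.
SAMPLE_PERSONAL = json.dumps({
    "canvasser_id": 42,
    "visits": [
        {
            "street": "Musterstraße 12",
            "last_name": "Mustermann",
            "reaction": "friendly",
            "remark": "wants a call back on 030 1234567",
            "party_leaning": "undecided",
        }
    ],
})

# Constructed sample of what a genuinely anonymous payload could look like:
# only an area identifier and coarse reaction data, no fields tied to a person.
SAMPLE_ANON = json.dumps({
    "district_id": "B-07",
    "visits": [{"reaction": "friendly", "topics": ["housing", "transport"]}],
})


if __name__ == "__main__":
    for label, body in (("personal", SAMPLE_PERSONAL), ("anonymous", SAMPLE_ANON)):
        report = audit_response(body)
        print(label, "->", "anonymous" if report["anonymous"] else "PERSONAL DATA")
        for path, reason in report["findings"]:
            print("   ", path, ":", reason)
```

The point of the key-name check alongside the value regexes is that free-text fields such as a canvasser's "remark" are where personal data leaks even when the schema looks clean, so both layers are needed before calling a dataset anonymous.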
After Wittmann reported the exploitable vulns to the CDU, the party shut down CDU Connect. There was, so the infosec researcher said, no specific agreement between her and the political party about what details could or could not be included in a public writeup so she included them all. Local media picked up on it at the time, and then the moment had passed. Or so everyone thought.
A few days ago the police got in touch, said they were following up on the app breach, and asked for Wittmann's postal address.
We're sorry for that thing we definitely didn't do
German daily newspaper Die Welt reported yesterday that CDU managing director Stefan Hennewig confirmed the party had told police of an alleged data theft and denied the party had accused Wittmann of stealing data – but then apologised anyway for naming her in the CDU's police report.
Our complaint is NOT directed against Lilith Wittmann's responsible disclosure procedure. RD procedures are a good way to make affected parties aware of security vulnerabilities. I consider these procedures an important building block for improving IT security. (2/5) — Stefan Hennewig (@StefanHennewig) August 4, 2021
Netzpolitik, a digital-rights news site with strong links to Germany's hacker community, berated the CDU in a blog post titled "Screw up. Back Down. Repeat" while declaring that "conservatives have understood neither decency nor the basic principles of digital society".
Wittmann told us she considers herself "far left." We're not sure if that translates well into English but she attributed the CDU's police report to her political leanings and previous criticism of the conservative party.
"And also in my report, in the end, I told them how incompetent I think they are from a political perspective," she said. "I'm a security researcher... but in other perspectives, I'm also a political activist."
While the immediate reaction in Germany has averted any negative consequences for Wittmann, her approach may not have been the wisest. Regular readers might compare this to the Apperta saga, when a responsible disclosure went wrong thanks to pre-existing disagreements. Similarly, political disagreements saw a female-focused social media network threaten to sue a British infosec firm which pointed out its entire user database was publicly accessible.
Some things never change in infosec. ®