The Hackers Russia-Proofing Germany’s Elections
The Chaos Computer Club, a multigenerational army of activists, has made the country’s democracy a lot tougher to undermine.
By Vernon Silver
Jun 27 2017
The hack began as trash talk. Germany’s voting computers were so vulnerable to tampering that they could be reprogrammed to play chess, the hackers boasted. But then the machines’ maker dared them to try. Bound by honor and curiosity, the hackers got their hands on one of the computers and had it playing chess after about a month. “We have to admit,” they later wrote, “that it does not play chess all that well.”
This wasn’t just a prank. The hackers, several of them associated with the Hamburg collective known as the Chaos Computer Club, or CCC, also proved they could manipulate votes that the computers had recorded. As a result, Germany’s Federal Constitutional Court struck down the nation’s use of voting computers, citing CCC by name in its ruling. Oh, and this was in 2006.
From imperfect voting machines to the fake news that chokes social media, the U.S., the U.K., and France are only beginning to wrestle with the ways in which democracy can be hacked. In Germany, which is heading to the polls in September, CCC has been paying closer attention. Sometimes that means such stunts as reprogramming computer systems on a dare, but the loose confederation of about 5,500 hackers isn’t a bunch of bored teens in it for the lulz. Its 29 local chapters are stocked with professionals who run security for banks, head encryption startups, and advise policymakers. The group publishes an occasional magazine, produces a monthly talk radio show, and throws the occasional party, too.
All this has made CCC into something that sounds alien to American ears: a popular, powerful, tech-focused watchdog group, one whose counsel has been sought by both WikiLeaks and Deutsche Telekom AG. By exposing weaknesses in German banking, government, and other computer systems, CCC has helped make them more resistant to attack and contributed to a society that’s exceptionally careful about believing what it sees online. In the runup to their federal elections, Germans are tweeting a much higher proportion of real news—as opposed to campaign spin, amateur screeds, or outright b.s.—than Americans or Brits did during their latest political campaign seasons, according to researchers at the University of Oxford.
“The only way to save a democracy is to explain the way things work,” says Linus Neumann, a CCC spokesman and information security consultant. “Understanding things is a good immunization.”
Co-founded in 1981 by Wau Holland, an activist who anticipated the security concerns that computers could bring, CCC was most famous in its early years for an incident in 1984, when the group warned Germany’s state-run postal service that its early pay-per-page internet service, Bildschirmtext, had a hole in its security. The postal service ignored the warning, and CCC members exploited the flaw to electronically steal 134,694.70 deutsche marks (about $48,000 at the time) from a local bank in tiny increments, using the bank’s identity to access a pay-per-view site CCC had set up. The hackers then called a press conference and returned the money on camera.
After the Berlin Wall came down, CCC went on to expose a series of major security flaws in other electronic systems, including early cell phone encryption and biometric identification. About a decade ago, the group circulated a fingerprint of Wolfgang Schäuble, then the minister of the interior, to demonstrate that the use of biometric data in German passports wasn’t the incredible security advance Schäuble had claimed. Copies of the fingerprint, which CCC published on pieces of plastic inserted into one of its magazines, easily fooled electronic ID readers.
“The CCC has greatly contributed to having an informed discussion on cybersecurity and internet governance in Germany,” says Jan Philipp Albrecht, a German member of the European Parliament who’s vice chairman of the legislature’s committee of civil liberties, justice, and home affairs. “Their work on the security issues of voting machines has saved German elections.”
The group still doesn’t exactly work hand-in-hand with the German government. In 2011, more than a year before Edward Snowden revealed the scope of the National Security Agency’s internet monitoring, CCC exposed German government use of Trojan malware to spy on citizens’ computers, incidentally creating a new German word: Staatstrojaner. Spokesman Neumann, who has testified before Germany’s Parliament a half-dozen times, made his most recent appearance before the legislature on June 1, during a hearing on a proposed law that would govern police use of the spyware. In 2014, CCC member Jan Krissler, a university researcher who goes by the handle Starbug, copied another government minister’s fingerprints—this time, it was the defense minister—simply by zooming in on stock photos of her.