back to article Das tut mir leid! Germany's ruling party sorry for calling cops on researcher after she outed canvassing app flaws

A "left-wing" German infosec researcher was this week threatened with criminal prosecution after revealing that an app used by Angela Merkel's political party to canvass voters was secretly collecting personal data. Germany's respected Chaos Computer Club (CCC) announced it would stop reporting any weaknesses in the centre- …

  1. b0llchit Silver badge
    Facepalm

    Classical attack

    This is the classical go after the messenger, not the message attack. It sends a very strong signal to show who is "in charge" and what "may happen" when you try to challenge the status quo.

    It does not matter that they now apologize or backpedal. They have already sent the signal and it is ear deafening. The political affiliation or wing or side does not matter. This type of behavior is found on all sides and is typical of a bully wanting (to stay in) power. The way to fight a bully is to expose the bully with unified front.

    1. JohnG

      Re: Classical attack

      Also, those responsible for the app have almost certainly breached German data protection laws. Ms Wittmann had also informed the relevant data protection office of the issue, prior to her publication. The police should have gone after those who released and operated an app which failed to protect people's information (despite claiming the opposite) - but they went after the person who reported the actual crime instead.

      Ms Wittmann put her own report here (in German) AFTER the app was shut down: https://lilithwittmann.medium.com/wenn-die-csu-und-die-volkspartei-digitalen-wahlkampf-machen-6d9e245efefc

      1. Charlie Clark Silver badge

        Re: Classical attack

        Yep, almost certainly a breach of GDPR and so a fine will be in the post to Konrad Adenauer Haus.

        What the fuckwits probably don't realise is that this whistle has probably saved them from a much bigger one, when some of that data is either leaked or purloined.

    2. Irongut Silver badge

      Re: Classical attack

      > They have already sent the signal and it is ear deafening.

      Well you would be surprised if it was eye deafening, nose deafening or perhaps finger deafening.

      1. Clunking Fist Bronze badge

        Re: Classical attack

        Well, my legs are grey, my ears are gnarled, my eyes are old and bent.

      2. Anonymous Coward
        Anonymous Coward

        Re: Classical attack

        @irongut: "Well you would be surprised if it was eye deafening, nose deafening or perhaps finger deafening."

        I suspect that the post you are referring to was written by someone whose first language is not English, probably a German person, given the context of the article, and who may have translated a perfectly normal idiomatic phrase from their own language into English, and was simply unaware that it doesn't quite "fit right" in English.

        It's always better just to be thankful for someone's efforts to speak or write another language, rather than draw attention to minor errors (unless they have actually asked for constructive criticism, to help them improve their fluency).

    3. DS999 Silver badge

      Re: Classical attack

      Classic authoritarian attack. Demonstrates power, with the goal of making people afraid to call out abuses of that power.

      Unfortunately it looks like authoritarianism is infecting politics all over the west, mostly the (but certainly not limited to) more conservative parties (yeah I know what Germany considers "center right" is Bernie territory in the US)

      1. Geez Money

        Re: Classical attack

        The "sorry for the thing we didn't do" follow up is also an authoritarian classic.

  2. Anonymous Coward
    Anonymous Coward

    Ah yes the old: You've pointed out someone's mistake, and that someone responses with anger/finger pointing/lawsuits in your direction, rather than checking if they made a mistake and correcting it.

    The engineers mindset: When someone tells you you've got it wrong, initially believe them, go and check, have another someone verify it, fix if necessary (optionally) demonstrate to the initial someone you were right with the evidence to back up your claims (with politeness).

    1. Blofeld's Cat Silver badge

      "... engineers mindset ..."

      Very similar to the scientific method.

      In the early days of exoplanet research there was a press conference at which a research team announced that they had calculated the "year" of an exoplanet at 365.25 days.

      There was a pause, after which the team leader said something along the lines of:

      This is either a staggering coincidence, or we have got something wrong. We have checked our data many times and cannot find an error. Our research is all published on line and we would be most grateful if somebody could please point out where we messed up.

      1. A Nother Handle
        Holmes

        coincidence or cock-up

        So which was it? Or are they waiting for the JWST to give a second opinion?

        1. Yet Another Anonymous coward Silver badge

          Re: coincidence or cock-up

          IIRC routine that calibrated out the Earth's motion didn't use enough significant figures.

          Telescope was on Earth and was measuring very small shift in the position of another star, so had to take out the measurement point moving much more than the shift you are looking for.

      2. Richard Boyce

        The mice have commissioned a reserve planet, just in case the Vogons get a bit careless.

      3. eldakka Silver badge

        Poor science

        ... there was a press conference at which a research team announced that they had calculated the "year" of an exoplanet at 365.25 days.

        ... Our research is all published on line and we would be most grateful if somebody could please point out where we messed up.

        This science by press-release, it is piss-poor research process, it is not how science is done. They've done a BICEP2, made a press release before having a peer-reviewed paper prepared.

        For reference, BICEP2 announced to the world in a press-release (not via publishing a peer-reviewed paper) they had discovered gravitational waves in 2014, a few months later they had to retract that statement as it was shown to be more likely to be caused by space dust.

  3. Santa from Exeter

    Not exactly a standard vuln report then

    She used it as a means to get a political dig in, not the actions of an ehtical hacker. IMHO she got confused and let the 'political activist' take over.

    Political Leanings have bugger all to do with Infosec and should be kept separate.

    1. Cederic Silver badge

      Re: Not exactly a standard vuln report then

      You've been heavily voted down so I thought I'd post agreement with you.

      By all means provide the party with feedback on their political stance and why you feel it's wrong. Feel free to offer suggestions on policies that you think they should adopt, particularly if you think it's aligned to the political views of their supporters.

      But do that separately to providing a security vulnerability report. It's a different audience, for a different purpose.

  4. elsergiovolador Silver badge

    How did this happen?

    After so much evil, it seems like majority of population got amnesia and think Germany is the most virtuous country in Europe now.

    Do you think Stasi and their methods disappeared overnight?

    Do you think they are no longer plotting with Russia?

    They are only half asleep, because in the end they got what they wanted - they rule the Europe, and Slavic people work for their factories on near poverty wages.

    Make no mistake, as soon as the crisis crosses the tipping point, all bets are off with them.

    1. GrumpenKraut Silver badge
      Facepalm

      Re: How did this happen?

      Yeah. Right.

    2. Dan 55 Silver badge

      Re: How did this happen?

      In your head, in your head, they're still fighting...

    3. Yet Another Anonymous coward Silver badge

      Re: How did this happen?

      Obviously what they should do is quit Europe so that they can then make up their own data protection laws and the ruling party can simply declare this legal because sovereignty.

      As a side effect they would then automatically rule the world.

      1. Anonymous Coward
        Anonymous Coward

        Re: How did this happen?

        @Yet Another Anonymous coward "quit Europe so that…"

        Johnson, I think you've blown your cover! :-P

    4. Irongut Silver badge

      Re: How did this happen?

      Take your 1940s attitudes back to the last millenium where they should have stayed.

    5. cosmodrome

      Re: How did this happen?

      Ach goddamit! Ze schöne plan has leaked.

  5. Anonymous Coward
    Anonymous Coward

    Of course the data collected by Connect isn't anonymous - it would be pointless if it was. The entire point of collecting canvass data is to find out who will or is likely to vote for you - as in the individual people. It's pointless having data that says "156 people in Division 22 say they will vote for you" without knowing *who* those 156 people are. You need to know who your pledges are so you can remind them that they are your pledges, and follow them up to confirm they have acted on their pledges. And, importantly, who supports other candidates so you can do everything to avoid reminding them there's an election. This is basic "elementary school" level election campagning, see Bob Heinlein's account of the 1934 election.

    Anon, I use the UK version of Connect and have worked with people who have used the US and the Canadian version of Connect.

    1. lglethal Silver badge
      Stop

      And that would be fine if they had openly declared that was what they were doing, rather than claiming that they didnt collect any personally identifiable data.

      Although even if they had declared that it would have been behove of them to actually secure said data so that a man-in-the-middle attack couldnt actually sniff out the data so easily.

      So first they lied about what the app did, and what data they collected. Then they failed to secure said data. Then they went after the person who pointed out those things. All round fails...

      1. Charlie Clark Silver badge

        No, it still wouldn't be legal without informed consent: including a signature in this case.

      2. Anonymous Coward
        Anonymous Coward

        re. All round fails...

        but not surprising, is it?

    2. Version 1.0 Silver badge

      Maybe the next move would be to create fake accounts and feed the app fakes. These days we're stealing peoples data, selling the data, and faking the data to make money from whoever wants to think that they are in control - politics is simply a financial world.

      1. Yet Another Anonymous coward Silver badge

        That could be fun.

        Tory candidate: According to our app all the residents of this council block in Skelmersdale would welcome visits from our people.

  6. Doctor Syntax Silver badge

    "Some things never change in infosec."

    And not just in infosec. Paging Ms Streisand.

  7. Lil Endian

    Merkel is Petruchio?!

    I say it is the moon that shines so bright.

    Claiming to apologise without admitting fault is a logical fallacy.

    Cambridge: apology (noun) - an act of saying that you are sorry for something wrong you have done

    By definition an apology can only be proffered with an admission of culpability. Claiming otherwise is patronising and narcissistic: we're bigger than you, what we say is right and you don't have a leg to stand on.

    Yes, in the States there's the "I'm Sorry" law, but that proves nothing as a law is its own definition and laws are, well, a law unto themselves. And laws can be "wrong".

    Apologising for something you've not done is akin to attempting to take out insurance for something in which you have no vested interest, you just can't.

  8. Mike 137 Silver badge

    Tactics?

    "... announced it would stop reporting any weaknesses in the centre-right wing Christian Democratic Union's (CDU) web-facing infrastructure to the party after it procured a criminal prosecution ..."

    A more effective tractic would be to step up investigation and reporting to a maximum to force them to back down in princuple.

    1. A.P. Veening Silver badge

      Re: Tactics?

      A more effective tractic would be to step up investigation and reporting to a maximum to force them to back down in princuple.

      Partly correct, but the reporting should be done to the GDPR authority, making this kind of idiocy extremely costly to the CDU.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021