It took security researcher Lilith Wittmann only a few hours to crack open the app of Germany’s ruling political party, the Christian Democratic Union (CDU).
In May, party campaigners were using the app CDU Connect to gauge public opinion in the lead-up to September’s federal election.
Some chatter online made Wittmann, 25, take notice.
“I was a bit like, ‘Wow, they are collecting, like, super personal data about people,’ … where they are living and what is their political opinion,” Wittmann told The World in an interview at a Berlin park.
When she downloaded the app, she quickly discovered that it lacked common security practices and that its application programming interface (API) was surprisingly easy to penetrate.
The fallout from what Wittmann says was a well-intentioned hack to improve the app’s security highlights a long-standing concern for security researchers and ethical hackers in Germany, whose law does not differentiate between ethical and malicious hacking.
Wittmann discovered that she could access a massive amount of data on the app that was supposed to be protected: the confidential personal information of nearly 20,000 CDU members, and the political opinions of more than half a million people the party had door-knocked.
Campaigners’ canvassing visits, recorded in the app, were tied to voters’ locations and sometimes included notes with house addresses and names.
“They just didn’t have any kind of serious security measures,” Wittmann said.
“When you collect lots of this data, based on house coordinates, basically, then you can do a lot of bad stuff,” she said. “And you never want to have that out in the open.”
Wittmann reported her findings to German technology authorities and the CDU, adhering to the industry principle of “responsible disclosure” that security researchers and ethical hackers often use when they find vulnerabilities. She also posted about her findings online.
But this discovery — one of the biggest security findings of the young researcher’s career — may come at a personal cost.
‘It said that I am a suspect’
Shortly after her report, Wittmann received a phone call from the CDU’s federal managing director, Stefan Hennewig. She said he offered her a half-hearted thank you, a job offer she turned down, and then a warning that the party might file a criminal complaint against her.
A few weeks ago, she received an email from the Berlin police.
“It said that I am a suspect in this investigation about the CDU Connect app and that they want to know my address,” Wittmann said.
There is no dispute about what triggered the police investigation. The CDU, which yanked the app offline in May after admitting Wittmann found a security flaw, also admitted to filing a criminal complaint about the data breach and specifically mentioned Wittmann.
The party, pressured to backtrack after ensuing public backlash on social media, now says it has withdrawn its complaint, which Hennewig maintains was supposed to be about another alleged data breach — not Wittmann’s hack.
Wittmann, however, said police have confirmed they are still investigating her.
“It is super absurd,” she said of the CDU’s complaint. “I really hoped that this wouldn’t happen when you report something to them.”
Change to hacking law
Wittmann’s experience calls attention to gaps in Germany’s hacking laws, according to lawyer David Albrecht, whose Berlin firm represents both hackers and organizations that have been hacked.
“The German law doesn’t really differentiate between so-called ethical hacking and hacking that is with a bad intention,” Albrecht said.
Previously, he said, Germany’s criminal code stipulated a person had to obtain secure data to have committed a crime.
Then in 2007, a CDU-led parliament broadened the law in response to rising cybercrime and to comply with EU legislation. The amended law clearly prohibits any form of hacking — regardless of intention.
“From that point on, it was sufficient that the offender only gains access to the data,” he said.
Albrecht said he hopes Wittmann’s case will prompt more discussion of a legal framework he called “not really adequate to handle cases of ethical hacking.”
‘We really should take care of this data’
Michael Prinzinger runs a security consulting firm and co-founded one of Berlin’s largest meetups of researchers and ethical hackers.
He said strong reactions like the CDU’s have become increasingly rare.
“The backlash on organizations that persecuted people [who] report vulnerabilities was, and — as we can also see in this case — is huge,” he said.
Prinzinger hopes Wittmann’s experience doesn’t have a chilling effect on others doing work he says is vital.
“The message might be that people will feel like a criminal when they actually do the right thing and report a vulnerability that can lead to others suffering from privacy loss or data about them being leaked,” he said.
Berlin’s data protection authority is investigating CDU Connect and could impose sanctions on the CDU if it finds the party did not adequately safeguard users’ data.
The CDU did not respond to several interview requests.
Wittmann, meanwhile, has hired a lawyer. She is steadfast in her belief she acted responsibly.
She said she realized what was at stake if the app’s data was left so vulnerable, even if it is politically damaging for the CDU to admit the flaw.
“There is half a million data points about public opinion in there,” she said.
“And so we really should take care of this data, or maybe it shouldn’t even exist.”