Encryption Security

New German Government Coalition Promises Not To Buy Exploits (therecord.media) 18

The three political parties set to form the new German government have agreed to stop buying zero-day vulnerabilities and limit the government's future use of monitoring software (spyware). From a report: The Green Party, the Social Democratic Party (SPD), and the Free Democratic Party (FDP) entered into a government coalition last month, and their new joint government cabinet is expected to be formally elected to power later today following a vote in the German Parliament.

Their political collaboration was announced last month, on November 24, and the announcement was also accompanied by a 178-page document outlining the coalition's joint core governing principles on a number of social, political, and economic topics. Among them were different IT, privacy, and cybersecurity-related issues, including two paragraphs that addressed the German state's penchant for acquiring zero-day vulnerabilities and using them in surveillance operations. "The exploitation of weak points in IT systems is in a highly problematic relationship to IT security and civil rights," the three parties said in the section dedicated to national and internal security.

    • It's not a terribly efficient approach, likely costs more money than other methods of spying and has an unpredictable shelf life.

      • Promises? Hah. Citizens of Germany, it is your government. Have your legislature put a law in place with prison time for offenders against spending money on it.
        • by Sique ( 173459 )
          This law might run afoul of some constitutional barriers. Of course you are allowed to pay money for information about the security weaknesses of your devices. If you set your engineers and software forensic experts on the case and find weaknesses, you are practically doing the same. If you pay a third party to do the audit and hand over their results, you do so too. If someone tells you about a security weakness he found or has heard of under an NDA, and you pay him for that information, you do so.

          So a law

        • by fazig ( 2909523 )
          Politicians putting their money where their mouth is?
          Politicians making laws that could be used to hold them accountable for what they do.

          Yeah, that'll be the day!
  • They should force the company that the exploit exploits into buying the exploit. That would create a negative feedback loop on the source of the exploits.
    You either pay internal staff to test code for exploits or you pay a third party based on results. Either way the exploits are caught and not put into the wild.

  • by jd ( 1658 ) <imipak@yahoGINSBERGo.com minus poet> on Thursday December 09, 2021 @12:37PM (#62063121) Homepage Journal

    They may have a better and/or cheaper option. They may find that Big Data/pattern analysis is sufficient for their needs. They may have decided that spyware installed by private companies and monitoring of chat rooms/websites is sufficient.

    We don't know their reasoning, so it's as much a mistake to assume they're lying as it is to assume they're completely honest.

    • by fazig ( 2909523 )
      I suspect that their reasoning is to (virtue) signal that they'll be different from the Christian Democrats, that have governed Germany most of the time since WW2.

      Subsets of Christian Democrats regularly and openly pushed for more surveillance, mainly using the Four Horsemen of the Infocalypse [wikipedia.org] as a rationale and to stifle criticism with the also popular "nothing to hide, nothing to fear" mantra.
      Some agree, many others were concerned and went on demonstrations (I've been in some of them myself). Because s
    • by Yvanhoe ( 564877 )
      They probably honestly believe it and that's probably also a bad move.
  • We've gotten good enough at making our own and no longer need to buy them.

  • Sploits WILL be sold either way and better to have own-side operations buy them than otherwise.

    The general public are "emotional thinkers" (a contradiction in terms which negates the "thinker" aspect) so the non-techy room temperature will be pleased.

    Meantime the Cold War is inevitably accelerating (nations compete because they must, life is competitive) and every useful tool should be available to wage it. The EU is under threat from the NeoSoviets under Putin and that threat is merely an aspect of the hi

  • Hi everyone!

    The other people were horrifying, in part because they did $bad. Sheesh. Terrifyingly abusive.

    I am much better. I will stand apart from them by double promising that I will ONLY do $bad if it's really, really, really, really justified.

    In the event that I am found to do $bad, I will therefore be very happy to point out why those I did it against were dangerous, reactionary, subversive enemies of the state and why it was very justified to do $bad against them.

    The world is therefore better with me i

  • ....they're willing to sacrifice a useful intelligence resource on moral grounds (aka "Gentlemen do not read other peoples' mail"), or
    They're lying, and will continue to do it through a more rules-lawyering of whatever legislation is passed. (ie a 3rd party company "Not a government entity!" will buy the zero-days and use them to provide intel to Germany)

    Personally, I can't see a meaningful country forgoing useful intel. Vanuatu, sure.

  • Not even a single shell company with ties will?
    Do they pinky swear?
