Konrad-Adenauer-Haus: »Publicly negatively referred to as a hacker«
Photo: Michael Kappeler / dpa
The software developer Lilith Wittmann discovered weaknesses in the election campaign app "CDU Connect" in May and made them public.
On this Tuesday, she received a mail from cybercrime investigators at the Berlin State Criminal Police Office: She was a suspect in an investigation because of the CDU app, according to the mail that Wittmann made public on Twitter.
On Wednesday afternoon, the CDU admitted that it had filed a complaint against Wittmann with the LKA and at the same time apologized for the process. Stefan Hennewig, the party's federal manager, wrote on Twitter that it was a mistake to mention Wittmann's name in the ad.
"Threatening me with a complaint first because I didn't want a consulting contract with them and then withdrawing because of public pressure, I think it's a bad joke," Wittmann told SPIEGEL about the CDU's apology.
Actually, in view of the error culture and the party's incomprehension for the digital world, she unfortunately expected exactly the same behavior from the CDU.
"The whole thing fits into the picture that Armin Laschet publicly referred to me as a hacker at the time," said Wittmann, referring to an interview in which Laschet commented on the security gap in the app.
The CDU Connect app is intended to support the party's doorstep election campaign.
In the program, election campaigners should be able to record who was on which street and where citizens the door was opened.
Wittmann had discovered security gaps in the CDU Connect app that enabled attackers to access “the personal data of 18,500 campaign workers, including email addresses, photos, and sometimes Facebook tokens,” as she wrote in a blog post.
"The personal data of 1,350 supporters who were recruited to help the CDU in the election campaign, including address, date of birth and interests" were also at risk.
(Read more about the vulnerability in the app here.)
Chaos Computer Club no longer wants to help CDU
The complaint against Wittmann is also an astonishing process because Wittman himself had pointed out the weaknesses to the party before making the problems public in a blog post.
This process is called "Responsible Disclosure" in IT security research and is intended to ensure that weak points are closed and cannot be exploited by criminal hackers with malicious intent.
"Our ad is not directed against Lilith Wittmann's Responsible Disclosure procedure," Hennewig explained on Twitter.
Outside of this procedure, in connection with the security gap, there was allegedly also a publication of personal data by third parties, wrote Hennewig and thus indicated a possible reason for the report.
The Chaos Computer Club (CCC) sharply criticized the CDU for the ad in a statement on Wednesday. "Unfortunately, the CDU has unilaterally terminated the implicit ladies and gentlemen agreement of the Responsible Disclosure," wrote the CCC in a statement. As a consequence, the club will no longer report any weaknesses to the CDU in the future.