[Photo: Entrance area of the Konrad-Adenauer-Haus. Credit: Clemens Bilan / EPA]
The app "CDU Connect" was supposed to make the party's election campaign easier and more efficient, but so far it has mainly given the CDU negative headlines.
In the app, election campaigners of the party could enter the door at which they have already rung and how the residents feel about the CDU.
In May, however, security researcher Lilith Wittmann revealed that personal data stored in the app was poorly protected and could easily have been accessed by unauthorized persons.
Among other things, "personal data of 18,500 campaign workers, including e-mail addresses, photos, and some Facebook tokens" could have been stolen, Wittmann wrote at the time.
Wittmann had, however, informed the CDU before making her findings public.
This procedure is called "responsible disclosure", a tried and tested practice in the IT security community that gives those affected the chance to close the vulnerability first and makes the net more secure overall.
In response, the CDU temporarily took the app offline - and reported the security researcher, first to the Federal Criminal Police Office and then to the Berlin public prosecutor's office.
This ultimately triggered an investigation on suspicion that Wittmann had unlawfully spied out data.
This emerges from documents seen by SPIEGEL.
As part of their investigations, the public prosecutor's office, in cooperation with cybercrime investigators from the Berlin State Criminal Police Office, found that there really was a security gap in the app.
According to the authority, no security mechanism or access protection had to be overcome in order to reach the app's internal data.
This assessment could also be of interest to the Berlin data protection officer.
The CDU itself had reported the data breach there in May.
In the meantime, the Berlin data protection officer has initiated an investigation into the incident.
Controversial "hacker paragraph"
According to SPIEGEL information, the CDU's complaint led to an investigation against Lilith Wittmann under a provision feared by IT security researchers: Section 202a of the Criminal Code, known as the "hacker paragraph".
The regulation was introduced by the grand coalition in 2007 and has been sharply criticized by security researchers for making their work considerably more complicated.
"I still think it's the very last thing to do, deliberately exposing security researchers to a criminal complaint," said Wittmann in an interview with SPIEGEL.
Something like that destroys the trust within the community that vulnerabilities can be reported in confidence.
"I also think it's an absurd waste of resources that authorities have to deal with investigations against researchers," said Wittmann, criticizing the CDU's approach.
Carsten Hoenig, who represents Wittmann legally in the case, considers Section 202a "simply poorly crafted." The provision "threatens to criminalize security research and is simply worded too vaguely," says Hoenig.
Written withdrawal of the complaint six days after Twitter announcement
Only after Wittmann made the investigation against her public at the beginning of August and, among others, the Chaos Computer Club sharply criticized the CDU did the party back down.
CDU Federal Managing Director Stefan Hennewig apologized publicly to Wittmann and wrote on Twitter that he had withdrawn the complaint.
The case made headlines across Germany at the time.
Six days later, the party declared in writing to the public prosecutor's office that it would withdraw the criminal complaint against Wittmann, as can now be reconstructed.
Apparently, however, there had already been a phone call between the CDU and the investigating State Criminal Police Office.
However, since Section 202a is a so-called relative complaint offense (one the authorities may also prosecute without a complaint), the public prosecutor's office had to continue investigating even after the CDU withdrew its complaint.
In the meantime, the Berlin public prosecutor's office has indeed closed the investigation against Wittmann.
This was, however, less because the CDU withdrew its criminal complaint than because the office simply found no offence on Wittmann's part.
Because no special technical safeguards in the CDU Connect app had to be overcome, the "hacker paragraph" could not have been violated, according to the authority's reasoning.
Leaking links to nowhere
At the same time as it withdrew the criminal complaint against Wittmann, the CDU filed a complaint against persons unknown, because third parties had allegedly published data from the election campaign app. As evidence, the CDU referred to a link on the Pastebin platform, where content can be published anonymously. The link was said to be »pastebin.com/cduconnect«, and the party apparently feared a leak there. However, the party could not check whether any information had been published under that link, because it led nowhere.
In fact, it seems practically impossible that this Pastebin page ever existed: the platform assigns a randomly generated link to every new paste, so a specific name such as "cduconnect" is not possible.
"I would have expected the Cyber-LKA to clarify with expert knowledge that this URL cannot exist," says Wittmann.
The Berlin public prosecutor's office has now also stopped investigations into unknown persons.