The Hackers Russia-Proofing Germany’s Elections

The Chaos Computer Club, a multigenerational army of activists, has made the country’s democracy a lot tougher to undermine.

At its Goulash Programming Night in May, CCC ran a pop-up, high-capacity network to meet 800 hackers’ bandwidth needs, while mammoth drums of stew filled their bellies.

Photographer: Antoine Bruy for Bloomberg Businessweek

The hack began as trash talk. Germany’s voting computers were so vulnerable to tampering that they could be reprogrammed to play chess, the hackers boasted. But then the machines’ maker dared them to try. Bound by honor and curiosity, the hackers got their hands on one of the computers and had it playing chess after about a month. “We have to admit,” they later wrote, “that it does not play chess all that well.”

Featured in Bloomberg Businessweek, July 3, 2017. Subscribe now.
Photographer: Ian Teh for Bloomberg Businessweek

This wasn’t just a prank. The hackers, several of them associated with the Hamburg collective known as the Chaos Computer Club, or CCC, also proved they could manipulate votes that the computers had recorded. As a result, Germany’s Federal Constitutional Court struck down the nation’s use of voting computers, citing CCC by name in its ruling. Oh, and this was in 2006.

From imperfect voting machines to the fake news that chokes social media, the U.S., the U.K., and France are only beginning to wrestle with the ways in which democracy can be hacked. In Germany, which is heading to the polls in September, CCC has been paying closer attention. Sometimes that means such stunts as reprogramming computer systems on a dare, but the loose confederation of about 5,500 hackers isn’t a bunch of bored teens in it for the lulz. Its 29 local chapters are stocked with professionals who run security for banks, head encryption startups, and advise policymakers. The group publishes an occasional magazine, produces a monthly talk radio show, and throws the occasional party, too.

All this has made CCC into something that sounds alien to American ears: a popular, powerful, tech-focused watchdog group, one whose counsel has been sought by both WikiLeaks and Deutsche Telekom AG. By exposing weaknesses in German banking, government, and other computer systems, CCC has helped make them more resistant to attack and contributed to a society that’s exceptionally careful about believing what it sees online. In the runup to their federal elections, Germans are tweeting a much higher proportion of real news—as opposed to campaign spin, amateur screeds, or outright b.s.—than Americans or Brits did during their latest political campaign seasons, according to researchers at the University of Oxford.

GPN was held in a cavernous former munitions factory. Other CCC events draw as many as 12,000 participants, to both work and hang out.
Photographer: Antoine Bruy for Bloomberg Businessweek

“The only way to save a democracy is to explain the way things work,” says Linus Neumann, a CCC spokesman and information security consultant. “Understanding things is a good immunization.”

Co-founded in 1981 by Wau Holland, an activist who anticipated the security concerns that computers could bring, CCC was most famous in its early years for an incident in 1984, when the group warned Germany’s state-run postal service that its early pay-per-page internet service, Bildschirmtext, had a hole in its security. The postal service ignored the warning, and CCC members exploited the flaw to electronically steal 134,694.70 deutsche marks (about $48,000 at the time) from a local bank in tiny increments, using the bank’s identity to access a pay-per-view site CCC had set up. The hackers then called a press conference and returned the money on camera.

Photographer: Antoine Bruy for Bloomberg Businessweek

After the Berlin Wall came down, CCC went on to expose a series of major security flaws in other electronic systems, including early cell phone encryption and biometric identification. About a decade ago, the group circulated a fingerprint of Wolfgang Schäuble, then the minister of the interior, to demonstrate that the use of biometric data in German passports wasn’t the incredible security advance Schäuble had claimed. Copies of the fingerprint, which CCC published on pieces of plastic inserted into one of its magazines, easily fooled electronic ID readers.

“The CCC has greatly contributed to having an informed discussion on cybersecurity and internet governance in Germany,” says Jan Philipp Albrecht, a German member of the European Parliament who’s vice chairman of the legislature’s committee of civil liberties, justice, and home affairs. “Their work on the security issues of voting machines has saved German elections.”

The group still doesn’t exactly work hand-in-hand with the German government. In 2011, more than a year before Edward Snowden revealed the scope of the National Security Agency’s internet monitoring, CCC exposed German government use of Trojan malware to spy on citizens’ computers, incidentally creating a new German word: Staatstrojaner. Spokesman Neumann, who has testified before Germany’s Parliament a half-dozen times, made his most recent appearance before the legislature on June 1, during a hearing on a proposed law that would govern police use of the spyware. In 2014, CCC member Jan Krissler, a university researcher who goes by the handle Starbug, copied another government minister’s fingerprints—this time, it was the defense minister—simply by zooming in on stock photos of her.

Neumann says CCC’s more important outreach is to ordinary Germans through marathon coding meetups fueled by an energy drink called Club-Mate, youth-centric events that focus on beginner-level programming, and parties that help set the group’s agenda. The annual conference, Chaos Communication Congress, draws a sold-out crowd of 12,000 from around the world.

Regardless of the international element, CCC events are undeniably German. At Gulaschprogrammiernacht (Goulash Programming Night), a recent event at a former munitions factory in the southwestern city of Karlsruhe, about 800 participants ate industrial amounts of the stew, both meat and vegan. Many took a break from their coding to screen an episode of My Little Pony: Friendship Is Magic, because the collective includes a lot of the cartoon’s superfans. (Purists clutching rainbow-colored stuffed ponies insisted the episode be shown in the original English.) When night fell, the meetup’s organizers mixed case after case of Havana Club three-year-old rum with limes, sugar, ice, and a liberal splash of Club-Mate to make the signature CCC cocktail, Tschunk. It tastes a lot better than it sounds.

Photographer: Antoine Bruy for Bloomberg Businessweek

Shortly before dinner on Goulash Programming Night, a couple of days after he made international news by faking out the iris-scanner lock on Samsung’s new Galaxy S8 phone, Krissler acknowledges that CCC’s efforts to fend off antidemocratic horrors such as Nazism or the Stasi aren’t always simple. WikiLeaks, for example, first gained traction as an idea at CCC’s annual conference in 2008, and a CCC-linked foundation continues to help fund it. WikiLeaks has made world politics more transparent, but it has also, perhaps inadvertently, given ammo to reactionary right-wing leaders around the world, including in the U.S.

As a decentralized gaggle of coders, CCC isn’t in the best position to reconcile those dissonances. The group has a tough enough time making any kind of lasting gains against the rising tide of surveillance, Krissler says, shrugging. “All the stuff will happen in the end,” he says. “Maybe I’m too skeptical about our influence.”

In a way, that’s a good sign for German democracy. As the CCC has demonstrated, skepticism is its strongest weapon.

Photographer: Antoine Bruy for Bloomberg Businessweek
Photographer: Antoine Bruy for Bloomberg Businessweek
Photographer: Antoine Bruy for Bloomberg Businessweek
Photographer: Antoine Bruy for Bloomberg Businessweek
Photographer: Antoine Bruy for Bloomberg Businessweek