The software developer Lilith Wittmann, who had been accused of various offenses after discovering security gaps in the app and database of CDU connect, is no longer being investigated. This emerges from a detailed blog post by Wittmann.
In May 2021, she had documented serious security gaps and reported them to the party as well as to the BSI and the Berlin data protection officer. The party had already taken the app offline. CDU connect helped party supporters coordinate their visits during the door-to-door election campaign. In the process, however, personal data, including the political leanings of citizens, had evidently been recorded over the years. This data ended up in a CDU database. The CSU and the Austrian People’s Party ÖVP used identical systems.
That database, as Wittmann explained then and explains now, was completely unprotected: it could be accessed via simple API calls without having to overcome even the simplest mechanism, such as a password prompt. The Berlin Public Prosecutor’s Office has now agreed with this view. In the documents that Wittmann has published in extracts, there is a file note from an investigator: “The data were therefore not protected from unauthorized access and, from a technical point of view, were publicly available.” The notorious “hacker paragraph”, Sections 202a/b/c of the German Criminal Code, is therefore not applicable.
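To make the technical point concrete, here is an added example that is not code from the article or from CDU connect. It contrasts a record endpoint that answers any API call with one that first authenticates the caller and then returns only that caller’s own records, and includes the self-check an operator can run to confirm that no data is served without credentials. All names, records and tokens are constructed for the illustration.

```python
import hmac

# Constructed sample data: canvassing visits, each owned by the supporter who recorded it.
RECORDS = [
    {"id": 1, "owner": "anna", "street": "Example Street 1", "note": "not at home"},
    {"id": 2, "owner": "anna", "street": "Example Street 2", "note": "wants information"},
    {"id": 3, "owner": "ben", "street": "Sample Road 7", "note": "not interested"},
]

# Constructed credentials: bearer token -> account name. A real deployment would store
# only hashes of issued tokens and hand them out through a login flow.
TOKENS = {
    "tok-anna-0000": "anna",
    "tok-ben-1111": "ben",
}


def vulnerable_handler(path, headers):
    """Weak endpoint: any GET /visits returns every record.

    Nothing identifies the caller, which is the situation the article describes:
    the data is reachable through plain API calls with no password prompt in the way.
    """
    if path != "/visits":
        return 404, {"error": "not found"}
    return 200, RECORDS


def _authenticate(headers):
    """Return the account for a valid 'Authorization: Bearer <token>' header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):].encode()
    account = None
    for token, name in TOKENS.items():
        # Constant-time comparison so response timing does not reveal how much matched.
        if hmac.compare_digest(token.encode(), presented):
            account = name
    return account


def hardened_handler(path, headers):
    """Hardened endpoint: authenticate the caller, then apply object-level authorization.

    A single login gate is not enough for personal data; each supporter must only see
    the records they own, so the filter runs on every request.
    """
    if path != "/visits":
        return 404, {"error": "not found"}
    account = _authenticate(headers)
    if account is None:
        return 401, {"error": "authentication required"}
    own = [record for record in RECORDS if record["owner"] == account]
    return 200, own


def unauthenticated_exposure(handler):
    """Operator self-check: call the endpoint with no credentials at all.

    Returns True if records come back, i.e. the data is publicly available in the
    sense the investigator's file note describes; False if the call is refused.
    """
    status, payload = handler("/visits", {})
    return status == 200 and isinstance(payload, list) and len(payload) > 0


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(f"{name}: exposes records without credentials -> {unauthenticated_exposure(handler)}")
```

The self-check is the kind of test worth wiring into a deployment pipeline for any endpoint that touches personal data: it asserts on behaviour (does an anonymous request get records back?) rather than on the presence of a login screen somewhere else in the app.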
The criminal complaint came from the CDU
The investigation had come about because Union Betriebs GmbH, that is, the CDU, had filed a criminal complaint against Wittmann. When she posted this on Twitter, a lively discussion followed. The CCC announced that it would no longer report any gaps to the CDU if investigations were to follow despite the usual “responsible disclosure” procedure. Shortly afterwards, CDU Federal Managing Director Stefan Henning stated that the complaint had been withdrawn, which did not help much in this case: once a criminal offense has become known, a public prosecutor must investigate even without a complaint from the victim. That is now off the table. Wittmann also described the course of events up to that point in an interview with heise online.
Despite Wittmann’s exoneration, the whole affair still has two important secondary aspects. On the one hand, she was also accused of having published the data records collected with CDU connect on Pastebin. Wittmann has always denied having saved, let alone published, the data, and the public prosecutor’s office found no evidence of this either. It therefore remains unclear whether the data ever existed on Pastebin, and how it got there. According to the authority, it was also not possible to determine whether the data was distributed elsewhere.
The data protection officer’s examination is still ongoing
On the other hand, proceedings before the Berlin data protection officer are still ongoing. Now that a public prosecutor’s office has established that citizens’ personal data was unprotected on the web, this could become quite uncomfortable for the party. An end to the investigation into possible GDPR violations is not yet in sight, as the authority told heise online at the beginning of August 2021.
In addition, the termination of the investigation against Wittmann should finally shed some light on the question of when the hacker paragraph applies at all. The mere use of standard access functions to retrieve data that is in no way protected online is no longer sufficient for this.