
IT expert points out security leaks to CDU – and is reported for it

That helping does not always pay off is shown by a recent case that has become public in the middle of the election campaign. IT expert Lilith Wittmann alerted the Christian Democratic Union (CDU) to glaring security vulnerabilities in its party-owned app “CDU Connect.” At the beginning of the week, however, her work on these vulnerabilities threatened to have serious consequences for her: in the meantime, a preliminary investigation against her had even been opened. The party of chancellor candidate Armin Laschet has since backtracked.

Mail from the Berlin LKA

When Lilith Wittmann checked her e-mail inbox at the beginning of the week, she was certainly surprised to find a digital letter from the Berlin LKA (State Criminal Police Office). In it, special investigators for cybercrime informed the young software developer that she was the accused in an investigation. The case, they said, revolved around the app “CDU Connect.” When Wittmann published the e-mail on the short message service Twitter, a huge outcry went through the online community.

In particular, the Chaos Computer Club (CCC) showed solidarity with the IT expert. The investigation against the young woman had not been initiated by the LKA itself. Instead, the CDU admitted on Wednesday, 04.08.21, that the party had filed the criminal complaint. The CDU’s federal manager, Stefan Hennewig, also published a statement on the Wittmann case on Twitter, in which he wanted to make clear that filing the complaint with Lilith Wittmann’s name at its center had quite clearly been a mistake.

Wittmann is rightly incensed

It is hardly surprising that the IT expert is very angry about the whole affair. Wittmann told the news portal SPIEGEL:

“First threatening me with a criminal complaint because I didn’t want a consulting contract with them, and then withdrawing it because of public pressure: I find that a bad joke.”

She sees the party’s apology as absolutely meaningless and even calls it a “non-apology.” For her, this behavior is once again proof of how far removed the CDU is from the digital world. But that hardly surprises her, by her own account. After all, the CDU’s candidate for chancellor, Armin Laschet, had already publicly called her a hacker in May, when the security leak in the CDU app became known.

Digital doorstep campaigning thanks to app

Corona has shaken up all of social life, and this has also affected the campaign for this year’s federal election. The classic door-to-door campaign, which is essential for traditional parties such as the CDU, can only be carried out with enormous hurdles. Accordingly, the party launched its “CDU Connect” app in May. It was meant to recruit and register potential campaign helpers and to record successful door-to-door visits. The basic idea is perfectly understandable, but the implementation was highly questionable.

And this brings us to the cause of the problems Wittmann had with the Berlin LKA. In May, the IT expert reported in a blog post about a glaring security hole she had found in the CDU Connect app. The gap exposed sensitive personal data of registered campaign workers; 18,500 people were affected. And not only that: the data of more than 3,000 party supporters who had already been registered by the helpers was also at risk. People with criminal intent could have done serious damage with this personal data.

Wittmann has nothing to reproach herself for

For its part, Germany’s best-known group of experts on data security and IT, the Chaos Computer Club, wants to draw consequences from the CDU’s questionable behavior. This hardly surprises anyone, given Lilith Wittmann’s thoroughly correct conduct. After discovering the app vulnerability, the IT expert first reported her extensive concerns about data security to the CDU itself, as well as to the responsible data protection authority in Berlin and to CERT-Bund. Only afterwards did she publish the problem on Twitter.

The CDU app “CDU Connect” is in focus. (Image: Apple App Store)

In IT circles, this is referred to as “responsible disclosure.” Ethically correct IT professionals adhere to exactly this order so that potential criminal hackers cannot react to the report before the hole has been closed. Accordingly, Hennewig from the CDU also clarified in his Twitter statement that Wittmann herself had nothing to do with the complaint filed by the CDU. Rather, it was a criminal complaint against other people who had exploited this data gap and published sensitive data from the app.

CCC will no longer assist the CDU in the future

The CDU may have harmed itself with its actions. In a statement on Wednesday, the well-known CCC attacked the CDU for its conduct in the matter and announced consequences:

“Unfortunately, the CDU has thus unilaterally terminated the implicit ladies-and-gentlemen agreement of Responsible Disclosure.”

This means that the Chaos Computer Club will no longer alert the party to any corresponding data leaks in the future. Given the CDU’s questionable behavior, this is quite understandable. Since the work of the CCC on data protection and the prevention of cybercrime is recognized nationwide, the party has shown itself appropriately remorseful. CDU politician Thomas Jarzombek, who specializes in digital policy, declared that he respects the CCC and holds it in high regard. On Twitter he wrote:

“Responsible Disclosure is essential for the hygiene of our IT infrastructure and help for those affected.”

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
