Not to be confused with cyberwarfare or cyber espionage, the use of a Government Trojan is centered upon gathering information on a country’s own citizens. As with most Trojans, a Government Trojan is usually disguised as an attachment or a link that, when clicked, installs software on the user’s machine. This can take the form of keylogging software or software that accesses audio or visual controls, decryption keys, or files.
The following are well-known cases of nations using Government Trojans to monitor their internal activities:
United States: In 2001, the FBI answered a Freedom of Information Act request about a Government Trojan known as “Magic Lantern.” This software was intended to harvest decryption keys so that the FBI could access suspected criminal activity. Needless to say, this created an uproar among both privacy advocates and anti-virus companies. The latter would have to decide whether they would flag Magic Lantern as part of their security software. More recent examples of US Government Trojans, if any, have been less publicized.
Germany: In 2007, the “Bundestrojaner” (which literally means “Government Trojan”) was used by German federal agencies to spy on criminal internet activity—namely, suspected terrorists and those capable of potentially causing harm to its citizens and state. The implementation of Bundestrojaner was subsequently limited when the German court system required that a warrant first be issued. In 2011, another Trojan, the R2D2, was discovered and allegedly used to log Skype conversations and the use of a computer’s webcam (it was actually traced to German and American servers). Finally, in 2017, the German government passed an amendment to the criminal code permitting the use of Bundestrojaner by police to access suspected individuals’ computers, mobile devices, and internet activity—including chat and text records.
Mexico: At some point prior to January 2015, the Mexican government purchased the Pegasus spyware from NSO Group Technologies, an Israeli cyberarms company, with the intention of spying on drug cartels and other criminal enterprises. This spyware, however, would ultimately be used to monitor a variety of individuals, including outspoken critics of the Mexican government and anti-corruption journalists. By exploiting smartphone vectors, a user’s cell phone activity—including its camera, speaker, calendar and contacts data—could easily be accessed. This breach of privacy was eventually uncovered by a human rights activist who reported a suspicious link to Citizen Lab, a web security research organization at the University of Toronto. The links that most users received were said to be innocuous, with information like directions to a funeral or wake, a missing child alert, or information on visa status. Others were more menacing, threatening to expose proof of extramarital affairs, sexual exploits or other embarrassing secrets. What makes Pegasus unique is that it encompassed both domestic and international targets, breaking from the internal capacity in which Government Trojans are typically implemented. And, because of its design, identifying the culprit is nearly impossible. While the Pegasus spyware is only sold to governments, and while the Mexican government did, in fact, purchase Pegasus for its own use, there remains no proof that an entity under its explicit direction was ordered to deploy Pegasus in a manner which violates privacy rights.
The use of a Government Trojan remains controversial, pitting fear against trust and the right to privacy. As technological capabilities evolve, balancing the privacy and protection of a nation’s citizens will require both analysis and compromise, as well as input from experts in Law, Ethics, Psychology, Social Science, and the many disciplines of Computer Science.