The Sueddeutsche Zeitung (SZ) reported on Monday that the Bundesnachrichtendienst (BND) will spend €28 million in 2015 on its "Strategic Technical Initiative" (SIT).
A confidential report seen by the newspaper showed that spies have asked a parliamentary oversight committee for a total of €300 million for the SIT programme between 2015 and 2020. Over €6 million has already been spent in 2014 laying the groundwork.
They say that the aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.
Government spokesman Steffen Seibert confirmed to dpa on Monday that the BND had in the past worked with French computer security firm Vupen, which is known to sell details of security holes to governments.
But the new money was being spent to "strengthen the available technical base" at the BND and reduce its reliance on outside contractors, he said.
Splashing cash on security grey market
Confidential plans seen by the SZ and broadcasters WDR and NDR show that the BND said it would spend €4.5 million to help it find security holes in the Secure Sockets Layer (SSL) protocol used by millions of web services to protect personal information.
There is a lively grey market online among hackers and security researchers for "zero day" exploits, so called because they are undiscovered and internet users have had no time to prepare for them.
But rather than fixing the security problems, the spies want to use them for surveillance.
The programme to penetrate SSL, codenamed Nitidezza, would also target the HTTPS protocol which is the standard for many banks, online shops, webmail providers and social networks.
“Holes in SSL need to be patched [fixed] because it is ubiquitous and everyone depends on it for their security,” said Jim Killock of London-based digital rights NGO Open Rights Group.
"There is a real risk that failing to fix problems means criminal gangs will seek to obtain the same data using the same defects."
Killock's sentiments were echoed by internet activists in Germany, with German Pirate Party president Stefan Körner arguing that “we should expect that a responsible intelligence service would do everything to fix holes in our security infrastructure.”
“If this is the strategy of the government for our security, we should fear them and their intelligence agencies more than the danger of cyber-terror that they're always hyping.”
Körner and other critics argue that the government should not be funding the grey market in internet security holes with taxpayers' money.
“Supporting the market for security holes is a very bad idea from the government's point of view,” Michael Waidner of the Fraunhofer Institute for Secure Information Technology told Spiegel.
Every weak point was a serious risk for the country's own citizens, government agencies and businesses, Waidner said, because it could never be certain who else had access to the loopholes.
'Attack on fundamental rights'
Activist hacker collective the Chaos Computer Club (CCC) released a statement saying that the plans were "a serious and unacceptable attack on our fundamental rights".
CCC spokesman Dirk Engling said that the government should not have an interest in keeping security holes open.
A BND spokesman contacted by The Local said the agency would not comment on operational matters.
While the BND is legally forbidden from conducting spying operations inside Germany, it has worked closely together with foreign intelligence agencies including the American National Security Agency (NSA).
Following the revelations by NSA whistleblower Edward Snowden about the NSA's far-reaching internet surveillance programmes, a recent poll showed that Germans believe foreign spies are the biggest threat to their liberty.