When the Key Is Left in the Lock, Don't Blame the Lock
A commentary on the Signal phishing affair, the reflex response from a Bundestag Vice President — and the very loud silence of the Digital Minister
There are moments when German politics lifts the curtain and grants us a brief look at what hides behind all those Sunday-sermon speeches about “digital sovereignty.” The past few days have been one of those moments. Bundestag President Julia Klöckner, Education Minister Karin Prien, Construction Minister Verena Hubertz — all victims of a phishing campaign run through the messenger Signal. More than 300 people from politics, the military and journalism are in the attackers’ sights, according to the security services. Russian-backed, presumably. Active since at least September 2025, presumably. The Office for the Protection of the Constitution had warned the Bundestag and the Cabinet on 6 February. It clearly didn’t help.
What actually happened? Nothing spectacular. Nothing that warrants a foreign-espionage prime-time special. The attackers sent messages dressed up to look like notifications from “Signal Support.” Please type in your PIN here. Please click that link. Please scan this QR code to verify your account. This is — and it almost hurts to have to write this for a Bundestag President — the digital cousin of the man with the clipboard who rings your doorbell pretending to be from the energy company. If you hand him your bank details, you don’t have a problem with the door. You have a problem with yourself.
The Problem Isn’t in the Messenger. It’s in Front of It.
This is where Andrea Lindholz, Bundestag Vice President for the CSU, enters the stage. Of course she does. Whenever someone in this country answers a technical question with a political ban, the CSU is rarely far away. Her diagnosis: Signal has to go. Her prescription: ban the messenger from members’ and staff service phones. Use Wire instead — a competitor with servers in Switzerland and the EU. Reasoning: Wire doesn’t require a phone number, only an email address, and is therefore less susceptible to phishing.
If you read this, you rub your eyes. Not because Wire is a bad product — there are real conversations to be had about messenger architectures, metadata leakage and jurisdictions. But because the proposed switch doesn’t even touch the actual problem. Phishing is technology-neutral. That isn’t a footnote, it’s the entire point. Whoever clicks a fake link, scans a QR code without checking where it came from, or hands a code to a friendly stranger will do exactly the same thing on Wire. On Threema. On Element. On a custom-built, BSI-certified, Eifel-hosted solution with quantum-resistant encryption — doesn’t matter. The vulnerability isn’t the app. The vulnerability is the assumption that every message claiming to be from “support” is actually from support.
The fact that a Bundestag Vice President doesn’t appear to grasp this banal truth — or, worse, grasps it and still markets the platform switch as a solution — is hard to top in terms of IT incompetence. It is the political continuation of the logic by which one fights crime by replacing the door through which the burglar was politely invited in. It is security policy in petulant-child mode: if I don’t understand it, ban it.
The CSU Reflex: Banning What You Don’t Understand
It’s worth pausing to remember which corner this proposal comes from. Andrea Lindholz, long-time member of the Interior Affairs Committee, belongs to the party that has been hammering away at mandatory data retention for fifteen years — an instrument struck down by the Federal Constitutional Court in 2010, declared incompatible with EU law by the European Court of Justice in 2014, 2016, 2020 and 2022, on permanent legal life support in its German version, and revived by the CSU at every Conference of Interior Ministers like a ritual that has long since become an addiction. This is the party that pushes for the blanket retention of connection data of 80 million people because it might one day be useful, and that in the same breath champions state spyware, remote computer searches, automated facial recognition in public spaces and — through its EU sister party — the Chat Control regulation as a dignified compromise between freedom and security.
In other words: a political tradition whose brand identity rests on the systematic reading of other people’s communications is now demanding a ban on a messenger because its own leadership couldn’t recognize a phishing message. It would be pure comedy if it didn’t carry that unpleasant aftertaste — the casual ease with which, once again, the tool gets blamed instead of the user. Encrypted communication for citizens? A threat scenario, must be regulated. Encrypted communication for the Vice President? If it doesn’t behave the way we expect, ban it. Data-protection guardrails for state surveillance? An annoyance. Data-protection guardrails for a minister’s service phone? Suddenly the highest priority — provided one mistakes “data protection” for “switching platforms.”
It is, with respect, repeated proof that a substantial part of CSU security policy is not drawn from insight but from reflex. The reflex runs: if something digital goes wrong, we write a law against it. Not: let’s look at what actually went wrong. A party that has been processing its own data-retention trauma for fifteen years is conditioned to misread every digital question as a regulatory question. Phishing as a training gap? Too quiet, too boring, too unfit for press releases. Phishing as an app ban? Finally, a slogan for the next campaign weekend.
That this party of all parties now wants to define the digital security architecture of the Bundestag is not just embarrassing. It is political proof that IT incompetence and the appetite for surveillance are two sides of the same coin. People who don’t understand the Internet either want to regulate it or ban it — anything but seriously understand it.
A Masterclass in Reality Avoidance
The affair itself would be survivable. There are phishing victims everywhere, including in the United States, in corporate boardrooms, even among security researchers. Nobody is immune. What turns this episode into a textbook case is the response. It unfolds in three acts, and all three are documents of cluelessness.
Act One: the ministries say nothing. Prien’s spokesperson states they will “provide no information on government communication channels.” The Construction Ministry refers to “clear principles.” What that means, no one knows. Probably not even the ministry itself.
Act Two: Lindholz demands a Signal ban. With it, she politically codifies what is technically wrong — and tells the public the real scandal is the choice of app, rather than the fact that people with access to the most sensitive information have apparently not been trained well enough to spot a phishing message whose pattern has been documented since the late 1990s.
Act Three — and this one is the genuinely worrying part: Karsten Wildberger, Digital Minister, says nothing. The man who runs the newly created Federal Ministry for Digital Affairs and State Modernization, the former corporate executive who took office promising to drag the administration into the 21st century, the minister who launches into “digital sovereignty” the moment a microphone appears nearby — this minister of all people stays silent while one cabinet colleague after another walks into a trap that the constitutional protection service had warned against in writing three months earlier.
Why Is Wildberger Silent?
The answer is uncomfortable, but it lies in plain sight. If Wildberger were to open his mouth, he would have to say what’s actually true: this affair is not evidence that Signal failed. It is evidence that a security culture has failed — one in which top officials mix service phones with private apps, in which security training apparently consists of PowerPoint slides from 2014, in which warnings from the constitutional protection service evaporate somewhere between outbox and inbox. He would have to publicly contradict the Vice President of the Bundestag — an influential voice within his own coalition’s sister party. He would have to explain that the problem doesn’t live in the app store but in the heads operating the service phone. He would have to, in short, ask the political class to listen to the truth about itself. And that is precisely what someone who only recently learned, as a lateral hire, how the German civil service actually works tends to avoid.
So instead the Digital Minister stays silent, lets the IT debate be conducted by politicians who treat phishing as a platform problem, and leaves the public with the impression that the solution to Germany’s cybersecurity problems consists in migrating to a different vendor. This is not just a missed moment. It is a declaration of bankruptcy for digital literacy.
What Would Actually Help
Anyone taking this affair seriously would do the opposite of what is currently happening. Mandatory, recurring — not one-off — training on social engineering, run not as an email attachment but as a permanent, cross-departmental process. A clear separation between official and private communication, technically enforced rather than left to the discipline of individual ministers. Hardware security keys as a second factor, the kind that turn a stolen phishing code into a dead end. A culture in which a phone call to IT support before the click is the norm, not the exception. And — the most demanding exercise of all — a political class that accepts digital literacy as part of the job description, the way reading files or speaking on camera already are.
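The clause about hardware security keys turning a stolen phishing code into a dead end deserves a concrete illustration, because it is the one point in this debate that is technical rather than political. The simulation below is an added example, not code from the commentary or from any of the messengers it names. It models two second factors side by side: a static PIN or one-time code that the user types (the pattern the fake "Signal Support" messages exploited), and a WebAuthn-style hardware key that signs the service's challenge together with the origin the browser reports. The origins, the session names and the use of HMAC with a shared secret instead of a real public-key signature are constructed simplifications for the sake of a self-contained run.

```python
import hashlib
import hmac
import secrets

# Constructed sample origins (hypothetical, not taken from the commentary).
LEGIT_ORIGIN = "https://portal.example.gov"
PHISH_ORIGIN = "https://portal-example-support.test"


class PinServer:
    """Service that authenticates with a static PIN or one-time code typed by the user."""

    def __init__(self, pin: str) -> None:
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def verify(self, pin_entered: str) -> bool:
        return hmac.compare_digest(
            self._pin_hash, hashlib.sha256(pin_entered.encode()).digest()
        )


class HardwareKey:
    """Toy WebAuthn-style authenticator. It signs the server's challenge together
    with the origin the *browser* reports, so the user cannot be talked into
    signing for the wrong site. Real keys use public-key signatures; HMAC with a
    shared secret is used here only to keep the simulation self-contained."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)

    def enrol(self) -> bytes:
        # At enrolment the service stores the verification key (here: the shared secret).
        return self._secret

    def sign(self, challenge: bytes, origin: str) -> bytes:
        return hmac.new(self._secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class KeyServer:
    """Service that issues a fresh challenge per session and checks the response
    against its own origin, never against whatever origin the client claims."""

    def __init__(self, verify_key: bytes) -> None:
        self._verify_key = verify_key
        self._pending: dict[str, bytes] = {}

    def new_challenge(self, session: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[session] = challenge
        return challenge

    def verify(self, session: str, response: bytes) -> bool:
        challenge = self._pending.pop(session, None)  # single use: no replay
        if challenge is None:
            return False
        expected = hmac.new(
            self._verify_key, LEGIT_ORIGIN.encode() + b"|" + challenge, hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, response)


def pin_phish_succeeds(user_pin: str = "123456") -> bool:
    """A typed code is a bearer secret: whatever the look-alike page collects works as-is."""
    server = PinServer(user_pin)
    captured = user_pin                 # the user typed it into the fake "support" page
    return server.verify(captured)      # True: the service cannot tell who is typing


def key_phish_succeeds() -> bool:
    """Same trick against an origin-bound key: the fake page relays a real challenge,
    but the victim's browser is on PHISH_ORIGIN, so the key signs that origin and
    the legitimate service rejects the response."""
    key = HardwareKey()
    server = KeyServer(key.enrol())
    challenge = server.new_challenge("victim-session")   # relayed by the fake page
    response = key.sign(challenge, PHISH_ORIGIN)         # browser supplies the origin it is really on
    return server.verify("victim-session", response)     # False


def key_login_succeeds() -> bool:
    """Control case: the same key on the real site authenticates normally."""
    key = HardwareKey()
    server = KeyServer(key.enrol())
    challenge = server.new_challenge("own-session")
    return server.verify("own-session", key.sign(challenge, LEGIT_ORIGIN))  # True


if __name__ == "__main__":
    print("typed PIN phished:        ", pin_phish_succeeds())
    print("hardware key phished:     ", key_phish_succeeds())
    print("hardware key legit login: ", key_login_succeeds())
```

The point the simulation makes is the one the commentary makes in words: the fake page never needs to break the messenger, it only needs the user to hand over something that is valid no matter where it was entered. A typed PIN is exactly that. An origin-bound response is not, because the browser, not the user, supplies the origin, and the legitimate service only accepts responses for its own. That property holds on Signal, Wire, Threema or any other platform, which is why the fix is the second factor and the training, not the app.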
All of that is harder than calling for a ban. It packages worse into a press release. It produces no punchy “we are taking action” line. But it is the only path that doesn’t end up in the same hole at the next phishing attempt — over a different messenger, by email, by SMS, by phone, by spoofed website.
Coda
A country in which the Bundestag President falls for a QR code, the Vice President responds by demanding a messenger ban and the Digital Minister prefers to keep studying the file in the back office does not have a cybersecurity problem. It has an education problem. And as long as it refuses to recognize that, it will remain what it has been for years: a country moving through the digital age like someone stepping onto an escalator for the first time — queasy, gripping the handrail, vaguely hoping that someone competent will be waiting at the top.
Spoiler: nobody is.
Sources: netzpolitik.org, taz, Spiegel, basicthinking.de, heise online (April 2026)