Tuesday, January 6, 2009

When Is Hacking OK?

Here in the States, agencies such as the FBI are known to employ some nefarious methods to gather evidence of a crime, such as installing keystroke loggers or other spyware-like code on the computers of suspects. What's less clear is whether law enforcement agencies are required to obtain search warrants or court orders before implementing hacking techniques that would land the rest of us in the pokey.

It's not even a question in the UK anymore, as police there have been given permission to hack into the computers of suspects without the need for a court-approved warrant of any kind.
The technique is known as "remote searching", a nice euphemism for breaking into your personal computer(s) without your knowledge and removing items of interest that can later be used against you in a court proceeding. It follows a European Union (EU) decision to allow police across the EU to significantly expand the use of what had previously been a seldom-used power involving warrantless intrusive surveillance of private properties. This would include the ability of MI5 or other police agencies to remotely search the contents of your computer hard drive from hundreds of miles away, whether you were at home, in your office, in a hotel, or working from a conference.

If that's not disturbing enough, consider that this ruling allows other agencies from the EU (French, German, etc.) to ask their counterparts in England to invasively search someone's UK computer and send back to them any information or material obtained in the remote search.
Concerned that the contents of your email or your web browsing habits might be examined without your permission? You should be. It certainly makes you think twice before you decide to IM with friends, knowing that someone might be reading your keystrokes. Similarly, how about the people with whom you are communicating? Their information becomes part of the data mining too.

What are the requirements that need to be met before your privacy can be violated under this ruling? Well, if a senior officer "believes" that it is "proportionate" and necessary to prevent or detect serious crime, then all bets are off. That seems pretty subjective to me, and anytime you add subjectivity into the mix, the propensity for abuse of power is both real and well documented.

If there are any doubts, examine the American policy of National Security Letters instituted after September 11, in which federal agencies could go to the secret FISC court implemented under FISA - often after the fact - to obtain the needed permission to justify the search of a suspect's property or information.

A 2006 US Justice Department report cited "issuance of NSLs [national security letters] without proper authorization, improper requests and unauthorized collection of telephone or Internet e-mail records due to FBI errors or mistakes made by NSL recipients." In 2006, FBI agents using NSL requests sought secret data on more than 11,500 U.S. citizens and resident aliens, compared to 6,500 in 2003, and there were also about 8,600 requests for information about "non-U.S. persons" that included visiting and illegal foreigners, which was actually down from 10,200 in 2003. Quite a black eye for the FBI, who struggled to get into compliance with the NSL requirements even after their abuses became public.

So what did the FBI do? In early 2008, reports surfaced that the FBI had sought approval from the very same Foreign Intelligence Surveillance Court to implement their CIPAV spyware program to support investigations into terrorism or foreign spying. Some of these FBI requests dated back to 2005, while the agency was still trampling the rights of citizens using NSLs.

What's CIPAV? The acronym stands for "computer and internet protocol address verifier," software designed to secretly infiltrate a suspect's computer and collect information, including the IP address, MAC addresses (the hardware address of the card your network cable plugs into; theoretically, no two NICs anywhere in the world have the same MAC address), a list of open TCP and UDP ports, running programs, operating system type and serial number, default browser, the registered user of the operating system and the last visited URL, among other things.

Once this information is collected, it is secretly sent to FBI systems in Quantico, Virginia. From then on your machine is monitored, checking in regularly with the FBI to report your activity without your knowledge. Very Orwellian.

Civil liberties groups in both the UK and US have howled in outrage over not only the scope of information that can be obtained, but the cloak of secrecy and the lack of adequate oversight to ensure that the new rules are followed in this age of technology-aided sleuthing.

Many are questioning the different rulesets for searches of homes and physical property versus binary data, with good reason. As we're seeing in cases involving online music sharing litigated by the RIAA, intellectual property lawsuits, and other civil and criminal proceedings involving the use and transport of materials via 1s and 0s, there's a significant lack of maturity in the interpretation of laws intended for 20th-century property when applied to modern electronic data that can span the globe in an instant.

Given the UK government's track record on data breaches involving information in their care and control, there's an additional layer of risk I'd call out. One would hope that since the stated goal is to secretly obtain evidence for use during an investigation, a measure of data security above and beyond what is typically used would be implemented. Time will tell if that's a valid wish.

As someone with a background in investigation and prosecution before coming over to the dark side of information security, I can understand the desire to have many investigative tools available in the constant struggle of good vs. evil. I'm also pragmatic enough to support the theory that "absolute power corrupts absolutely," and I'm a strong believer in the application of oversight and the implementation of frameworks that include checks and balances. There's simply too much evidence that abuse occurs.

The UK implementation of the EU directive is a bad idea, even in a world filled with emerging threats and evolving technologies being put to use by radical elements and terror groups. Are we willing to surrender civil liberties when the tradeoff is a vague, unsubstantiated promise of safety?

Since these kinds of measures are being implemented globally, it sounds like the answer is yes. I hope we don't come to regret that decision any more than we do currently.
