Privacy vs protection: Police and the right to hack
Australia's state police have been upping the ante on criminals who use technology to protect their activities, but is it the right way to go?
The governments of Victoria, Queensland and New South Wales (NSW) have moved to boost covert search and telecommunication interception powers that police can use in the fight against crime.
Privacy advocates have criticised such moves for giving police too much power. Meanwhile, law makers have justified the moves on the grounds they are necessary to reduce the cost of fighting crimes such as drug trafficking, terrorism and child pornography.
In January the UK government said it had agreed to work with the European Parliament on plans to extend police powers to remotely search computers. While the plan to allow police hacks is due to be implemented within the next five years, the Home Office said in January that no timetable or detail for the proposals had yet been settled.
Shortly after the German government discussed amending its laws to allow police to hack suspects' computers, Finnish security company F-Secure surveyed Europe and the US, collecting 1,020 responses to the question: 'Should police hack?'. Overall 23 percent were in favour, 11 percent were undecided and 65 percent were against it. However, responses varied significantly by country: around 91 percent of Germans were against it, while only 56 percent of Britons were against the idea.
In an email interview, ZDNet UK's sister site in Australia, ZDNet.com.au, asked renowned security researcher Mikko Hyppönen about the pros and cons of law enforcement using hacking techniques to fight crime.
Q: Is giving police the power to covertly and remotely access a suspect's computer a necessary weapon to fight crime today, given that criminals have adopted technologies such as encryption for hard drives and communications?
A: Remote access is used exactly to fight hard-drive and communication encryption. You can't bypass those unless you're allowed to hack the computer itself; then you can access the data even if it's encrypted in transit or when the computer is not in use.
What are the risks associated with allowing police to hack a suspect's computer?
Contaminating evidence, ethical problems related to surveying innocent suspects and getting caught while doing it.
What's the status in Finland and Sweden?
In Finland, police are not allowed remote evidence collection. Police aren't even allowed to wiretap internet traffic at all except in extreme cases.
In Sweden, the FRA [the military intelligence] has broad rights to intercept and read any 'foreign' traffic passing through Sweden. This includes large parts of all the traffic from neighbouring countries, including Finland and, to some extent, Russia. Which is what they're really after I guess.
What, in your view, is the biggest technological challenge for police in terms of collecting evidence in today's world?
The sheer amount of data.
What is F-Secure's position on giving law-enforcement agencies special access to customers' computers? Should it co-operate with police and not block attempts to hack a system?
We regularly work together with various law-enforcement agencies around the world to track virus writers and online criminals. So we're obviously 'for' any improvements the international police effort needs to cut down online crime.
Having said that, most of the rights discussed here would not be used against online criminals, but to investigate real-world crime that uses computers as a tool; drug trafficking, organised crime and so on. The circumstances would have to be quite serious before police would be granted such surveillance access.
We are selling products to protect our customers from attack programs — regardless of the source of such programs. Surely you could imagine a case where our customer would be innocent of any wrongdoing and by mistake he would be suspected for a crime he didn't commit. In such a situation he would have full expectation of his antivirus protecting him against Trojans, even if those Trojans would be coming from the police.
But the bill being introduced in NSW would give police physical access to the computer. Wouldn't that render any security provisions on a computer useless anyway?
Basically, yes. They could install physical keyloggers to get your passwords.
Having said that, we've never received a request from any police force or intelligence organisation anywhere in the world not to detect their Trojans. So if they use Trojans, they do not submit them to antivirus companies.
If we have received samples of such Trojans from the field [from customers], we have been unable to distinguish them from 'normal' criminal Trojans.
And even if an official would contact us, asking not to detect their Trojan, we would follow our guideline on this, published eight years ago in 2001. Please see our public statement on the topic.
It would be a slippery slope to stop detecting government Trojans. If the Australian police would ask us not to detect something and we would do it, then what? Should we avoid detecting hacking software used by governments... of which country? Germany? USA? Israel? Egypt? Iran?