Remote search and the invisible elephant

The EU recently awarded someone 300,000 euros to implement a police web site indexing home computers - extending the "in plain sight" argument for police intervention on the street to the information highway. In reviewing what's been written about this the most striking thing is that everyone knows how this is done, but nobody wants to say it.
Written by Paul Murphy, Contributor

Here are the headline and introductory paragraph from a Tom Espiner piece for zdnet published on November 28th of last year, under the title EU fights cybercrime with 'remote search' strategy:

The European Union Council of Ministers has agreed to adopt measures to fight online crime that will include 'cyber-patrols' and remote searches of suspect systems by police.

The EU plans to implement the strategy within the next five years. Another measure will encourage police forces to set up joint cross-border investigation teams, according to a European Commission statement on Thursday. There will also be increased data sharing between the police and the private sector.

More, in this case from the EU statement referenced above:

Cyber crime is a growing threat to our societies today. EU member states suffer daily thousands of attacks against their information systems. Viruses facilitating stealing information from personal computers, spam, identity theft, and child pornography are increasingly widespread. According to recent reports, images of sexually abused children available on-line quadrupled in the last five years and half of all internet crime involves the production, distribution and sale of child pornography.

The European Commission has cooperated closely with the French Presidency and the Member States in the elaboration of a series of practical measures to fight cyber crime. The new strategy recommends reinforcing partnership between the police and the private sector by better knowledge-sharing on investigation methods and trends in cyber crime. It also encourages both parties to respond quickly to information requests, resort to remote searches, cyber patrols for online tracking of criminals and joint investigations across borders. The strategy also calls for the setting up of an alert platform in the short term, where reports on crime committed on the Internet, such as posting of illegal content, in EU member states would be pooled for cross-checking by Europol. The Commission earmarked 300,000 euro for Europol to implement the platform.

Over the next month and a half the references to "remote search" generated a loud murmur - even the BBC, for example, provided some carefully couched coverage before the EU spin machine damped down discussion while quietly bowing to American sensitivities by denying that any infringement of privacy or bypassing of judicial process was intended to take place.

Thus the canonical Wintel apologia, presented by Ars Technica, spins the whole thing as a mistaken tempest in a non existent teapot: here's the January 6th summary and introduction, by Julian Sanchez:

You can imagine a boot stamping on a human face forever, if that's your thing. But despite a spate of overheated headlines flowing out of the United Kingdom this weekend, you probably don't need to imagine it just yet. The impression created by the flurry of press reports is that police there have suddenly acquired new powers to hack private computers without a warrant. In point of fact, precisely nothing in British law has changed.

You could be forgiven for missing that detail with stories boasting such titles as Police set to step up hacking of home PCs, British police can now hack citizens' PCs,Government plans to extend powers to spy on personal computers: Police could routinely hack into personal computers without the need for a warrant under new plans from the European Union, and New powers for police to hack your PC. In fact, British authorities have not been granted any new powers, and at this point the predictions of "routine" warrantless hacking are, as a Home Office spokesperson put it, "pure speculation."

He's right, there is no change in principle or British law here: European respect for the American ideal of class transcending human rights has always had more in common with Canadian cops carefully reading people their Miranda rights than reality- to quote the BBC:

British law already allows police to remotely access computers under the Regulation of Investigatory Powers Act 2000, which allows surveillance to "prevent or detect serious crime".

A spokesman for the Association of Chief Police Officers (Acpo) told The Times newspaper that police were already carrying out a small number of these operations among the 194 clandestine searches last year of people's homes, offices, and hotel rooms.

Notice the invisible elephant? Sanchez did, and structured his response to highlight an assumed need for physical intrusion to plant key loggers - an explanation with lots of support from members of the Wintel community, but no basis in anything either the EU, or the British government, have said about this.

On the contrary, what the EU council actually announced was a 300,000 Euro contract to extend the concept of police street patrols to police "information highway" patrols, through the implementation of a google-like, network crawler based, police website secretly indexing the contents of home computers.

The announcement doesn't identify the "private sector" vendor they've selected for this, but such a crawler would have to be both very fast and very hard to detect -and because this is an implementation, not a pilot - my guess (as a good paranoid redneck with unrepented Republican tendencies) is that this can really only be Microsoft or an arms length organization with comparable access to Windows source.

Editorial standards