Governmental spyware

by Ragnar Schierholz

In Germany there's currently much fuss about the use of spyware by agencies in anti-terrorism investigations. Satirically, that has been covered here already. A recent article in the journal "Computer Fraud & Security" looks at the same issue in a less satirical way. Using the example of a case in which a teenager was convicted based on evidence collected via spyware by the FBI, the author points explicitly at the hypocrisy between the government's fight against cybercriminals and their tools on one side and the government's use of those same tools on the other.

Now back to Germany, where the recently passed legislation often referred to as the "hacker paragraph" actually criminalizes the mere possession of such tools. Defenders of this legislation have argued that it would, of course, never be used against users with legitimate intentions. Who would have the authority to decide what legitimate intentions are remains unclear. However, several interviewees have stated that no attorney general or judge would investigate or rule against legitimate intentions.

But: what if someone sued the agency (or whoever uses such tools)? Wouldn't the attorney general be obliged to investigate? And if investigations aren't corrupted (which would be a crime itself, afaik) but show the possession and/or use of such criminal tools, wouldn't the judge then have to rule against even legitimate intentions, since the law does not allow for exemptions?

I'm not an expert on legal matters, but maybe someone among the readers is more proficient and can shed some light?

Comments

This isn't the only legal oddity surrounding the German government's attempt at legalising the use of spyware for police investigations.

A major legal loophole is that the spyware - of course - modifies the target's computer. In other words, it tampers with the suspect's computer. Tampering with the scene of the crime is a major violation of any forensic investigation - and the same is true for computer forensics.

In court, the suspect's lawyer will most likely be able to reject any evidence collected through spyware, since spyware allows investigators to manufacture fake evidence.

Hanno Zulla, 2007-08-30

Hanno, you are right. This covers the effectiveness of the spyware. If the evidence collected can't be used in trials, it's useless. I was looking more to the "hacker paragraph" side of it. Is the argument that no attorney general or judge would investigate or rule against a "legitimate user" sound? I have my doubts that this is really legal. Otherwise anyone with enough influence could legally escape investigation/trial. Wait, that's already... Oh well.

Ragnar Schierholz, 2007-08-30

Also, I'd like to translate this because of its classic rhetoric "it's only bad when it's not us doing it":

"The Remote Forensic Software we are talking about is not 'spyware', but a technical means to collect data" - German Federal Ministry of the Interior

(Note: The RFS _is_ a trojan which is controlled by investigators, as described by their own experts. The German BKA also claims that they will only search those areas of the target computer that do not contain "private" files and will oblige to search warrants issued by judges overseeing the investigators' actions.)

"If Chinese attackers spied on computers of the German government, it's dangerous even if they had no access to secret data. 'You can find out a lot about your target - appointments, responsibilities, who works on what - that's the first step of classical espionage' said [Director of the NRW Office for the Protection of the Constitution] Möller"

(Note: There have been reports about spyware that was found on German government computers. German news made a big fuss that those trojans were "from China", however, it appears to be no Chinese attack but just your average run-of-the-mill Windows spyware installed via hacked servers located in China.)

Hanno Zulla, 2007-08-30

Ok, back to your original question :-)

Your question is whether possession of these software tools is illegal, even for government or police. No, it's not - you can legally own, develop and use hacker tools if you don't have criminal intentions.

The problem is of course who defines criminal intentions. After all, any software can be used for evil if you have criminal intentions.

The "hacker paragraph" is a result of a fight between lawyers and IT experts within the government. The lawyers won and now we have legislation so fuzzy, it isn't even funny.

The software installed on 1/3 of my company's computers is now illegal - or not - solely based on the assumptions of investigators or prosecutors about my employees' intentions.

And most legal practitioners will need a long lesson to understand the meaning of full disclosure for IT security.

Hanno Zulla, 2007-08-30

@Hanno:
Note: The RFS _is_ a trojan which is controlled by investigators, as described by their own experts. The German BKA also claims that they will only search those areas of the target computer that do not contain "private" files and will oblige to search warrants issued by judges overseeing the investigators' actions.

I've read the same and I am still wondering: who will actually believe that shit? Sorry to use such dirty language, but anything else is inadequate. I do not believe that the BKA can distinguish between "private" files and files that are important in case of terror suspects, because there is no difference. Where else would you search but in private files?

Moritz Petersen, 2007-08-30

@Hanno: You can legally own, develop and use hacker tools if you don't have criminal intentions
So far, my understanding of the discussion was that exactly this is not addressed in the text of the legislation. My understanding was there is no exemption, but defenders have pointed out that the legislation will only be applied to criminal intentions. This would be a major difference; legislation must be applied to anyone, at least in something that we'd call a "Rechtsstaat" (constitutional state, free government under the law?).

Again @Hanno:
I think there is a slight translation hiccup. The restriction on surveillance and wire taps is on "private Lebensführung" which is not exactly "private files". Of course, the suspect would consider files containing plots of crime as "private" (in the sense of confidential). However, in this case they wouldn't qualify as "private Lebensführung" since it actually is of public interest. However, surveillance must be stopped when the suspect turns to activities obviously not related to the crime under investigation as documented in the court order. E.g. imagine a female suspect and a male surveillant. If the suspect undresses to take a shower, in my understanding, it would be illegal for the surveillant to keep watching unless he could reasonably expect an action related to the crime. However he could continue listening, since that does not invade the suspect's privacy (but he would have to stop that as well if an intimate conversation began). Of course, the enforcement of this is difficult, but at least it could lead to voiding of collected evidence.

Ragnar Schierholz, 2007-08-30

@Moritz: IT experts don't believe that shit.

But IT experts just read blogs, IT newstickers and nerd forums where everybody is happy to agree with each other, but nobody of "us" goes out there and talks with the rest of the crowd. We are a rather silent minority in the public discussion of these issues.

Therefore, I suggest that IT experts should join the public discussion.

Maybe it's time the nerds do to politics what the ecology crowd did by founding the Green Party. Ecology issues used to be seen as anti-establishment hippie stuff, now it's mainstream.

Hanno Zulla, 2007-08-30

Interesting and tempting thought, Hanno. Now let's figure out a common overall goal suitable for attracting supporters. The ecological movement had the "saving the environment we all live in" idea. What's it that the IT nerds lobby could bring to the common good of society?

- General understanding of IT which is so ubiquitous in our lives already but little understood by the common people?
- Working economical incentives for the involved business to develop and maintain products responsibly?

Ragnar Schierholz, 2007-08-30

Now let's figure out a common overall goal suitable for attracting supporters.

You're right, that's a lot tougher than for ecology.

I'll give it a try: Privacy is a good thing.

(Or, to answer the CDU, which claims otherwise in its new party platform: data protection does not protect offenders, it protects citizens.)

Computers and digital documents are part of every citizen's everyday life now. Therefore, privacy in the digital realm is a good thing and needs to be protected against misuse by mass data analysis.

(Yes, we do have laws for data protection. However, penalties are so low and irrelevant that there is no actual incentive for government or corporations to avoid abuse of private data.)

Hanno Zulla, 2007-08-30

I'd opt for: "Your Privacy in the World you're going to live in tomorrow" (And in German if possible, otherwise nobody will get it ;). However, privacy in itself is a nerd topic so even with the ever increasing number of people using the internet as part of their daily life it's still a "non issue". In some discussions I had with online users the general consent is that "if that's going to fight terrorism it's ok. There's nothing on *my* computer to worry about so everybody can see everything I have on it." As shocking as this may sound, that's the feedback I got and the current "online reality".

Stefan Rubner, 2007-08-30

Stefan, I think this is exactly Hanno's point. This was the case about ecology back in the years when the ecology movement was so hippie and anti-establishment. And the foundation of the Green Party (among other things) helped to transform the society's view on this. And if you're just telling how shocking this may sound, isn't this exactly what Hanno (over at his own blog) means when he says that we as techy nerds should leave our own box and start to realize that we can actually change something if we can manage to address the rest of society in a way that they understand?

Ragnar Schierholz, 2007-08-30

@Ragnar
"Intentions" (criminal and otherwise) always have been an integrated part of German legislation. If you have no criminal intentions you can't be sentenced for murder (but manslaughter) or damage of property (Sachbeschaedigung) (but you would still be liable to compensate the damage).
What is irking is that "Intentions" are much blurrier than actions or evidence.
The whole thing looks like "Eulen und Meerkatzen".
:-) stw

Stephan H. Wissel, 2007-08-30

Ragnar, while I agree with your and Hanno's notion there's one major difference between a "Nerd Party" now and the Green Party back then. For the Green Party the time was ripe because there were some major environmental accidents right at that time - or should I say "at the right time"? That's when people will wake up but unfortunately no sooner I fear. Anyway, I didn't have time to check out Hanno's site thoroughly but in essence what he suggests is what I'm already doing, albeit in a different environment with a different audience - or target group, depending on the point of view. I'm just pointing out the problem we - as nerds - are facing but I'm not saying trying to educate either politicians or users is futile.

Stefan Rubner, 2007-08-30

Stephan, but what about e.g. owning drugs? There is no check done on intentions, but just owning e.g. heroin would be considered illegal, right? And again, I am not an expert on legal matters, but my understanding so far was that already the possession of hacker tools is now illegal. Just as owning certain drugs is.

Ragnar Schierholz, 2007-08-30

there were some major environmental accidents right at that time

We are having some privacy accidents every now and then already these days and the non-nerds are beginning to notice.

Identity theft, fraud, sale of private data between corporations - these things are happening to more and more "normal people". People are beginning to realize what a data shadow is.

Of course, I don't want to wait for a major privacy accident to happen. But all these minor accidents are piling up in the meantime and people will realize that yes, they do have something to hide and their privacy is something that is valuable in a society and should be protected.

Hanno Zulla, 2007-08-30

Read http://blog.fefe.de (in German) and you don't have any more questions.

Richard Kaufmann, 2007-08-30

Ragnar, I do own drugs. In fact a lot of them. I actually consume them. But as long as it's alcohol and nicotine it's quite legal - notwithstanding the fact that these are drugs. It's quite similar with the so-called hacker tools. Some may be legal some may not and thanks to the very unspecific clause in the law nobody really knows where the border is to be drawn. Having said that I don't believe that this is a situation to be taken lightly or even tolerated and I'm fully in line with your arguments. So please don't try to convince the already convinced ;)

Hanno, you're both right and wrong. You're right, there are a lot of (minor) incidents already. Minor in the sense that they are far away enough for the general citizen to still feel safe and maybe inwardly even smile about those stupid folks who fell victim to credit card fraud or identity theft. And that's where you're wrong. The great lot of people weren't affected until now, there was no "global scale" incident - not even one that would have made the news on a global scale. And as long as it's not important enough for the entertainment industry we so conveniently call "the news" today to report about in a massive way you - in my opinion - won't reach the "critical mass" of people. Which, again, doesn't mean we should stop to make people aware of the problem(s).

Stefan Rubner, 2007-08-30

Hanno, Ragnar: I guess you've already seen this. If not, go reading.

Stefan Rubner, 2007-08-31

@Stefan Rubner

I think we already had a major privacy disaster, it's called "Vorratsdatenspeicherung".

Imagine you have to wear a name-badge openly visible all the time. You go to a newspaperstand and the clerk there dutifully jots down notes: "Mr. R. came in and took a FAZ and a SPIEGEL (=newspapers). He then stared for a minute at the topshelf-tit-magazines and browsed two of them. He then paid for the FAZ and SPIEGEL and left." Outside, a friendly "Kontaktbereichsbeamter" (=police officer) notes: "Mr. R. left the newspaperstand and strolled towards the bus station. He stood with a group of men, consisting of Mr. T., Mrs. B., Mr. M (strongly under suspicion of jihadist intentions) and Mr. G (a convicted child molester). It is possible, but cannot be said for sure whether communications ensued."
Busdriver: "Mr. R entered the bus at 11:43 in Platenstraße, took a seat beside Mrs. K. and left the bus five minutes later at Norddamm. He then proceeded to the office of the urologist Mr. B. and went in."

For people living online, this world is real. Do you think others would be as uninterested if they were aware that this already happens? It's up to us to bring it to their attention. If people still don't care, well, tough luck.

Stefan Keidel, 2007-08-31

@Stefan Rubner

I guess you've already seen this

Yes. That news item only adds to the confusion. We get totally conflicting information from those in charge regarding the new legislation, it is mind-boggling trying to follow.

Hanno Zulla, 2007-08-31

@Stefan Keidel:
You're barking up the wrong tree ;) It's not me you've got to convince or argue with. It's the vast majority of people who *don't* believe that "Vorratsdatenspeicherung" is a major privacy disaster you've got to talk to. As far as most of them are concerned, the virtual reality of the Internet is just that: a virtual reality. They completely fail to see how the Internet, "Vorratsdatenspeicherung" and all the other stuff Hanno so nicely mentions could possibly affect their real life because for them that's still two separate worlds.

To sum it up: it's completely irrelevant what you or I are thinking as long as "Joe Average User" doesn't see it the same way we do.

Stefan Rubner, 2007-08-31

@ Stefan Rubner

I guess you are right, sad but true.

I can actually understand that most people are quite indifferent towards the "Online-Durchsuchung", if not for the "secret" part it might seem just like a normal house search. Most of the problems are only visible for people with a technical background, and if you are not strongly interested in privacy, are considered minor ones. Actually I'm surprised that there is some opposition among politicians and the media (and I strongly suspect that this is just for the fact that it was planned without court oversight).

But the "Vorratsdatenspeicherung" is something different, for people might not care about a targeted house search, but get uneasy about the idea of an all around surveillance. At least the people I spoke to did, but then again, these haven't been "no-Techs" but "low-Techs" (email, surfing & iTunes) and therefore have a basic grasp on the future impacts.

I still hope and think people would care if they knew the implications, the DDR (=GDR) was demonized too much to accept broad surveillance so easily.

Stefan Keidel, 2007-08-31

A lawyer's answers to the original question.

Hanno Zulla, 2007-08-31
