German Court Decision Re-ignites Online Surveillance Debate

The possibility of American intelligence and law enforcement services using what is effectively malware to spy on potential suspects has been looming over US citizens since before 9/11. What has mainly prevented such an environment from ever coming to fruition, quite ironically, seems to be these services’ inability to muster the technical know-how to engineer an effective exploit.
In late 2001, just months after the terrorist attacks on US soil, the FBI indicated its willingness to deploy a kind of decryption program that came to be known as “Magic Lantern.” Exactly what form that program took was unclear, but press sources – perhaps overly agitated by catastrophic events just weeks earlier – were quick to declare the program a type of Trojan horse.
Immediately, Internet users were speculating about the possibility that US law enforcement was conducting clandestine surveillance. If it was, how come anti-virus programs weren’t detecting this Trojan? Was it because it didn’t exist, or perhaps were security companies cooperating with government officials?
Sophos was among the first security companies to start debunking and deflating the rumors. The dangers of government surveillance using real malware exploits, the company stated, included the fact that malicious users could easily reverse-engineer these Trojan horses, once discovered, and commandeer these exploits knowing that the manufacturer of the exploited software may be less inclined to patch the hole while legitimate agents were busy using it themselves.
“There's no reason why organisations targeted by Magic Lantern could not write a variant of the e-bug for their own use,” Sophos’ senior technology consultant Graham Cluley wrote at the time. “Before we know it, we’ll all be spied on by every Tom, Dick and Harry - the FBI could even become a victim of its own code!”
BetaNews asked Cluley today what Sophos’ stand would be if the German government truly did launch the type of program that opposition lawmakers speculate could be in the works: one in which certain exploits are “whitelisted” for exclusive use by law enforcement officials, and security firms are asked to leave those exploits alone so that anti-virus software does not eradicate them.
“If legitimate computer crime authorities did begin to exploit vulnerabilities or write ‘spyware’ to observe the actions of criminals, then there is no way we would deliberately not detect such things,” Cluley told BetaNews. “The reason is simple: If a customer believes they are being monitored or have been hacked then they will send us the suspicious files. They probably won't know if it’s a legitimate computer cop snooping on them or a malicious hacker...and neither would we. After all, the computer cops are unlikely to put ‘Copyright (c) FBI Surveillance Division’ inside their code, are they?
“And even if we did identify it as known ‘copware,’” he continued, “what’s to say that it’s not code that has been purloined by a criminal for their own nefarious purposes? So, we have to add detection of it either as malware or a potentially unwanted application. And this is before we even begin to look into the issue where police in country X have written malware, and country Y asks us to defend against it. Are we supposed to take sides?”
In the seemingly unrelated debate over copyright protection, pirate sites have opted to set up shop in relatively lawless countries – even on disused offshore oil rigs – in order to circumvent international copyright laws. Where law enforcement is strengthened, those compelled to observe the law simply move elsewhere.
In the case of online surveillance, a similar, if not reverse, dynamic may apply: Where laws protect individual rights over states’ interests, the intelligence activities for those states could simply move their operations elsewhere – call it “outsourcing,” to a territory where rights are interpreted differently. Thus a certain measure will be debated fiercely in the German parliament this year that, if passed, could build that country into a veritable global supermarket of outsourced intelligence activity.