German police will get sweeping new powers to hack into people's home computers with 'Trojan' viruses sent through the internet.
Under a compromise between the hardline Interior Minister Wolfgang Schaeuble and dissenting MPs, Germany's Parliament is to put unprecedented power in the hands of the Federal Criminal Police (BKA). Under the compromise, the police will need a judge's approval before using the Trojans, even in an emergency.
Trojans will carry Remote Forensic Software that can search hard drives and send evidence back to investigators without their having to enter the suspect's home.
Rolf Tophoven from the Institute for Terrorism Research and Security Policy said: "We need this. The masterminds among the terrorist groups of today are highly qualified, very sophisticated people. The police need as much power as we can give them so that they can remain at the technological level of the terrorists. After all, the terrorists already have a huge advantage: they have the first shot."
In practical terms there are many potential drawbacks to this Trojan approach.
For starters, infecting the PC of a target of an investigation is hit and miss. Malware is not a precision weapon, and that raises the possibility that samples of the malware might fall into the hands of cybercrooks.
Even if a target does get infected there's a good chance any security software they've installed will detect the malware. Any security vendor who agreed to turn a blind eye to state-sanctioned Trojans would risk compromising their reputation, as amply illustrated by the Magic Lantern controversy in the US a few years back.
Serious transition to a police state where your computer can be remotely searched
Note that the UK Government have been busy increasing the maximum penalties for minor crimes, presumably so that they nominally become serious crimes. For example, the Obscene Publications Act has been bumped up to 5 years so that publishing a couple of fisting pictures on a website would enable the police to remotely search your computer.
It doesn't sound very easy for government snoops to get people to click on email attachments, but the state could easily trick people into installing software, e.g. in the snazzy PDF forms that you have to download and run to do online tax returns.
The UK Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.
The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives a coach and horses through privacy laws.
The hacking is known as "remote searching". It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.
Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.
Under the Brussels edict, police across the EU have been given the green light to expand the implementation of a rarely used power involving warrantless intrusive surveillance of private property. The strategy will allow French, German and other EU forces to ask British officers to hack into someone’s UK computer and pass over any material gleaned.
A remote search can be granted if a senior officer says he believes that it is proportionate and necessary to prevent or detect serious crime — defined as any offence attracting a jail sentence of more than three years.
However, opposition MPs and civil liberties groups say that the broadening of such intrusive surveillance powers should be regulated by a new act of parliament and court warrants. They point out that in contrast to the legal safeguards for searching a suspect’s home, police undertaking a remote search do not need to apply to a magistrates’ court for a warrant.
Shami Chakrabarti, director of Liberty, the human rights group, said she would challenge the legal basis of the move. "These are very intrusive powers – as intrusive as someone busting down your door and coming into your home," she
Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state. He said the authorities could break into a suspect’s home or office and insert a key-logging device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes. "It’s just like putting a secret camera in someone’s living room," he said.
Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or "malware". If the attachment was opened, the remote search facility would be covertly activated.
Alternatively, police could park outside a suspect’s home and hack into his or her hard drive using the wireless network.
The Association of Chief Police Officers (Acpo) said such intrusive surveillance was closely regulated under the Regulation of Investigatory Powers Act. A spokesman said police were already carrying out a small number of these operations which were among 194 clandestine searches last year of people’s homes, offices and hotel bedrooms.
Dominic Grieve, the shadow home secretary, agreed that the development may benefit law enforcement. But he added: "The exercise of such intrusive powers raises serious privacy issues. The government must explain how they would work in practice and what safeguards will be in place to prevent abuse."
The Home Office said it was working with other EU states to develop details of the proposals.
The Home Office has denied it has made any change to rules governing how police can remotely snoop on people's computers.
Any such remote hack - which normally requires physical access to a computer or network or the use of a key-logging virus - is governed by Ripa - and the rules have not changed.
But European discussions on giving police more access are underway - we reported on the meeting of ministers in October. But despite this Sunday Times story, no change has yet been made. The paper claimed the Home Office "has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers".
A spokesman for the Home Office told the Reg that UK police can already snoop - but these activities are governed by the Regulation of Investigatory Powers Act and the Surveillance Commissioner. He said changes had been proposed at the last Interior Ministers' meeting, but nothing has happened since.
The German Interior Ministry explained at the time that almost all partner countries have or intend to have in the near future national laws allowing access to computer hard drives and other data storage devices located on their territory.
But the Germans noted the legal basis of transnational searches is not in place and ministers were looking for ways to rectify this.
Police in New South Wales may be given authority to search homes and hack into people's computers for as long as three years without their knowledge.
The Australian government has already enacted similar practices, though its Supreme Court ruled such searches illegal in 2006.
New legislation to expand investigative powers was introduced last week in the Australian Parliament by Minister Nathan Rees. The measures allow police to apply for covert search warrants in order to gather evidence in what are deemed as serious crimes, according to ZDNet.
The laws allow for the search of computers and computer networks related to the site of a search. Rees said police will be allowed remote access to computers for five days up to a total of 28 days, with possible extended periods beyond that time, depending on an investigation.
Critics are calling the legislation much too broad, but law enforcement insists secrecy will keep criminals in the dark.
Police Minister Tony Kelly explained each application must go before a Supreme Court judge, who would initially OK secret investigations for as long as six months, but police could apply for delays as long as 18 months and even three years, pending the nature of the case.
Australian Council for Civil Liberties president Terry O'Gorman is among those opposing the law, reports ABC.net: "Clearly, if the police are able to search a person's home without anyone being present, the police will be in the position to plant evidence. That's a big worry. This particular announcement extends police powers hugely without putting in any checks and balances against those powers being abused."
The laws will apply to offences punishable by at least seven years in jail, including statutes applying to homicide, kidnapping, assault, drugs, firearms, money laundering, hacking, organized theft and corruption.
Germany's Pirate Party and the Free Democratic Party have declared that they believe the use of state spyware to track criminals was unconstitutional.
According to hackers from the Chaos Computer Club, who hacked the police viruses last weekend, the so-called state-trojans can be used not only for surveillance but also to completely control computers remotely. The German constitutional court has previously declared this unconstitutional.
German Interior Minister Hans-Peter Friedrich has now advised the individual German states not to use the software in question.
Sebastian Nerz, chairman of the Pirate Party, who have campaigned for internet freedoms, said, "It is absolutely impossible to install a trojan that meets legal requirements." He added that because of the state trojans, a judge would never be able to tell whether evidence allegedly found on the computer of someone under surveillance had not been altered or fabricated later.
The FDP, junior coalition partner to Merkel's governing coalition, has also joined the growing political furor against police spyware. FDP legal spokesman Marco Buschmann told the Neue Osnabrücker Zeitung, "The newly uncovered state-trojan feeds substantial doubts that the use of spy software is possible under the German constitution."