State-Sponsored Spyware

By: chrisc on 13 September 2007
Posted in Surveillance

In the past two weeks, there have been two reports of pending legislation authorizing law enforcement officials to install spyware directly onto target computers. In Germany, news outlets recently obtained details of a proposal being considered by the legislature to authorize law enforcement authorities to "plant spyware on suspects' hard drives through e-mail messages appearing to stem from official sources." In Mumbai, India, police appear to be considering requiring that all cybercafes "install programs that will capture every key stroke [and] at regular interval screen shots, which will be sent back to a server that will log all the data."

Though both proposed laws concern "client-side surveillance," they are otherwise very different. In Mumbai, police seek to install commercial software to monitor the Internet use of any cybercafe visitor, not merely suspected criminals or terrorists. For those Internet users who rely on cybercafes for (high-speed) access - as an uncertain number do; one source states that 39% of Indian Internet users primarily use cybercafes, while another states that only 1.4% of Internet users in India exclusively use cybercafes. - the proposed law amounts to full surveillance of all online activity, including financial and other private data as well as communications. One blogger has already labeled the proposed program "Orwellian" and discusses the risk of police misuse of information so obtained; even absent actual abuse or misuse of information, the simple knowledge that all activity in cybercafes is being monitored may limit the appeal of such cafes as points of access to sensitive information for poorer residents.

In Germany, the situation is different. The proposed legislation emerged as a response to a court ruling earlier this year prohibiting police from using spyware to monitor personal computer usage. The Court's prohibition turned on the absence of legislation authorizing such surveillance, authorization that the proposed law would provide. Further, the draft law would require judicial approval of any such surveillance and limit surveillance to specific targets.

The German legislation, if passed, is likely to be challenged on constitutional grounds, but at present the more pressing questions are technical: how would the police deliver the Trojan programs to a suspected terrorist's computer? Even less sophisticated computer users generally avoid clicking on attachments from unrequested emails, which is the delivery mechanism described in the draft legislation - although one can easily imagine other methods of delivery, the simplest and likely most reliable being obtaining physical access to the computer and manually installing the software.

Virus protection has been suggested as another threat to police spyware; although anti-malware programs often rely on "signatures" of viruses, which are less likely to be identified for carefully deployed trojans, such programs could also identify government spyware through other mechanisms. Would computer security companies comply with a government request not to identify and remove government spyware? A recent survey of major anti-malware firms shows that such firms generally have policies in place to detect spyware of any sort, although the firms would comply with a legitimate court order. (Open source anti-malware programs may not even be susceptible to court orders.)

Governments have a legitimate reason to want to install spyware directly on a computer, as doing so is the only reliable method of obtaining the content of communications that are encrypted in transit. The challenges of doing so in a responsible fashion that respects civil liberties are considerable, however. Mumbai's proposal appears to cross that line, recording financial and personal details of all cybercafe users without court oversight. Germany's proposed law raises fewer (though still many) concerns about civil liberites, but leaves as an open question whether the government can effectively deploy and use such tools without creating security holes that could be exploited by the very terrorists the program is designed to identify and monitor.