Security Watch

Keeping Track of patches and hacks in the IT security world.

Cops Packing Spyware - Abuse of Power?

An interesting little situation has cropped up across the pond in the UK, where it became public news late last week that new legislation makes it permissible for law enforcement types to use spyware to look-in on the citizenry without first obtaining a court-ordered mandate to do so.

According to the BBC, the law was passed based on encouragement to adopt such practices across the governments of EU states.

Now, in a country where a state roughly the size of the entire U.K. - California - rose up to put a stop to a potential privacy exposure when someone merely suggested putting RFID tags on student IDs, one can't imagine that such a law would sneak into the books anytime soon (though, Patriot Act....). However, the maelstrom of controversy that has emerged in the U.K. over the new law is interesting food for thought for those of us over here States-side.

Let's consider the issue for a moment... what are the benefits?

So, conceivably if cops are allowed to legally use spyware to infiltrate the computers of suspected criminals, they could:

• Head off potential crimes or terrorist attacks sooner
• Solve crimes faster
• Better understand how criminals work together
• Unfold money laundering schemes
• Trace smaller crimes back to larger organizations
• Catch more cyber-criminals

And those are just a few things that immediately come to mind. There are likely a million more advantages that someone in law enforcement or intelligence could cook up, and far more complex angles at that.

And now, on the flip side, what are the risks?

• Assumption of guilt before proof
• Flagrant abuse
• Total loss of personal privacy!

I mean, hey, I want the government and police to catch as many baddies as possible, but putting spyware on the computer of a "suspected" criminal to gather info on "suspected" activities? There are terrifying implications across the board.

It would seem that police in this nation are finally coming up to speed with the use of technology in crime, and law enforcement, but one can only imagine what the abuses of such a powerful tool might be if not at least checked by the need for something like a search warrant. Again, I'm ignorant to anything but TV law enforcement, but is it really that hard to gain the court's permission to follow known criminals? Are there so few of those types to follow that we have time to peek in on just about anyone?

The UK law does require that the LEO using the spyware must have some established grounds for doing so, but, with the number of cases we see dismissed each year in the U.S. based on unlawful search and seizure, etc., could we really expect any strict adherence to any related guidelines? I'm not sure that we could expect cops to do anything less than use the ability to load spyware to whatever extent possible, because they're really just trying to do their jobs 99 percent of the time, I'm sure, and they have to make the most of the tools that we give them.

But, the mind boggles at the potential for misuse, and, as pointed out in the U.K. online trade pub TechRadar, privileged insiders have already used the U.K.'s national Police computer to do things like spy on estranged lovers, pass out classified information to newspapers and stalk people who don't clean up after their pets.

According to a story in the Times Online, UK police have already been using spyware for a while under the guise of something called "remote monitoring," without major incident, but now that the cat is out of the bag you have to wonder if the practice will survive.

Shami Chakrabarti, director of the European human rights group Liberty, told the newspaper that she would challenge the legal basis of the move.

"These are very intrusive powers - as intrusive as someone busting down your door and coming into your home," she said. "The public will want this to be controlled by new legislation and judicial authorization... Without those safeguards it's a devastating blow to any notion of personal privacy."

From a more technical standpoint, popular UK-based security blogger Graham Cluley of Sophos said:

"There is no doubt that high-tech criminals are able to use sophisticated technology such as encryption to help them commit their offenses, and that this does bring enormous challenges to investigators which may make the use of spyware and keylogging devices attractive. However, that doesn't mean that there shouldn't be strict guidelines and independent approval before this kind of police surveillance can take place. Law enforcement agencies should be forced to seek approval from a court, who would have to be convinced that there were sufficient reasons to surreptitiously break into a computer belonging to a member of the public."

See, now that sounds a lot more reasonable to my ears.

Cluley also said, quite interestingly, that Sophos would actively seek out and ID any police-bred spyware programs that it sees on its customers' machines, or in the wild. Now there's a new angle on responsible disclosure! But I'm with him, if it is spyware, it's spyware, pure and simple.

Like I said, I don't expect that we'll see any law approaching what the UK has apparently passed being adopted anytime soon in the U.S. We're seemingly much more vigilant about maintaining privacy here (see the massive number of CCTV cameras already watching every inch of London vs New York), and the ACLU and every other privacy rights group in the nation would be up in arms, without question.

We should all support whatever regulations we can that will help law enforcers go about doing their jobs, especially in the challenging world of IT.

But you have to draw the line somewhere.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].