Should Police Hack?

Opinion: At some level, it's reasonable for police to monitor computers if they have proper authorization. But it's hard to see how they could do it the right way.

We know from court decisions in the last few years in Virginia and California that its OK for third parties (anywhere in the world) to hack into your computer to hunt for kiddie porn. The police encourage them and the courts look the other way. But what about the police?

A recent F-Secure blog by the inquisitive Mikko Hypponen explores the question of whether police should hack into suspects computers. He starts by citing recent surveys in Europe that show a deep antipathy to the idea, although he also implies that the opposition is less fierce if police get a proper warrant.

I take that as a given: Of course the police shouldnt be hacking into peoples computers without a warrant. But what about with a warrant?

/zimages/3/28571.gifThe Mac has a reputation as hack-proof, but things may be changing. Click here to read more.

I see two broad hacking issues here, roughly analogous to non-computer issues. First, there is just an intrusion, an attempt to determine what is on the computer. This may be a matter of monitoring communications or an attempt to read local files. The other issue is the installation of monitoring software—a keylogger, for example—on the suspects computer.

I see these as analogous to searching a house on the one hand and tapping a phone line, or bugging a house, on the other. None of the computer intrusions are any more offensive to the suspects rights than the physical searching and monitoring. Yet those actions clearly can be performed with a proper warrant. By the same process, police may seize incriminating evidence in such a search. So in that sense I dont see why police shouldnt hack.

This puts me to the right of the German courts, which in February banned the police from performing such actions because of the lack of a legal framework. This raises the possibility of such a framework being established.

I asked attorney Joshua Dratel about the legal issues surrounding it. He said he is unaware of any legal standards governing the issues involved, a situation similar to Germanys.

"There is no statute, and the case law is minimal and rather unsophisticated in analysis. There is ample treatment of computer searches and protocols in the U.S. Attorneys manual and related manuals, but those publications, to my knowledge, do not cover much of the subject [of hacking into computers]," Dratel said.

Personally, I would bet that law enforcement in the United States is not anxious to establish legal standards, lest they be constrained by them. Once again, as Dratel puts it: "Back in the 1960s when the special and heightened intrusions attendant to telephone wiretapping [around for decades, but not addressed frontally] were finally addressed by Congress, Title III was enacted. It set a higher floor than the Fourth Amendment [which still acts as the constitutional floor], and established particular rules and requirements for eavesdropping warrants [i.e., minimization—that efforts would be made not to record or monitor non-pertinent conversations], and still applies today. Perhaps the same type of comprehensive approach is needed in the police hacking field as well."

I have two real problems with police hacking: One is that its too easy for them to cause ancillary damage to the computer, making it unstable. The introduction of what is essentially malware may also make the system vulnerable to attack by third parties. The second is that it puts them in an excellent position to fabricate evidence.

The second concern can be mitigated by the establishment of procedures and standards of the sort mentioned by Dratel. This problem is at least as true of the vigilante hackers I mentioned up top, but of course this concern finds no sympathy in the courts.

The damage problem is harder to address. Its one thing to install (and remove) a microphone hidden in a house. Its another to install a keylogger or trojan horse that the user wont detect. In all likelihood the police would have to use a rootkit to try to evade detection. Down the slippery slope we slide.

I have to figure a large percentage of police malware and hacking would be detected by criminals, and that wouldnt do the authorities any good. This leaves them with the less elegant solution of seizing the computer and performing forensics on it, but at least everything can be saved in such cases. Its more likely to be practical considerations that keep the police out of hacking than legal ones, and perhaps thats just as well.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers blog Cheap Hack

More from Larry Seltzer