German Proposal Gives A New Perspective On 'Spyware'

from the big-brother-is-hacking-yo dept

Tue, Nov 27th 2007 5:10pm — Timothy Lee

A VoIP expert has unveiled new proof-of-concept software that allows an attacker to monitor other peoples' VoIP calls and record them for later review. Unencrypted VoIP really isn't very secure; if you have access to the raw network traffic of a call, it's not too hard to reconstruct the audio. Encrypted traffic is another story. German officials have discovered that when suspects use Skype's encryption feature, they aren't able to decode calls even if they have a court order authorizing them to do so. Some law enforcement officials in Germany apparently want to deal with this problem by having courts give them permission to surreptitiously install spying software on the target's computer. To his credit, Joerg Ziercke, president of Germany's Federal Police Office, says that he's not asking Skype to put back doors in its software. But the proposal still raises some serious question. Once the installation of spyware becomes a standard surveillance method, law enforcement will have a vested interest in making sure that operating systems and VoIP applications have vulnerabilities they can exploit. There will inevitably be pressure on Microsoft, Skype, and other software vendors to provide the police with backdoors. And backdoors are problematic because they can be extremely difficult to limit to authorized individuals. It would be a disaster if the backdoor to a popular program like Skype were discovered by unauthorized individuals. A similar issue applies to anti-virus software. If anti-virus products detect and notify users when court-ordered spyware is found on a machine, it could obviously disrupt investigations and tip off suspects. On the other hand, if antivirus software ignores "official" spyware, then spyware vendors will start trying to camouflage their software as government-installed software to avoid detection. Ultimately, there may be no way for anti-spyware products to turn a blind eye to government-approved spyware without undermining the effectiveness of their products.

Hence, I'm skeptical of the idea of government-mandated spyware, although I don't think it should be ruled out entirely. That may sound like grim news for law enforcement, which does have a legitimate need to eavesdrop on crime suspects. But it's important to keep in mind that law enforcement officials do have other tools at their disposal. If they're not able to install software surveillance tools, it's always possible to do it the old-fashioned way--in hardware. Law enforcement agencies can always sneak into a suspect's home (with a court order, of course) and install bugging devices. That tried and true method works regardless of the communications technology being used.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: germany, skype, spyware, voip, wiretapping

8 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

TSO, 27 Nov 2007 @ 5:57pm

Such a business opportunity for Russian antivirus vendors! I bet their products will happily detect US govt spyware!
[ link to this | view in chronology ]
Evil Mike, 27 Nov 2007 @ 6:28pm

I believe the German police are not talking about Spyware in the "traditional" sense--more than likely it'll be some bit of hacked together code that exists only to appear innocuous and also, well, spy.

Wait, I guess that would by spyware, nevermind then.
[ link to this | view in chronology ]
Anonymous Coward, 27 Nov 2007 @ 7:26pm

Like I've always said; If you send it out over the Internet you are making it public domain. Don't want people to see/know something? Don't put it on your computer.

If I were planning some sort of illegal activity I sure as hell wouldn't be doing it on my computer and I certainly wouldn't be sending the details over the net, via VOIP or any other method. If you're stupid enough to do that you deserve to get caught!
[ link to this | view in chronology ]
- Rocket, 27 Nov 2007 @ 8:35pm
  
  Re:
  I don't think that the government is gonna be catching Osama or any other threats to the nation by monitoring this way. If those people haven't been caught, something tells me they won't found through internet messages or calls.
  [ link to this | view in chronology ]
Anonymous Coward, 28 Nov 2007 @ 3:28am

You're sure right that they're not going to catch Osama.

It's even very naive to think that all this terror madness is really about terrorism. Up until now all antiterror laws have been used to attack peaceful demonstrations, different political standings, and cultural difference.

If you google it, you'll see which people and acts have been targeted by antiterror laws.

Thinks like poverty climate change have caused 10000 times more deaths than terrorism. So did antiterror wars. Spent antiterror money on people and you'll eliminate terrorism.
[ link to this | view in chronology ]
David M, 28 Nov 2007 @ 5:18am

What happens if I use NetBSD?
Why do some people insist a suspects gets what they deserver with the side effects of an investigation or with arresting when that person is harmed? It is as if a person that is accused is already guilty and any thing that happens to them is fair game, even if the situation is worse then the appropriate sentencing under law.

If a person is already guilt then why investigate them? Why bother going to trail even? While we are at it, cops should just shoot to kill any one they think is out of line. That will lower the crime rate.

We have due process for good reasons, and many people in the general public need to pick up a high school law book. And while we are at it, so should most of the police force. You can not be the home of the brave and free, if we have to coward at the hands of our masters in order to prevent being a victim.

(pardon, I started nodding off as I write this, my engilish mite be a bit a ruff)
[ link to this | view in chronology ]
4-80-sicks, 28 Nov 2007 @ 7:05am

I'm glad the "old-fashioned" method was mentioned. It must be understood by law enforcement (as well as government, corporations, individuals, well, everybody) that just because technology makes something possible does not give permission to take that action. "Bugging" is an accepted tactic. A microphone can't do anything but hear what's in the room. So where is the line between monitoring Skype calls and monitoring everything else when a computer is involved? There is none. Software monitoring a Skype call is likely capable of monitoring all traffic. Law enforcement may say "oh but we wouldn't use it for that," but that goes out the window the first time they think it could be useful.
[ link to this | view in chronology ]
Lawrence D'Oliveiro, 28 Nov 2007 @ 7:16pm

Heh
Why should the Government need to "encourage" vendors/developers to leave security holes in their software? They seem quite capable of doing that on their own. :)
[ link to this | view in chronology ]