Italy Proposes Astonishingly Sensible Rules To Regulate Government Hacking Using Trojans
from the benvenuto-al-registro-dei-captatori dept
As Techdirt has just reported, even though encryption is becoming more widespread, it's still not much of a problem for law enforcement agencies, despite some claims to the contrary. However, governments around the world are certainly not sitting back waiting for it to become an issue before acting. Many have already put in place legal frameworks that allow them to obtain information even when encryption is used, predominantly by hacking into a suspect's computer or mobile phone. In the US, this has been achieved with controversial changes to Rule 41; in the UK, the Snooper's Charter gives the government there almost unlimited powers to conduct what it coyly calls "equipment interference."
One of the main tools for carrying out surveillance in this way is the trojan -- code that is placed surreptitiously on a suspect's system to allow it to be monitored and controlled by the authorities in real time over the Internet. There are clearly huge risks and problems with this approach, something that a legislative proposal from the Civic and Innovators parliamentary group in Italy tries to address, as explained by Fabio Pietrosanti and Stefano Aterno on Boing Boing. The draft law is the result of nearly two years' work by a group of experts from many fields:
a former speaker of the Parliament, civil rights activists, law enforcement officers, computer forensics researchers, prosecutors, law professors, IT security experts, anti-mafia and anti-terrorism departments and politicians.
Perhaps that breadth explains why the ideas are really pretty good, for once. The underlying principle is that a government trojan is only allowed to operate in ways that have been explicitly authorized by an Italian judge's signed warrant. For example:
A Telephone Wiretapping Warrant is required to listen to a WhatsApp call.
A Remote Search and Seizure Warrant is required to acquire files on remote devices.
An Internet Wiretapping Warrant is required to record web browsing sessions.
The same kind of warrant that would be required for planting a physical audio surveillance bug is required to listen to the surrounding environment with the device’s microphone.
Those kinds of legal safeguards are welcome, but they are not enough on their own. Also needed are stringent technical controls that will limit the harm and risk of introducing government malware onto a system. The working group has addressed this too with a series of innovative requirements for trojan surveillance programs:
a. The source code must be deposited to a specific authority and it must be verifiable with a reproducible build process (like the Tor Project and Debian Linux are doing)
b. Every operation carried on by the trojan or through its use must be duly documented and logged in a tamper proof and verifiable way, using cryptographic time-stamping and digital signing, so that its results can be fairly contested by the defendant during the inter partes hearing [that is, with everyone involved present].
c. The trojan, once installed, shall not lower the security level of the device where it has been activated
d. Once the investigation has finished, the trojan must be uninstalled or, otherwise, detailed instruction on how to self-remove it must be provided.
e. Trojan production and uses must be traceable by establishing a National Trojan Registry with the fingerprint of each version of the software being produced and deployed.
f. The trojans must be certified, with a yearly renewal of the certification, to ensure compliance with the law and technical regulation issued by the ministry.
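Requirements (b) and (e), together with the warrant-scoping principle above, can be checked mechanically by an auditor or a defense expert. The following is an added example, not code from the article or the draft law: it assumes a hash-chained operation log in which an HMAC stands in for the digital signature and trusted time-stamp, and every field name, operation name and key is hypothetical.

```python
import hashlib, hmac, json

# Constructed sample values; every name, key and field below is hypothetical.
KEY = b"constructed-demo-key"            # HMAC key standing in for a signing key
BUILD_FP = hashlib.sha256(b"constructed build 1.0").hexdigest()
REGISTRY = {BUILD_FP}                    # fingerprints of registered builds (e)
WARRANT_SCOPE = {"telephone_wiretap"}    # operation types the warrant authorizes
GENESIS = "0" * 64

def _mac(body, prev):
    # Bind each record to its predecessor so edits and deletions break the chain.
    msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def append(log, op, ts, build):
    prev = log[-1]["mac"] if log else GENESIS
    body = {"op": op, "ts": ts, "build": build}
    log.append({**body, "prev": prev, "mac": _mac(body, prev)})

def audit(log):
    """Return (index, problem) findings; an empty list means the log verifies."""
    findings, prev, last_ts = [], GENESIS, None
    for i, e in enumerate(log):
        body = {"op": e["op"], "ts": e["ts"], "build": e["build"]}
        good = hmac.compare_digest(e["mac"], _mac(body, e["prev"]))
        if e["prev"] != prev or not good:
            findings.append((i, "chain or signature broken"))
        if e["build"] not in REGISTRY:
            findings.append((i, "build not in registry"))
        if e["op"] not in WARRANT_SCOPE:
            findings.append((i, "operation outside warrant"))
        if last_ts is not None and e["ts"] < last_ts:
            findings.append((i, "timestamp goes backwards"))
        prev, last_ts = e["mac"], e["ts"]
    return findings

def demo():
    log = []
    append(log, "telephone_wiretap", 1000, BUILD_FP)
    append(log, "telephone_wiretap", 1010, BUILD_FP)
    append(log, "remote_file_seizure", 1020, BUILD_FP)  # not covered by the warrant
    clean = audit(log)
    log[1]["ts"] = 900                                   # after-the-fact edit
    return clean, audit(log)

if __name__ == "__main__":
    print(demo())
```

A chain like this exposes edits and deletions in the middle of the log but not truncation of its tail, which is where an external time-stamping service adds value.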
It's a remarkable list of technical and operational requirements that are surely unique in their attempt to minimize the key dangers of implanting clandestine surveillance software. Of course, it would be better if the use of government malware were avoided completely, and other methods were adopted. But realistically, the police and intelligence agencies around the world will be pushing hard for legislation to allow them to infect people's computers and mobiles in this way, not least if encryption does become more of a problem.
Given that trojans will be used, whether we like it or not, far better to constrain them as much as possible through well-thought out rules such as those drawn up by the Italian parliamentary group. Let's hope their proposals are adopted without significant amendments by the Italian parliament so that they can be used as a template for similar laws in other jurisdictions.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: government hacking, hacking, italy, regulations, trojans
Reader Comments
enforcement ?
Problem is that "ink-on-paper" (rules/laws) does not constrain THEM in day to day reality.
They don't follow the rules now -- so fine tuning "the rules" achieves nothing.
We have overwhelming evidence in the U.S. that law enforcement routinely evades the 4th Amendment basics -- and the courts rarely punish them for it.
So what's your plan to "enforce" all these astonishingly wonderful new rules ?
[ link to this | view in chronology ]
Re: enforcement ?
Uh, you did notice that the article is about the Italian (see what I did there?) criminal justice system, eh?
[ link to this | view in chronology ]
Re: Re: enforcement ?
[ link to this | view in chronology ]
Re: Re: enforcement ?
[ link to this | view in chronology ]
Re: Re: Re: enforcement ?
The Italian legislature is extremely weak and have made for changing governments as often as others change underwear in the past...
[ link to this | view in chronology ]
Re: Re: Re: enforcement ?
...did you seriously just argue that because some people break laws, we shouldn't bother having any?
[ link to this | view in chronology ]
Re: Re: Re: Re: enforcement ?
[ link to this | view in chronology ]
Re: enforcement ?
This is a good start - reasonable rules. They should be praised and encouraged.
Now they have to be enforced. That's the next step.
The only way to make progress is to work at it.
[ link to this | view in chronology ]
Reverse Trojans
[ link to this | view in chronology ]
As a bonus, circumventing game DRM can then be claimed as a "NATIONAL SECURITY!!1!!1eleventy!1!!" issue.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
But I'll say this, it's the first time I've seen an ACTUAL attempt at trying to balance privacy and security, on the technological level, to the point of making me envious, considering the one-sided balance we have today
[ link to this | view in chronology ]
How are they installed?
Many of the things seen so far have used publicly unknown security flaws to install themselves. All I see here about installation is:
Hoarding vulnerabilities wouldn't violate that, because of the "once installed" loophole—but it would still make everyone in the world less secure. Do we know anything of Italy's plans?
[ link to this | view in chronology ]
Up until..
Suggesting "other methods" would be helpful. By definition, clandestine operations involve not letting the observed know what's happening, so you can't just go up and ask them for their data (and they'd just say no anyway.)
As written in your summary, this seems like the perfect response -- the ability for law enforcement to do their job but with the oversight in place to limit their ability to abuse the powers. As far as I've ever seen, that's basically exactly how the system should work.
Of course as always the devil's in the details so we'll see how things go as loopholes are discovered and whether Italy is willing to stand their ground if/when the US or EU decides to throw their weight around over some copyright claim or other.
But as the article title says, it's astonishingly sensible and if you have better options it's rather on you to suggest them. Leaving it to the imagination just makes it sound like "do nothing" is the only solution you'd be happy with and that's just not viable.
[ link to this | view in chronology ]
Re: Up until..
Off the top of my head, getting a warrant and requesting information from an ISP/e-mail host would be a good start.
[ link to this | view in chronology ]