Italy Proposes Astonishingly Sensible Rules To Regulate Government Hacking Using Trojans

from the benvenuto-al-registro-dei-captatori dept

As Techdirt has just reported, even though encryption is becoming more widespread, it's not still not much of a problem for law enforcement agencies, despite some claims to the contrary. However, governments around the world are certainly not sitting back waiting for it to become an issue before acting. Many have already put in place legal frameworks that allow them to obtain information even when encryption is used, predominantly by hacking into a suspect's computer or mobile phone. In the US, this has been achieved with controversial changes to Rule 41; in the UK, the Snooper's Charter gives the government there almost unlimited powers to conduct what it coyly calls "equipment interference."

One of the main tools for carrying out surveillance in this way is the trojan -- code that is placed surreptitiously on a suspect's system to allow it to be monitored and controlled by the authorities in real time over the Internet. There are clearly huge risks and problems with this approach, something that a legislative proposal from the Civic and Innovators parliamentary group in Italy tries to address, as explained by Fabio Pietrosanti and Stefano Aterno on Boing Boing. The draft law is the result of nearly two years' work by a group of experts from many fields:

a former speaker of the Parliament, civil rights activists, law enforcement officers, computer forensics researchers, prosecutors, law professors, IT security experts, anti-mafia and anti-terrorism departments and politicians.

Perhaps that breadth explains why the ideas are really pretty good, for once. The underlying principle is that a government trojan is only allowed to operate in ways that have been explicitly authorized by an Italian judge's signed warrant. For example:

A Telephone Wiretapping Warrant is required to listen a Whatsapp call.

A Remote Search and Seizure Warrant is required to acquire files on remote devices.

An Internet Wiretapping Warrant is required to record web browsing sessions.

The same kind of warrant that would be required for planting a physical audio surveillance bug is required to listen to the surrounding environment with the device’s microphone.

Those kinds of legal safeguards are welcome, but they are not enough on their own. Also needed are stringent technical controls that will limit the harm and risk of introducing government malware onto a system. The working group has addressed this too with a series of innovative requirements for trojan surveillance programs:

a. The source code must be deposited to a specific authority and it must be verifiable with a reproducible build process (like the Tor Project and Debian Linux are doing)

b. Every operation carried on by the trojan or through its use must be duly documented and logged in a tamper proof and verifiable way, using cryptographic time-stamping and digital signing, so that its results can be fairly contested by the defendant during the inter partes hearing [that is, with everyone involved present].

c. The trojan, once installed, shall not lower the security level of the device where it has been activated

d. Once the investigation has finished, the trojan must be uninstalled or, otherwise, detailed instruction on how to self-remove it must be provided.

e. Trojan production and uses must be traceable by establishing a National Trojan Registry with the fingerprint of each version of the software being produced and deployed.

f. The trojans must be certified, with a yearly renewal of the certification, to ensure compliance with the law and technical regulation issued by the ministry.

It's a remarkable list of technical and operational requirements that are surely unique in their attempt to minimize the key dangers of implanting clandestine surveillance software. Of course, it would be better if the use of government malware were avoided completely, and other methods were adopted. But realistically, the police and intelligence agencies around the world will be pushing hard for legislation to allow them to infect people's computers and mobiles in this way, not least if encryption does become more of a problem.

Given that trojans will be used, whether we like it or not, far better to constrain them as much as possible through well-thought out rules such as those drawn up by the Italian parliamentary group. Let's hope their proposals are adopted without significant amendments by the Italian parliament so that they can be used as a template for similar laws in other jurisdictions.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: government hacking, hacking, italy, regulations, trojans


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Vito, 17 Feb 2017 @ 4:44am

    enforcement ?

    >>>> "...far better to constrain them... through well-thought out rules such as those drawn up by the Italian parliamentary group. "



    Problem is that "ink-on-paper" (rules/laws) does not constrain THEM in day to day reality.

    They don't follow the rules now -- so fine tuning "the rules" achieves nothing.

    We have overwhelming evidence in the U.S. that law enforcement routinely evades the 4th Amendmentt basics-- and the courts rarely punish them for it.

    So what's your plan to "enforce" all these astonishingly wonderful new rules ?

    link to this | view in chronology ]

    • icon
      ThaumaTechnician (profile), 17 Feb 2017 @ 5:32am

      Re: enforcement ?

      Uh, you did notice that the article is about the Italian (see what I did there?) criminal justice system, eh?

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 Feb 2017 @ 5:56am

        Re: Re: enforcement ?

        Maybe they thought it was the Italian Americans that had proposed this. The Mafia was mentioned after all. I could just imagine this in an episode of the Sopranos.

        link to this | view in chronology ]

      • icon
        JoeCool (profile), 17 Feb 2017 @ 7:36am

        Re: Re: enforcement ?

        It doesn't change his point, which is a good one. Government officials already don't follow clear laws with no or very limited punishment. What are more laws (to ignore) going to accomplish? This is true (nearly) everywhere, including, but not limited to, the US, the UK, Australia, Germany, France, Spain, Italy, Russia, China, etc, etc...

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 17 Feb 2017 @ 8:53am

          Re: Re: Re: enforcement ?

          Oh, the italian court system is very autonomous. Actually to the point of being clearly political left-leaning and very biased in several cases.

          The italian legislature is extremely weak and have made for changing governments as often as others change underwear in the past...

          link to this | view in chronology ]

        • identicon
          Thad, 17 Feb 2017 @ 11:30am

          Re: Re: Re: enforcement ?

          Government officials already don't follow clear laws with no or very limited punishment. What are more laws (to ignore) going to accomplish?

          ...did you seriously just argue that because some people break laws, we shouldn't bother having any?

          link to this | view in chronology ]

          • icon
            JoeCool (profile), 18 Feb 2017 @ 8:13am

            Re: Re: Re: Re: enforcement ?

            No, I clearly said that making something MORE illegal is stupid. We already have laws covering it (which they just happen to be ignoring), so it's wasting everybody's time to make more laws on the same thing (which they'll ignore as well). It's like proposed laws to make killing cops against the law - it's stupid since killing anyone (not withstanding things like self-defense) is already illegal.

            link to this | view in chronology ]

    • icon
      OldMugwump (profile), 17 Feb 2017 @ 8:19am

      Re: enforcement ?

      Vito, we have to start somewhere. If your attitude is "nobody follows the rules" then rules don't matter and we have chaos where the strong crush the weak.

      This is a good start - reasonable rules. They should be praised and encouraged.

      Now they have to be enforced. That's the next step.

      The only way to make progress is to work at it.

      link to this | view in chronology ]

  • identicon
    Châu, 17 Feb 2017 @ 5:03am

    Reverse Trojans

    Wonder if can people can hack this malware and use it spy police and government phones. People have right spy government officials because government officials force people pay them tax.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2017 @ 5:17am

    Hmm... spying tools are commonly trojans... PC game DRM methods are essentially trojans... how long 'til we see the feds co-opt game publishers to adapt their DRM so that when it calls the home servers to keep the game unlocked, it also sends your data to the NSA?
    As a bonus, circumventing game DRM can then be claimed as a "NATIONAL SECURITY!!1!!1eleventy!1!!" issue.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2017 @ 10:19am

    Fuck non consented surveillance in general, ill always earn for the day where none of this is required........goodluck to the generation who has to force their government to give up a functional yet cancerous limb, given up on that being our generation

    But ill say this, its the first time ive seen an ACTUALL attempt at trying to balance privacy and security, on the technological level, to the point of making me envious, considering the one sided balance we have today

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 Feb 2017 @ 12:26pm

    How are they installed?

    Many of the things seen so far have used publically-unknown security flaws to install themselves. All I see here about installation is:

    c. The trojan, once installed, shall not lower the security level of the device where it has been activated

    Hoarding vulnerabilities wouldn't violate that, because of the "once installed" loophole—but it would still makes everyone in the world less secure. Do we know anything of Italy's plans?

    link to this | view in chronology ]

  • identicon
    Erin, 17 Feb 2017 @ 2:17pm

    Up until..

    > it would be better if the use of government malware were avoided completely, and other methods were adopted.

    Suggesting "other methods" would be helpful. By definition, clandestine operations involve not letting the observed know what's happening, so you can't just go up and ask them for their data (and they'd just say no anyway.)

    As written in your summary, this seems like the perfect response -- the ability for law enforcement to do their job but with the oversight in place to limit their ability to abuse the powers. As far as I've ever seen, that's basically exactly how the system should work.

    Of course as always the devil's in the details so we'll see how things go as loopholes are discovered and whether Italy is willing to stand their ground if/when the US or EU decides to throw their weight around over some copyright claim or other.

    But as the article title says, its astonishingly sensible and if you have better options its rather on you to suggest them. Leaving it to the imagination just makes it sound like "do nothing" is the only solution you'd be happy with and that's just not viable.

    link to this | view in chronology ]

    • identicon
      Thad, 17 Feb 2017 @ 2:47pm

      Re: Up until..

      Suggesting "other methods" would be helpful.

      Off the top of my head, getting a warrant and requesting information from an ISP/e-mail host would be a good start.

      link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.