Issues relating to law enforcement use of "trojans"

Introduction

Several countries, including Germany and the US, have apparently proposed the use of "trojans" by law-enforcement agencies[1] to collect data remotely from suspects. This essay looks at the technological and legal issues raised by this approach. The legal aspects are addressed from the viewpoint of UK law.

History

The most recent incarnation of this proposal became public in November 2006 when a German magistrate decided that the police could not use "hacking tactics" to investigate the computers of suspects without their knowledge; this decision was eventually upheld by the supreme court[2]. The government stated it would work to legalise the practice and, almost immediately, there were reports[3] that the police were working on developing "spyware similar to a Trojan".

However, the idea has been around for much longer than that. In 2001 a product called D.I.R.T. was on sale to law enforcement agencies around the world[4], marketed for tasks such as:

Scenario:

Your undercover online investigator makes contact with a suspected pedophile in a chat room. Suspect sends illegal image(s). You now have probable cause. You want to remotely monitor suspect and seize additional evidence from his computer.

What do you use?[5]

The previous year there were reports that the FBI placed a key-logger on the computers of one Nicodemo Scarfo while searching his premises[6]. This wasn't a trojan, but it was probably the first time that the idea that law enforcement agencies could use malware came to general public attention, and it no doubt acted as an inspiration for D.I.R.T. There were also reports that the FBI were working on a trojan system called "Magic Lantern"[7].

Terminology

The term "malware" carries a negative implication of wrongdoing and evil. Though, like normal malware, this software is installed covertly on a computer to carry out an action not requested by the owner, the motives are different and it is convenient to distinguish the two. Therefore I use the neologism "policeware" for such software used for legitimate law enforcement purposes[8].

Rationale

Why would law enforcement agencies want to use policeware and, in particular, trojans? The most often-cited reason is to find passwords for encrypted material (this was the purpose in the Scarfo case). When modern encryption is used correctly it is unbreakable and the only practical approach is to find out the password used as the encryption key. In turn, the easiest way to do this is to plant a key-logger on the machine and wait for the password to be typed in and recorded. Of course, policeware can be used for other purposes. If it can establish an Internet connection, it can allow the police to obtain copies of files or records of web pages visited without, in either case, tipping-off the suspect by seizing their computer. It can also provide copies of material transferred over encrypted connections (for which interception is nugatory) but not stored to disc; the obvious example of this is encrypted voice over IP, with Skype often suggested as a target[9].

Why use trojans? The answer is probably that, despite the name, that is not what is being proposed. Specifically, a "trojan" or "Trojan horse" is:

A malicious security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or (in one notorious 1990 case on the Mac) a program to find and destroy viruses![10]

However, the proposals are not specific to disguising a key-logger or some such software. Rather, they simply involve getting the policeware on to the suspect's computer in some way via some exploit[11]. In particular, some versions of Microsoft Outlook contain a vulnerability that allows incoming email to install software without being specifically instructed to, and it is likely that the term "trojan" is being misused to refer to software installed in this manner. Of course, the police will not care how it is installed provided that the suspect remains unaware.

Legal issues

Is it legal in the UK for the police to covertly install a piece of policeware on a suspect's computer? In general, it is illegal to install software on a computer without permission. The Computer Misuse Act 1990[12] was enacted precisely to forbid such actions and its very first provision is:

1(1) A person is guilty of an offence if
 (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured;
 (b) the access he intends to secure or to enable to be secured is unauthorised; and
 (c) he knows at the time when he causes the computer to perform the function that that is the case.

There is an explicit exemption for the police in s.10:

10 Section 1(1) above has effect without prejudice to the operation
 (a) in England and Wales of any enactment relating to powers of inspection, search or seizure; and
 (b) in Scotland of any enactment or rule of law relating to powers of examination, search or seizure.

However, this is clearly aimed at the execution of search warrants and looking at the resulting material, rather than covert key-logging. The main legislation on the powers of search and seizure is the Police and Criminal Evidence Act 1984 ("PACE") and its provisions are based around authority "to enter and search"[13]. Therefore it would appear that the police cannot use policeware.

If the policeware allows access to the content of a communication, such as with the proposals to give access to Skype, then a second law comes into effect: the Regulation of Investigatory Powers Act 2000 ("RIPA"). Under the RIPA definitions, the user's computer is a "private telecommunication system"[14] and interception of communications[15] in such a system is forbidden by s.1(2):

(2) It shall be an offence for a person -
 (a) intentionally and without lawful authority, and
 (b) otherwise than in circumstances in which his conduct is excluded by subsection (6) from criminal liability under this subsection,
to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of a private telecommunication system.

Subsection (6) excludes people with a right to control operation or use of the system from criminal liability (though s.1(3) gives them civil liability). More important, though, is the definition of "lawful authority":

(5) Conduct has lawful authority for the purposes of this section if, and only if -
 (a) it is authorised by or under section 3 or 4;
 (b) it takes place in accordance with a warrant under section 5 ("an interception warrant"); or
 (c) it is in exercise, in relation to any stored communication, of any statutory power that is exercised (apart from this section) for the purpose of obtaining information or of taking possession of any document or other property;
and conduct (whether or not prohibited by this section) which has lawful authority for the purposes of this section by virtue of paragraph (a) or (b) shall also be taken to be lawful for all other purposes.

Since part (c) is not relevant to the use of malware in this way, the interesting aspects are sections 3 to 5. It is important to note that these are the only ways to gain lawful authority.

Section 3 grants authority where either at least one party has consented or where the interception is for the purposes of operating a telecommunication service, none of which applies here. Section 4(1) relates to people outside the UK, section 4(2) addresses legitimate business practices[16], and the remainder of s.4 relates to various public institutions such as prisons and hospitals. This leaves section 5, which allows for the explicit issue of an interception warrant. If, and only if, such a warrant has been granted, the police are allowed to intercept the suspect's communications. However, it is not clear that the warrant would allow the installation of policeware as part of this. S.5(6) says:

(6) The conduct authorised by an interception warrant shall be taken to include -
 (a) all such conduct (including the interception of communications not identified by the warrant) as it is necessary to undertake in order to do what is expressly authorised or required by the warrant;

and the definition of interception includes the modifications implied by installing the policeware[17], but that does not, of itself, appear to override the unlawfulness under the Computer Misuse Act.

RIPA and surveillance

The other direction from which to address this is the law enforcement powers on surveillance. These are addressed in part II of RIPA, which was created to provide a clear legislative basis for such activities by the state. Under this, installation of policeware on a computer would constitute surveillance that "is likely to result in the obtaining of private information about a person"[18] and so is "directed surveillance" under s.26(2). However, if the computer is in residential premises and the policeware qualifies as a "surveillance device" (it is unclear whether software is a "device") then it is, instead, "intrusive surveillance" under s.26(3)[19]. In any case, the distinction does not matter for the purposes of this essay since, in either case, s.27(1) then says:

27(1) Conduct to which this Part applies shall be lawful for all purposes if -
 (a) an authorisation under this Part confers an entitlement to engage in that conduct on the person whose conduct it is; and
 (b) his conduct is in accordance with the authorisation.

Thus the use of the policeware to observe the activities of the suspect would be legal provided an appropriate authorisation has been granted under Part II of the Act. The provisions for granting authorisations take up several sections of Part II and depend on whether the specific instance is "directed surveillance" or "intrusive surveillance", but this is not relevant to the legality of the resulting actions. The only point that need be noted is that these procedures require that the authorisation is necessary and that the resulting conduct will be proportional to the expected results[20]. There is one rider to this: under s.48(4) of RIPA, surveillance that involves interception of communications can only be authorised under part II when one party to the communications consents[21] - this will not apply here.

It remains unclear whether the wording "lawful for all purposes" in s.1(5) and s.27(1) is sufficient to override the Computer Misuse Act. The one other place to look is the Police Act 1997 which states:

92. No entry on or interference with property or with wireless telegraphy shall be unlawful if it is authorised by an authorisation having effect under this Part.

and then goes on to set up an authorisation regime for entry on or interference with property. It would appear that a combination of authorisations under RIPA and the Police Act should suffice to make the installation and use of policeware lawful.

In summary, policeware would be legal if an appropriate authorisation was obtained. The exact form of authorisation required differs according to the details of the case; in particular, if interception of communications is involved, then the authorisation involves a warrant signed by the Secretary of State[22].

Technological issues

Having addressed the legal issues, we now need to move to the technological ones. There are a number of areas where such issues can occur:

Initial installation

The first issue to consider is how policeware can be installed on the system without the knowledge of the suspect. One approach is to gain physical access to the machine and install the software directly. This is the most reliable approach - because there is no doubt that the software is in place and operating - but gaining the necessary access can be hard. It may even be necessary to burgle the premises as in the Scarfo case[23]. If the suspect could be persuaded to allow a third party access to the machine (e.g. to carry out a hardware upgrade) then that person could install the software. However, it would have to be a naïve suspect who did not carry out subsequent checks for malware.

The alternative approach is to install the software remotely, which brings us back to the original premise: the use of "trojans" by the police. There are two basic approaches to installing software in this way: either the suspect can be persuaded to install the software himself (a genuine "trojan") or some exploit is used to break into the computer and install it. Both of these run into the same problem: the modern-day computer user is bombarded with messages telling them never to open messages or files that arrive unexpectedly, to keep their firewall and anti-virus systems up to date, and to ensure security patches are installed. Thus it will not be possible to simply email the suspect a file and expect them to execute it. Up-to-date security similarly means that obvious exploits will not work because they have been patched or will be blocked by a firewall or anti-virus system. It will be necessary to find an exploit that works on the suspect's computer and has not been addressed yet, and then craft a targeted attack using it. This will be, at best, a hit-and-miss affair.

Detection by the suspect

Assuming that it is possible to get the policeware installed, there is an ongoing problem with ensuring that the suspect does not detect it. The presence of malware is normally detected in one of two ways, which can be called "signatures" and "effects".

Anti-virus, anti-spyware, and similar packages mostly detect malware through "signatures". That is, they look for a particular file or a particular pattern of bytes within the file that is characteristic of the malware but not of any genuine file[24]. Such systems will not detect a genuine police-only piece of "malware" because they would not be aware of it and therefore do not have an example to analyse and add to their signature database. However, it is possible that the policeware could be discovered in some other way and then reported to security software vendors. These would then have an ethical issue to deal with: should they include this specific software in their databases and risk compromising a police investigation, or should they explicitly exclude it and risk their reputation if the policeware is subsequently misused for illegal purposes?[25] The reported views of the industry vary. On the one hand:

Finnish security company F-Secure[26] says it will add detection for the software should it ever be found in public, and takes a dim view of the project: 'We will not leave such backdoors to our F-Secure Anti-Virus products, regardless of the source of such tools.'[27]

and Sophos[28], responding to enquiries about an FBI trojan, took an international view:

customers outside the US would expect protection against the Trojan. Such a move also creates an awkward precedent.

Cluley adds: "What if the French intelligence service, or even the Greeks, created a Trojan horse program for this purpose? Should we ignore those too?"[29]

On the other hand, Symantec[30] were willing to trust law enforcement agencies:

"If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it - we wouldn't detect it," said Chien. "However we would detect modified versions that might be used by hackers."[31]

This, of course, side-steps the question of the original - rather than modified - version being used by hackers.

Interestingly, more recently the tide seems to have turned against policeware. In a 2007 survey of the 13 top security software companies[32], all said that it was their policy to detect policeware. 9 of them stated that they had not received court orders to suppress the signatures of policeware, 2 were unsure, and 2 refused to answer (of course, such a court order could include a requirement that the company lie if asked about it).

The second approach to detecting malware is through its effects. This can then be subdivided into internal effects and external effects. Detection systems that look for the internal effects of malware do things like looking at the system calls that programs make and attempt to identify patterns of illicit behaviour.[33] However, these are aimed more at compromise of existing programs (e.g. through buffer overflows) than at additional software running on the system. Such systems can also look for changes to existing files or the creation of new files in unusual places. However, it is very easy to blind the user through excessive false positives (for example, a system that reported every new file would overwhelm someone attempting to surf the Internet because of the number of files added to the browser cache) and so such systems have to have deliberate "blind spots" in which malware could be hidden. The most likely time for malware to be detected by such systems is when it is first installed; once the program is "known" to the system it is likely to be ignored. Therefore the policeware author needs to determine how common detection systems record applications as known and insert themselves into those records.

Detection of malware through its external effects, on the other hand, is considerably simpler - the malware will attempt to communicate over the Internet and these communications can be detected. Many users nowadays run firewalls that report on unexpected outgoing Internet traffic as well as incoming. For example, the ZoneAlarm[34] firewall reports on all unauthorised outgoing traffic and Windows XP will ask whether new software is allowed to connect to the Internet, remembering the response. This makes useable policeware harder to write. Whether it is going to be contacted from outside to report its results or will "phone home" of its own accord, the connection may be spotted and reported.

Preventing such detection is, again, done in two parts. Firstly, the connections must be made to look like normal network connections. Thus the policeware should send its data in emails, or make standard HTTP queries to some site, rather than using a proprietary protocol. Incoming instructions could be in the replies to these queries or in other emails crafted to look like spam to the reader but also intercepted by the policeware (for example, if the email is in MIME multipart format[35] then the "boundary" parameter - which is a random sequence of up to about 50 characters - can encode several bytes of data). Secondly, the policeware needs to make itself appear as legitimate to the detection systems; this is the same problem as above and, again, needs to be done as part of the installation process.

Misuse by third parties

If a machine has policeware on it that can be controlled externally, there is a risk that others may discover its presence and make use of it. For example, if the policeware allows - or can be manipulated to allow - other programs to be installed and executed, then the discoverer could use it to install their own software and then delete the original. The result is that the police no longer have access to the suspect's computer and, instead, it has become part of a spam distribution network or a zombie botnet. Furthermore, even if the machine is later seized by the police for forensic examination, the presence of the other malware will make the results unreliable because the police will not know what effect it will have had. At worst the other malware will affect the computer to the extent that the suspect has it reinstalled from scratch, destroying much of the evidence available to a forensic examination.

Preventing misuse by third parties is, ironically enough, an objective of "conventional" malware authors and the same techniques can be used by the police. For example, the policeware can be programmed to only accept commands from a specific IP address or range of addresses, or require those commands to be digitally signed with a specific key. If done properly (which does, of course, make writing the policeware more difficult and expensive) then misuse by third parties should not be a problem.

Unintentional damage to the target

A risk that must be considered when installing any kind of covert software on to a computer is that the software will affect it in an unexpected way. This could be because of a bug that causes it to overwrite some other file by accident, an unforeseen interaction between the program and another over some resource, or something else. Again this is a problem both because it can lead to the policeware being detected and because it damages the evidential quality of the information gained by its use.

This is both a simple and an impossible problem to solve! It is simple because it merely requires the software to be written properly so that it does not have these problems. It is impossible because nobody has yet managed to find a way to write software without bugs[36].

Breach of authorisation

A problem specific to policeware is that the authorisation may limit the ways in which it can be used; it is preferable to encode these limitations into the software than to attempt to apply them retroactively to the results - an example of the "code v. law" argument of Lawrence Lessig[37]. The most obvious example of this is to do with interception of communications: the authorisation required[38] to intercept communications is far more difficult to obtain than one to carry out surveillance and, therefore, an authorisation to do the latter will exclude (implicitly or explicitly) the former. Suppose that the police wish to covertly install a key-logger in order to read the encryption password used by the suspect. At the same time, it is important that this does not log the keystrokes involved in an online "chat" session because this would be interception of communications. This is the scenario found in the Scarfo case and the solution adopted by the FBI is worth examination.

According to the FBI affidavit[39], it was already known that the computer in question used a modem as its only way to communicate to the outside world[40] and this modem would be connected via one of the COM ports. The key-logger was therefore designed to check whether any of the COM ports were active and, if so, did not make any record of the keystrokes typed. This was recognised as being more conservative than strictly necessary - the modem activity could have related to one application running on the computer while the keystrokes were sent to another[41] - but this was seen as the simplest way to guarantee that communications were not intercepted. Of course, if Scarfo had typed an email for later transmission while the modem was not connected, the contents of that email would have been recorded. This issue does not seem to have been raised in the Scarfo case. In the UK it would appear that such key-logging would not be interception, because this is defined[42] as making the contents available to a third party "while being transmitted" (my emphasis) and the email is not being transmitted as it is written (unlike "chat" systems).

Of course, the fact that this was allegedly done in one case would not automatically mean it is possible in another. Nowadays most computers are connected to the Internet permanently or nearly so, meaning that anything typed could be a potential communication. Key-loggers would need to work on some other basis, such as checking which program the keystrokes are being sent to.
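As an added illustration (not from the essay, the FBI affidavit or any real product), the following Python simulates the two suppression rules just described over a constructed list of events: the Scarfo rule (record nothing while a communication channel is active) and the generalisation of checking which program receives the keystrokes. It captures nothing from the running system; the set of "transmits as typed" programs and the sample events are assumptions for the example. Every kept keystroke carries its time and target window, and every suppressed interval is logged with its reason, which is the provenance a court would want to see.

```python
"""Simulation of authorisation constraints encoded into a key-logging policy.

Added example: processes constructed events only and reads no real input.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed for the example: programs that transmit keystrokes as they are typed,
# so logging them would amount to interception of a communication.
LIVE_TRANSMIT_APPS = {"chat-client"}


@dataclass
class Event:
    t: datetime        # wall-clock time of the keystroke
    target: str        # window/application that received the key
    key: str
    comm_active: bool  # a communication channel (modem, socket) is in use


@dataclass
class Record:
    t: datetime
    target: str
    key: str


@dataclass
class Suppression:
    start: datetime
    end: datetime
    reason: str


@dataclass
class Log:
    records: List[Record] = field(default_factory=list)
    suppressions: List[Suppression] = field(default_factory=list)


def suppression_reason(ev: Event) -> Optional[str]:
    """Return why this event must not be recorded, or None if it may be."""
    if ev.comm_active:
        return "communication channel active (Scarfo rule)"
    if ev.target in LIVE_TRANSMIT_APPS:
        return f"target {ev.target!r} transmits as typed"
    return None


def process(events: List[Event]) -> Log:
    """Apply the rules, merging consecutive suppressions with the same reason."""
    log = Log()
    current: Optional[Suppression] = None
    for ev in sorted(events, key=lambda e: e.t):
        reason = suppression_reason(ev)
        if reason is None:
            if current is not None:
                log.suppressions.append(current)
                current = None
            log.records.append(Record(ev.t, ev.target, ev.key))
        elif current is not None and current.reason == reason:
            current.end = ev.t
        else:
            if current is not None:
                log.suppressions.append(current)
            current = Suppression(ev.t, ev.t, reason)
    if current is not None:
        log.suppressions.append(current)
    return log


def sample_events() -> List[Event]:
    """Constructed sample data, not a real capture."""
    t0 = datetime(2008, 3, 31, 9, 0, 0)

    def at(s: int) -> datetime:
        return t0 + timedelta(seconds=s)

    evs: List[Event] = []
    for i, k in enumerate("pass"):    # passphrase typed into an encryption tool, offline
        evs.append(Event(at(i), "crypto-tool", k, False))
    for i, k in enumerate("hi"):      # chat client: transmitted as typed, so suppressed
        evs.append(Event(at(10 + i), "chat-client", k, False))
    for i, k in enumerate("draft"):   # email drafted offline: recorded, as the essay notes
        evs.append(Event(at(20 + i), "mail-client", k, False))
    for i, k in enumerate("xyz"):     # modem connected: Scarfo rule suppresses everything
        evs.append(Event(at(30 + i), "mail-client", k, True))
    return evs


def summarise(log: Log) -> dict:
    """Compact view: recorded text and (reason, duration in seconds) per gap."""
    return {
        "recorded": "".join(r.key for r in log.records),
        "suppressed": [(s.reason, int((s.end - s.start).total_seconds()))
                       for s in log.suppressions],
    }


if __name__ == "__main__":
    result = process(sample_events())
    for r in result.records:
        print(r.t.isoformat(), r.target, repr(r.key))
    for s in result.suppressions:
        print("suppressed", s.start.time(), "-", s.end.time(), s.reason)
```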

Misuse by law enforcement

The final major technological issue is deliberate misuse of the policeware by law enforcement. This misuse could be passive or active. An example of passive misuse would be where the policeware was designed to allow files to be copied to the police for the purpose of obtaining specific files (e.g. financial records kept on the machine), but was used to make copies of unrelated files. This would be a breach of the authorisation for the use of the policeware in the first place; it would also alter the "last accessed" times on the relevant files, which could confuse a forensic investigator looking at the computer at a later date (assuming that, at some point, the machine would be seized). The only real remedy for this is to have formal procedures - a record must be kept of everything the policeware is commanded to do, so that this can be related to any later forensic findings. Preferably this record-keeping should be automatic (e.g. done by the same application running on the police's computers that sends commands to the policeware).

Active misuse is more serious. If, for whatever reason, the policeware has the specific ability to alter the contents of files on the target computer, this ability could be misused to alter data, erase exculpatory evidence, or plant incriminating files that can later be "found". Any such action would, of course, be criminal under several headings but, more importantly, it would be a gross perversion of justice to do so, a gross miscarriage of justice if such evidence were accepted, and if detected it would completely destroy the evidential value of anything found on that computer or, indeed, any computer it regularly connects to, in turn destroying any prosecution case. While in principle it might be possible to arrange that any transfers to the suspect's computer were properly logged and could be audited, this remains fraught with risk and the safest way to prevent misuse is to ensure that policeware does not have any such ability.

Usability of evidence

How useable is evidence gained from use of policeware? Firstly, as discussed in the previous sections, it is essential that the policeware cannot alter any file on the system and desirable that it does not normally access any files. Obviously it will need somewhere to store information it has collected until that can be forwarded to its controller, and it may need to alter various system files so as to prevent it being reported to the user. All of this is necessary to ensure that the policeware does not affect any other evidence recovered from the computer and also to deflect claims from the defence that it corrupted that evidence.

As to the data actually collected, provided that the policeware was installed in accordance with an appropriate authorisation, there is unlikely to be any danger that it will be excluded from evidence by the court. Of course, just as with any computer forensic evidence, it will be necessary to produce explanations of how the policeware operates and what the collected data is. That data should contain as much provenance as possible. For example, a key-logger should record the exact time of each keystroke and the window or application that received the key. If, like the Scarfo one, it only records some keystrokes, it should note periods when it has been disabled and why that was. Indeed, the Scarfo case is salutary here: the defence motion to suppress the evidence from the FBI key-logger[43] includes a number of valid criticisms. Apparently there was no date-time information attached to the logs[44] and the recorded data did not seem to match what would be expected from a key-logger:

Moreover, the data supplied in discovery reflects the capture of both letters, words, numbers, several pages with the word "gray," other indecipherable items and the "passphrase" as its last entry. If the KLS was functioning as it should, this amalgamation of data should not have been recorded - sentences, words, intelligible information should have been recorded. While the government claims that the KLS only operated for 14 days, it is hard to believe that during those 14 days Scarfo hardly wrote an intelligible sentence on his computer.[45]

There are other criticisms of the description:

"Further, the FBI did not install and operate any KLS component which would search for or record any fixed data stored within the computer." If this were true, then how would the agents retrieve the actual recorded keystrokes from the system?[46]

The former is the sort of pitfall that a well-written piece of policeware should avoid; the latter could be addressed by a good presentation in court (though it is puzzling how the system could record keystrokes without recording data within the computer).

Conclusion

Provided that the appropriate authorisation procedures are followed, there is no reason in UK law why the police cannot covertly install a piece of software on to the computer of a suspect and use it to collect intelligence or evidence. Unless the correct warrant has been obtained, care must be taken to ensure that the policeware does not intercept communications.

Creating such a piece of policeware that will not be discovered by existing anti-virus and anti-spyware software will be difficult, as will remotely installing the policeware through firewalls and intrusion detection systems. There are a number of pitfalls that the policeware designer needs to avoid; in particular, it is preferable that it not be allowed to modify existing files.


Footnotes

[1] Throughout this essay "police", "law enforcement", and "law-enforcement agencies" are used interchangeably.

[2] See, for example, German Supreme Court Deems Police Hacking Illegal, Deutsche Welle 2007-02-05, available at http://www.dw-world.de/dw/article/0,2144,2337932,00.html.

[3] See, for example, German cops and spooks prep own spyware, The Register 2007-02-27, available at http://www.theregister.co.uk/2007/02/27/german_state_hackers/.

[4] See, for example, Trojan lets cyber-cops plant bogus evidence, The Register 2001-06-04, available at http://www.theregister.co.uk/2001/06/04/trojan_lets_cybercops_plant_bogus/. But note the partial retraction and further discussion at http://www.theregister.co.uk/2001/06/06/reg_duped_by_crimebusting_d/. There is also a followup article Law-enforcement DIRT Trojan released, The Register 2002-03-14, available at http://www.theregister.co.uk/2002/03/14/lawenforcement_dirt_trojan_released/.

[5] See Trojan lets cyber-cops plant bogus evidence, referenced from note 4.

[6] See, for example, FBI surreptitious black bag jobs circumvent encryption products, Politech mailing list 2000-12-05, available at http://www.politechbot.com/p-01545.html. Scarfo eventually entered into a plea agreement.

[7] See, for example, FBI uses hacking technology for surveillance, ZDNet 2001-11-22, available at http://news.zdnet.co.uk/internet/0,1000000097,2099692,00.htm?r=4.

[8] Unsurprisingly, I am not the first person to use the term and it has already appeared in Wikipedia as well as the press. See http://en.wikipedia.org/wiki/Policeware. However, my use here excludes such systems as Carnivore which are not installed on a suspect's computer.

[9] See, for example, Swiss look to Trojan code for VoIP tapping, ZDNet 2006-10-10, available at http://www.pcpro.co.uk/news/95394/swiss-look-to-trojan-code-for-voip-tapping.html and, more recently, Skype Trojan wiretap plan leaks onto the net, The Register 2008-01-28, available at http://www.theregister.co.uk/2008/01/29/skype_trojan/.

[10] Definition from E.S.Raymond The New Hacker's Dictionary, pub. 1996 MIT Press, ISBN 0262680920, also known as The Jargon File and available at http://catb.org/~esr/jargon/. This specific definition was "coined by MIT-hacker-turned-NSA-spook Dan Edwards".

[11] "A vulnerability in software that can be used for breaking security or otherwise attacking an Internet host over the network.", Raymond op.cit. note 10.

[12] The Computer Misuse Act has undergone a number of major changes since first coming into force and has others pending; at the time of writing the Act as applied to Scotland is significantly different from how it applies to England and Wales. A consolidated version is available at http://www.davros.org/legal/cma.html. Unless stated otherwise, quotes and citations of the Act in this essay are the version in force in England on 2008-03-31.

[13] PACE s.8(1).

[14] RIPA s.2(1).

[15] Defined in RIPA s.2(2) as modifying the system or monitoring transmissions "as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication". Under s.2(8) this includes recording the communication for later access.

[16] More precisely, s.4(2) creates the power to enact regulations authorising interception for legitimate business purposes. These powers were used to enact the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (No.2699).

[17] RIPA s.2(6): "For the purposes of this section references to the modification of a telecommunication system include references to the attachment of any apparatus to, or other modification of or interference with -
(a) any part of the system;"

[18] "(2) Subject to subsection (6), surveillance is directed for the purposes of this Part if it is covert but not intrusive and is undertaken -
(a) for the purposes of a specific investigation or a specific operation;
(b) in such a manner as is likely to result in the obtaining of private information about a person (whether or not one specifically identified for the purposes of the investigation or operation); and
(c) otherwise than by way of an immediate response to events or circumstances the nature of which is such that it would not be reasonably practicable for an authorisation under this Part to be sought for the carrying out of the surveillance."

[19] "(3) Subject to subsections (4) to (6), surveillance is intrusive for the purposes of this Part if, and only if, it is covert surveillance that -
(a) is carried out in relation to anything taking place on any residential premises or in any private vehicle; and
(b) involves the presence of an individual on the premises or in the vehicle or is carried out by means of a surveillance device."

[20] See RIPA s.28(2) for directed surveillance and s.32(2) for intrusive surveillance.

[21] "(4) References in this Part to surveillance include references to the interception of a communication in the course of its transmission by means of a postal service or telecommunication system if, and only if -
(a) the communication is one sent by or intended for a person who has consented to the interception of communications sent by or to him; and
(b) there is no interception warrant authorising the interception."

[22] Normally the Home Secretary, the Foreign Secretary, or the equivalent Scottish minister.

[23] See note 6 and the FBI affidavit referred to at note 39.

[24] In principle such systems can also use file size or a hash of the file contents. However, these are easy to defeat and sophisticated malware will change its own contents from time to time to make recognition harder.

[25] See below for ways this could happen.

[26] See http://www.f-secure.com.

[27] See Swiss look to Trojan code for VoIP tapping, ZDNet 2006-10-10, available at http://www.pcpro.co.uk/news/95394/swiss-look-to-trojan-code-for-voip-tapping.html.

[28] See http://www.sophos.com.

[29] See AV vendors split over FBI Trojan snoops, The Register 2001-11-27, available at http://www.theregister.co.uk/2001/11/27/av_vendors_split_over_fbi/.

[30] See http://www.symantec.com.

[31] Ibid, note 29.

[32] See Will security firms detect police spyware?, CNET News.com 2007-07-17, available at http://www.news.com/Will-security-firms-detect-police-spyware/2100-7348_3-6197020.html.

[33] For example, see W.Lee and S.Stolfo, Data Mining Approaches for Intrusion Detection, available at http://www1.cs.columbia.edu/~sal/hpapers/USENIX/usenix.html.

[34] See http://www.zonealarm.com.

[35] This is the format used to send emails that, for example, contain attachments or have both text and HTML versions. See section 5 of IETF RFC 2046, available at http://www.ietf.org/rfc/rfc2046.txt.

[36] As an extreme example of this, it is often claimed that the IBM OS/360 program "IEFBR14", which explicitly does nothing at all, took several attempts to get correct. See http://catless.ncl.ac.uk/Risks/6.14.html#subj2.

[37] See L.Lessig Code and other laws of Cyberspace, pub. 1999 Basic Books, ISBN 0465039138.

[38] See above for a discussion of the various types of authorisation granted under RIPA.

[39] Available at http://epic.org/crypto/scarfo/murch_aff.pdf.

[40] "the FBI knew that when the computer's modem was not activated, the computer was not acting as an electronic communications device". Ibid page 6.

[41] Ibid page 7.

[42] RIPA s.2(2).

[43] Available at http://epic.org/crypto/scarfo/supp_suppress_mot.pdf.

[44] Defence motion, page 7 paragraph 8.

[45] Defence motion, page 8 paragraph 8. "KLS" is the FBI key-logger.

[46] Defence motion, page 19, paragraph 10. The quoted text is from the FBI affidavit; see note 39.


Online sources

Except where specifically dated, all online sources were successfully accessed on some date between 1st and 15th April 2008. The bracketed numbers after each source give the notes in which it is cited.

Press articles

AV vendors split over FBI Trojan snoops, The Register 2001-11-27 http://www.theregister.co.uk/2001/11/27/av_vendors_split_over_fbi/ [29, 31]

FBI uses hacking technology for surveillance, ZDNet 2001-11-22 http://news.zdnet.co.uk/internet/0,1000000097,2099692,00.htm?r=4 [7]

German cops and spooks prep own spyware, The Register 2007-02-27 http://www.theregister.co.uk/2007/02/27/german_state_hackers/ [3]

German Supreme Court Deems Police Hacking Illegal, Deutsche Welle 2007-02-05 http://www.dw-world.de/dw/article/0,2144,2337932,00.html [2]

Law-enforcement DIRT Trojan released, The Register 2002-03-14 http://www.theregister.co.uk/2002/03/14/lawenforcement_dirt_trojan_released/ [4]

Reg duped by crime-busting D.I.R.T Trojan, The Register 2001-06-06 http://www.theregister.co.uk/2001/06/06/reg_duped_by_crimebusting_d/ [4]

Skype Trojan wiretap plan leaks onto the net, The Register 2008-01-28 http://www.theregister.co.uk/2008/01/29/skype_trojan/ [9]

Swiss look to Trojan code for VoIP tapping, ZDNet 2006-10-10 http://www.pcpro.co.uk/news/95394/swiss-look-to-trojan-code-for-voip-tapping.html [9, 27]

Trojan lets cyber-cops plant bogus evidence, The Register 2001-06-04 http://www.theregister.co.uk/2001/06/04/trojan_lets_cybercops_plant_bogus/ [4, 5]

Will security firms detect police spyware?, CNET News.com 2007-07-17 http://www.news.com/Will-security-firms-detect-police-spyware/2100-7348_3-6197020.html [32]

Discussion lists

FBI surreptitious black bag jobs circumvent encryption products, Politech list 2000-12-05 http://www.politechbot.com/p-01545.html [6, 23]

Company websites

F-Secure: http://www.f-secure.com [26]

Sophos: http://www.sophos.com [28]

Symantec: http://www.symantec.com [30]

ZoneAlarm (Checkpoint): http://www.zonealarm.com [34]

Court papers in the Scarfo case

Defence motion to suppress evidence http://epic.org/crypto/scarfo/supp_suppress_mot.pdf [43-46]

FBI affidavit http://epic.org/crypto/scarfo/murch_aff.pdf [23, 39-41, 46]

Other online resources

Consolidated text of the Computer Misuse Act 1990 http://www.davros.org/legal/cma.html [12]

W.Lee and S.Stolfo, Data Mining Approaches for Intrusion Detection http://www1.cs.columbia.edu/~sal/hpapers/USENIX/usenix.html [33]

Multipurpose Internet Mail Extensions, IETF RFC 2046 http://www.ietf.org/rfc/rfc2046.txt [35]

E.S.Raymond The New Hacker's Dictionary, pub. 1996 MIT Press, ISBN 0262680920, also known as The Jargon File http://catb.org/~esr/jargon/ [10, 11]

Wikipedia article on "Policeware" http://en.wikipedia.org/wiki/Policeware [8]

The story of the IEFBR14 program http://catless.ncl.ac.uk/Risks/6.14.html#subj2 [36]

