Useful Links
SMBlog
RSS feed RSS icon
About this blog
About me
Archives of Dave Farber's IP list
Archives of RISKS Digest
The Legal Information Institute at Cornell University
Thinking Security
Firewalls and Internet Security: Repelling the Wily Hacker
The Electronic Frontier Foundation
The Tor Project
The Center for Democracy and Technology
Freedom to Tinker blog
Bruce Schneier's blog
Matt Blaze's blog
Matthew Green's A Few Thoughts on Cryptographic Engineering
Krebs on Security
December 2008
Cybercrime and "Remote Search" (2 December 2008)
The Report on "Securing Cyberspace for the 44th Presidency" (15 December 2008)
Another Cluster of Cable Cuts (20 December 2008)
Companies, Courts, and Computer Security (30 December 2008)
Recent Posts
Brief Notes on Computer Word and Byte Sizes (7 March 2023
In Memoriam: Frederick P. Brooks, Jr. --- Personal Recollections (18 November 2022
Attacker Target Selection (5 July 2021
Where Did "Data Shadow" Come From? (26 June 2021
Vaccine Scheduling, APIs, and (Maybe) Vaccination Passports (2 April 2021
Security Priorities (25 February 2021
Covid-19 Vaccinations, Certificates, and Privacy (13 August 2020
Hot Take on the Twitter Hack (15 July 2020
Trust Binding (11 June 2020
Facebook, Abuse, and Metadata (24 May 2020
Archive
2007 (43)
2008 (39)
2009 (21)
2010 (15)
2011 (16)
2012 (14)
2013 (6)
2014 (16)
2015 (14)
2016 (6)
2017 (17)
2018 (16)
2019 (17)
2020 (15)
2021 (4)
2022 (1)
2023 (1)
 
Full Index
Tag Index

Cybercrime and "Remote Search"

2 December 2008

According to news reports, part of the EU’s cybercrime strategy is "remote search" of suspects’ computers. I’m not 100% certain what that means, but likely guesses are alarming.

The most obvious interpretation is also the most alarming: that some police officer will have the right and the ability to peruse people’s computers from his or her desktop. How, precisely, is this to be done? Will Microsoft and Apple — and Ubuntu and Red Hat and all the BSDs and everyone else who ships systems — have to build back doors into all operating systems? The risks of something like that are mind-boggling; they’re far greater than the dangers of the cryptographic key escrow schemes proposed — and mostly discarded — a decade ago. Even assuming that the access mechanisms can be adequately secure (itself an assumption), who will control the private keys needed? Police departments? In what countries? Will all European computers be accessible to, say, Chinese and Russian police forces? Or perhaps Chinese and Russian computers will need to be accessible to Europol. Cybercrime is, of course international, and no one region has a monopoly on either virtue or vice.

Instead of back doors, perhaps law enforcement will exploit the many security holes that are already in many systems. Will running a secure system then be seen as obstruction of justice? (Will all security researchers and practitioners suddenly be seen as accomplices to crime?) What about firewalls and home NAT boxes? Will you need a police permit to run one? Or will these need to be hacked as well? German police have tried this, but were blocked by a court order. There have also been reports of similar FBI efforts.

Possibly, a hybrid strategy will be used: physical entry will be necessary to plant some device or software (as in the Scarfo case). This is less risky in an electronic sense, but of course carries risks to the agents involved. Note that any of the three strategies discussed here is likely to be detectable by the target.

For purely electronic variants, the question of jurisdiction is also important. How can an EU police officer know that a target computer is located within the EU? Suppose that it’s located in the U.S. — would warrants be needed from both jurisdictions? Suppose the officer was wrong about the location and only obtained an EU warrant — would the evidence be admissible in court? (For reasons too complex to go into here, Dell and YouTube frequently think my web connections are coming from Japan.) What if the suspect was taking deliberate evasive measures?

This is a complex topic with many ramifications. A lot more public discussion is necessary before anything like this is put into effect.

https://www.cs.columbia.edu/~smb/blog/2008-12/2008-12-02.html