Hacking Techniques for Law Enforcement - A good idea or asking for trouble?
Mikko @ F-Secure made a post on their blog about whether or not law enforcement organizations should be permitted to utilize security tools and hacking techniques in investigations that got me thinking. To me the answer to this question is very clear — NO WAY JOSE! — not unless proper oversight can be implemented and safeguards to protect our privacy are devised. EFF, help us on this one!
Given that police have been abusing laws made to combat terrorism to violate the rights of US citizens that are not members of terrorist organizations, I think that opening the gates to allowing the use of hacking techniques and malware invites a whole host of other problems.
The first problem that I have with this is the cost of training. Will training police in computer security be cost-effective? I would be leaning more towards saying no. Learning security techniques is not something that they can create two-week training courses on. Also, will the cost of providing advanced security training to police provide enough benefit to us to justify the spending?
The second problem that I have with this is the risk associated with police using these tools and techniques without proper understanding of the tools and their effects. Will Joe Blow Officer here in Phoenix know what he’s doing or will he be damaging my server I have at home while he tries to install his spyware?
Another problem that I have with this is how prosecutors will be able to prove that the data collected by investigators hasn’t been tampered with or fabricated. Without proper controls and oversight for these types of operations, officers with an axe to grind will be able to go penetrate computers and plant fabricated evidence. Will companies be forced through legislation to preinstall the software onto computers prior to shipping them to consumers? And if so, will it be a felony to remove it?
Lastly, if we properly secure our systems against what I feel is a gross violation of my rights to privacy, will there be legal ramifications? Will I get sent to jail because I have a proper firewall and IDS? Will they ‘disarm’ us of security tools like Britain did to their citizens when taking firearms? Will security tools be outlawed without a license to own them? We need to think about things like this and tell our local government officials what we think before it’s too late.

Great point man, I’d assert that at least in the beginning, training law enforcement would be a much less viable solution than outsourcing that talent, for the exact reasons you mention: cost effectiveness, and whether advanced tactics will be executable by the authorities charged with the task without destroying data or otherwise damaging a functional system, let alone whether it would yield useful results at all.
On the other hand, I think it’s clear we’ve (the collective we) identified that cyber-communication enables cyber-terrorism, and I do believe that we need an organized method of dealing with it. I think that the development of technology to this point has raised many white-grey-black hat perspective questions, and now that the technology is getting popular enough to entice cyber terrorism, governments will have to ask themselves the same questions the OG (original gangsta) hackers asked themselves when they realized they had a leg-up on the typical dumb user’s sensitive data.
I believe that in order to answer this “should law enforcement be able to use security tools” question, we need to better understand how the current laws work with technology (we know big brother isn’t going to strike a few ancient perhaps even deprecated lines in a law just because technology has changed the world …. but they should lol). This brings me full circle, back to what Germany decided to do about this: nothing, because they don’t know enough to ratify a legal framework for it.
However, in the interest of minimizing “cyberterrorism” (air quotes lol) I think law enforcement agencies should be able to use security tools that do not access computers in a way that breaches privacy. Doing a quick Nmap scan is as harmless as driving by someone’s house to see if they left their windows open. Should law enforcement be prohibited from using even that? Perhaps with a warrant, and due diligence to communicate the necessity of the warrant like was mentioned in the original post, penetration tools could be utilized.
I think it would be much easier for us here in the US to throw out laws that prohibit us from properly securing our systems such that law enforcement can’t penetrate and plant\steal\destroy data. I’m worried other countries may not see this as a problem :(
hmm … there is a lot to think about…
-Mars