Do you usually shy away from legal documents?
Well, here's one that's well worth reading.
It deals very interestingly with the zone in which busting cybercrooks and protecting privacy intersect.
The judge who wrote it also gives some refreshingly readable remarks about the way in which words like "cyberspace" and "cloud" have sidetracked us into behaving as though the internet had no real-world existence.
The case in point deals with an application by the US Federal Bureau of Investigation (FBI) for a warrant to conduct covert surveillance on one or more cybercriminals.
Loosely speaking, the cops wanted permission to sneak spyware onto a computer that they were pretty sure was being used to carry out bank fraud.
The computer wasn't just used for a $75 credit card fraud, but to "attempt a sizeable wire transfer from [the victim's] local bank to a foreign bank account."
I'm sure you can see this from both sides. (The court's and the cops' sides, not the cops and the crooks!)
Here's someone from who-knows-where, acting semi-anonymously on the internet, trying to steal money off one of your countrymen by sending it on an irreversible journey overseas.
The bank is in your jurisdiction, the money is in your jurisdiction, and so is the victim; it's reasonable to assume that this sort of crime is not a one-off, and that, if successful, the crooks are going to go after more money from more victims.
Your most realistic chance of finding out the who, where and how is to keep your eye on what happens on the computer that the crooks are using.
Whom are they emailing? What websites are they using? What chat forums are they part of? What are they typing in before it gets encrypted for transmission? Are there any other victims they're trying to defraud right now?
Heck, if you could commandeer that computer, and it turned out to have a webcam, you might even be able to grab a mugshot of the crooks in flagrante delicto.
Law enforcement in Georgia (the country in Europe, not the state in the USA) did something along those lines last year, for example.
But there are two obvious problems here:
- The computer isn't physically in your jurisdiction.
- The computer might not belong to the crooks.
As the judge in this matter points out, there are some other tricky issues, too:
- How do you locate the computer accurately in the first place?
- If you pin it down, how do you get the spyware onto it?
- If you infect it, how do you ensure you don't collect too much data?
- How do you make sure you don't infect others along the way?
There are even some legally punctilious matters buried in all of this, such as whether snapping still images from the video stream of a webcam counts as photo surveillance or as video surveillance, which in the US are subject to different statutory minutiae.
To cut to the chase, the judge denied the application, and refused permission for the spyware, noting that:
[Nowhere] does the Government explain how it will ensure that only those "committing the illegal activity will be...subject to the [spyware] technology." What if the Target Computer is located in a public library, an Internet cafe, or a workplace accessible to others? What if the computer is used by family or friends uninvolved in the illegal scheme? What if the counterfeit email address is used for legitimate reasons by others unconnected to the criminal conspiracy? What if the email address is accessed by more than one computer, or by a cell phone and other digital devices? There may well be sufficient answers to these questions, but the Government's application does not supply them.
"What if," indeed.
Interestingly, the judge forgot to add, "What if the computer is already infected with spyware or other malware, and has no connection at all with the crooks, or even with their friends and family, but rather to some utterly innocent and unknowing third party?"
Fans of privacy and on-line freedom will no doubt cheer this judgement.
It shows, in my opinion, a great deal of common sense and fairness: general-purpose spyware installed on an unknown computer may very well expose a wide range of intimate secrets about any number of people, including innocent parties.
Yet it's not all doom-and-gloom for law enforcement, who will no doubt be disappointed to have lost a chance that would, almost certainly, have gleaned useful information about cybercriminal activity.
The judge was careful to conclude by saying:
The court finds that the Government's warrant request is not supported by the application presented. This is not to say that such a potent investigative technique could never be authorized. And there may well be a good reason to update the territorial limits of [the rules to do with US court warrants].
In other words, as far as FBI spyware goes, watch this space!
By the way, whether you agree with the judge (privacy trumps search-and-seizure), or with the cops (cut us a bit more latitude to take on international cybercrime), there is a lesson in here for all of us .
If the court considers your legalistic well-being to be at risk from spyware deployed and used by accredited law enforcement professionals, just think how huge the risk is from spyware used by cybercriminals.
Keep your security patches, your anti-virus software and your network devices like routers and firewalls up-to-date!
Do you run a network at home, perhaps for friends and family, or even just for fun? How well protected are you?
Why not try our free Sophos UTM Home Edition?
You get a web application firewall, web and email filtering, IPS, VPN and more for up to 50 IP addresses.
Turn that spare PC into a full-on network security appliance!