Sophos versus police spyware in “legal hacking” debate


In a rather disturbing development it is being reported in the British press that police have been given the power to hack into computers without a court warrant.

Naturally this news has resulted in massive consternation amongst those concerned with civil liberties, who contend that the move signifies a continuing shift towards a surveillance society in Britain. Already the country is believed to have the highest density of CCTV cameras in the world (one camera for every 14 people is the last figure I heard).

The Association of Chief Police Officers has said that in 2007-2008, British police carried out 194 remote hacking operations, including 133 in private homes, 37 in company offices and 24 in hotel rooms. It isn’t clear how many of these operations used spyware or keylogging hardware to examine information held on a suspect’s computer.

There is no doubt that high-tech criminals are able to use sophisticated technology such as encryption to help them commit their offences, and that this does bring enormous challenges to investigators which may make the use of spyware and keylogging devices attractive.

However, that doesn’t mean that there shouldn’t be strict guidelines and independent approval before this kind of police surveillance can take place. Law enforcement agencies should be required to seek approval from a court, which would have to be convinced that there were sufficient reasons to surreptitiously break into a computer belonging to a member of the public.

One thing I can promise you though: If Sophos encounters any malware written by the police, we won’t turn a blind eye. We will add detection for it.

And if you think about it, we don’t have any other sensible choice.

For anti-virus vendors to know which spyware Trojan horse to ignore, the British police would need to provide us with a sample of their code. For security reasons, it seems unlikely that this would happen. As a result, how will we (and other security vendors) know which code is written by the cops and which originates from traditional hackers? After all, it’s not likely to say

Copyright (c) New Scotland Yard

is it?

In order to properly protect customers, Sophos continues to protect against all the malicious code that we see.

Even if security vendors were made aware of the code, how would we know that our customer was the intended target of police surveillance? You see, by planting spyware on the PCs of those under suspicion, the police could essentially be placing a weapon directly into the hands of their enemies.

Spying and remote-hacking code could easily be adapted, and new variants created with far more sinister intentions in mind. Once the Trojan was released, there would be no way of knowing who would use it to spy on whom, and with what consequences. In an ironic twist of fate, the police could even find themselves the victims of their own code.

So we will continue to defend computer users against malware and spyware, regardless of who might have written or installed the code.

And if that puts us at loggerheads with our friends in the police, so be it.