Nigel Morris, of the UK’s "Independent" newspaper, reported recently on new powers given to police in the UK and proposals to extend similar powers across the European Union.
Understandably, civil rights groups like Liberty have apparently expressed the belief that such expansion of "police hacking operations" should be regulated by Act of Parliament and that there should be a requirement for the police to apply to a court for a warrant.
An issue that could be of particular concern to anti-malware vendors is that the article refers not only to the use of keylogging hardware and eavesdropping over wireless networks, but also to the practice of "sending an email containing a virus to a suspect’s computer that then transmits information … to a distant surveillance team."
It’s not clear to me whether a "magic lantern"-like Trojan is really on the cards or whether that’s a political journalist’s extrapolation. The fact that the article refers to a virus rather than a Trojan raises a red flag. I seriously doubt whether replicative malware would be considered the best way to spread a tool like this: you might want to bug every PC in the world, but to do so via a virus might be seriously counterproductive, since every bugged PC would increase the likelihood of detection sooner or later. (Yes, I can see some possibilities for making a viral scheme more viable, but I’m not sure this is the place to discuss them…)
The fact that the article talks about distribution by email attachment also suggests a fairly vague hypothesis, rather than deep knowledge of how things really are in the current threatscape.
The idea of a "good" Trojan like the FBI’s does pose serious ethical issues, though I won’t go into those now. The question is whether a UK or other European government would attempt to force a vendor to "ignore" it. That risk may be overstated: apart from anything else, they’d have to share information about the precise nature of the Trojan with a great many companies worldwide, militating against the covert nature of this approach to surveillance. However, other governments have certainly explored this possibility: there’s actually a term – "policeware" – that covers certain software tools used by law enforcement.
David Harley BA CISSP FBCS CITP
Author David Harley, ESET