Cybercrime and "Remote Search"

Steven Bellovin

According to news reports, part of the EU's cybercrime strategy is "remote search" of suspects' computers. I'm not 100% certain what that means, but likely guesses are alarming.

The most obvious interpretation is also the most alarming: that some police officer will have the right and the ability to peruse people's computers from his or her desktop. How, precisely, is this to be done? Will Microsoft and Apple—and Ubuntu and Red Hat and all the BSDs and everyone else who ships systems—have to build back doors into all operating systems? The risks of something like that are mind-boggling; they're far greater than the dangers of the cryptographic key escrow schemes proposed—and mostly discarded—a decade ago. Even assuming that the access mechanisms can be adequately secure (itself an assumption), who will control the private keys needed? Police departments? In what countries? Will all European computers be accessible to, say, Chinese and Russian police forces? Or perhaps Chinese and Russian computers will need to be accessible to Europol. Cybercrime is, of course, international, and no one region has a monopoly on either virtue or vice.

Instead of back doors, perhaps law enforcement will exploit the many security holes that are already in many systems. Will running a secure system then be seen as obstruction of justice? (Will all security researchers and practitioners suddenly be seen as accomplices to crime?) What about firewalls and home NAT boxes? Will you need a police permit to run one? Or will these need to be hacked as well? German police have tried this, but were blocked by a court order. There have also been reports of similar FBI efforts.

Possibly, a hybrid strategy will be used: physical entry will be necessary to plant some device or software (as in the Scarfo case). This is less risky in an electronic sense, but of course carries risks to the agents involved. Note that any of the three strategies discussed here is likely to be detectable by the target.

For purely electronic variants, the question of jurisdiction is also important. How can an EU police officer know that a target computer is located within the EU? Suppose that it's located in the U.S.—would warrants be needed from both jurisdictions? Suppose the officer was wrong about the location and only obtained an EU warrant—would the evidence be admissible in court? (For reasons too complex to go into here, Dell and YouTube frequently think my web connections are coming from Japan.) What if the suspect was taking deliberate evasive measures?

This is a complex topic with many ramifications. A lot more public discussion is necessary before anything like this is put into effect.

Written by Steven Bellovin, Professor of Computer Science at Columbia University. Visit the blog maintained by Steven Bellovin here.
