07 January 2009

Remote Searching

There's been a fuss over the last couple of days about police powers to hack into suspects' computers.  Apparently under RIPA they do not need any kind of warrant, just approval from a chief constable.

As some bloggers have pointed out, the power doesn't imply the ability.  If your system is secure against hackers, it's secure against the police.  Provided you don't do anything reckless, like run an open wireless network, or run Windows, you should be safe.

Having said that, it is worth noting that the police have resources that private hackers do not.  In particular, they may get cooperation from ISP staff, or other service providers.  Even if that theoretically requires further authorization, if they are given, for example, a password, informally and without authorization, they would then be legally allowed to use that password to access your system.  In practice, they are unlikely to have to account for how they managed to get the password.  When I worked in telecoms, the authorities were given traffic data (billing itemizations) on informal request on a regular basis.

I'm not actually sure what the law is.  I've been looking at the text of the 2000 Regulation of Investigatory Powers Act, but it's hard to puzzle out.  So I'm relying on press reports.

If you want to keep the police out of your PC, follow normal IT security (use WPA2 or IPsec on wireless, don't use Windows, don't run code of unknown origin), and also assume that any passwords you use on external systems are known to attackers, so use different passwords for logging into your box, for remote access, and for wireless.  Don't expose these passwords over unencrypted email.  Set good passwords on routers.

There's another reason for making a fuss about this.  Even if your system is safe, most people's won't be.  That means that over time, it will become accepted that police have access to everyone's computers.  Eventually, the "loophole" that some people actually have secure systems will be "exposed" as compromising the ability of the police to protect us (or to protect THE CHILDREN), and secure systems will be simply banned.  This is despite the fact that there is already law allowing the police to demand encryption keys etc. with a warrant.

That sounds far-fetched, but is there any reason why one would assume that a mobile phone was something too dangerous to allow an anonymous person to own?  No - only that, for business reasons, it happened to be impossible to anonymously own one until the technology for pay-as-you-go was released, and everyone got used to the idea that phones could be traced.  When people are used to the idea that computers can be searched by the police on a whim, they will not mind making it illegal to prevent it.

And just because you have nothing illegal, doesn't mean it doesn't matter.  Once someone hacks into your computer, they are likely to damage things by accident.  That's always been recognised by the law, which (rightly) considers it a crime even if no damage is done, because of the cost of going over the system and making sure everything is OK.  If police plant a backdoor on your system for their own use, it may be found and exploited by criminals. (This was one of the major issues with the Sony CD rootkits a year or two back.)  Civil damages are also assessed on the same basis.  As well as that, information which is gathered may be misused.   A police officer was convicted of using private information for blackmail purposes just recently.

I may come back to this issue tomorrow if I can figure out what RIPA actually says.
