Webster's pieces from The Oldie
Webster's Webwatch

To catch a thief

October 2014

Set a thief to catch a thief, it is said, because he’ll know the tricks.  It works; that’s why other professional magicians were unimpressed by Uri Geller’s spoon bending efforts, and why computer security companies employ people who have dabbled in the black art of “hacking”, as breaking into computers from afar is known.

It’s very hard for the police to stay on top of cybercrime, but the latest efforts of the FBI in America worry me, because they use exactly the same methods the criminals use.  This raises new ethical issues we have just not had to think about before.

The FBI has been using a technique that cyber-criminals call “drive-by hacking”.  This involves surreptitiously infiltrating a popular website, and inserting “malware” into the computers of everyone who visits the website.

This goes on until the website managers spot it (usually pretty quickly) and put a stop to it, but on a site that is receiving millions of hits a day (like the BBC), much damage can be done in the meantime.  Malware is a very small programme that can look around your computer, report back what it finds and cause no end of trouble.  It can even be designed to vanish once it has reported to its masters, so you would never even know it’s been there. 

The FBI has been using exactly the same technique to discover who visits the nastiest websites, like child pornography and worse.  By using malware, the FBI has been identifying the people who use the sites (wherever they are in the world), and has started prosecuting them. 

In a sense, this is not new; the forces of law and order have been using computer hacking for years to look into an identified malefactor’s computers; this is akin to tapping a telephone line, and is subject to the same sort of controls.  The worrying aspect of this new, bulk hacking method is that it is indiscriminate, and more like rounding up a huge random crowd than picking off an individual suspect. 

It gets worse:  the American Justice Department is applying to get the rules about search warrants changed so that they include the rights to conduct remote, clandestine searches of computers that visit a website and to copy the information found on them; neither website nor computer need be in the USA.  Maybe I’m over-sensitive, but this seems to be perilously close to some of the least attractive aspects of Cold War-style secret police work.

Do the ends justify the means?  It’s not that I want to protect child molesters or terrorists (although even they have rights), but it’s a fact that if you give a government an inch, sure as eggs is eggs, it will take a mile.  If they claim it will only be used for “security” purposes, don’t believe it.  It will be all too easy to start collecting lists of people who visit sites that disagree with the government of the day, for example.

Searching specific computers linked to a criminal suspect is one thing, but putting some government software into every computer that visits a particular site, irrespective of the country it comes from, and which then reports back on that person’s location and online activity, is quite another.

The ethics of this have not been thought through and tested, and until they are, the authorities will drive their coaches and horses through the loophole.

How can we defend ourselves?  Good housekeeping is the best method.  Make sure that you use up-to-date browsers; use anti-malware programmes regularly (I list some free ones here).

Most importantly, develop the habit, boring as it may be, of changing your passwords regularly, especially to your bank and other money related websites.