Police trojans must be fought

This is a translation of Tomas Djurling’s recent article in Computer Sweden:

The wish of the police to use trojans to solve certain crimes will cause more harm than good, and the method has no place in a state of justice. This is claimed by security expert Tomas Djurling.

Police want to plant trojans in suspects’ computers in order to curb crime. I can well imagine that they have the desire. But have they thought through the full implications of this approach? To have this opportunity could perhaps solve some crimes, but there are so many downsides to this coin.

The German police have had the opportunity for a long time. The name of the trojan there is “Bundes Trojans or State Trojans”. The German hacker group Chaos Computer Club, CCC, discovered the trojan in October 2011. According CCC there were major security flaws in the trojan. Among other things, it lacked authentication, which meant that computers that had the trojan installed became very vulnerable on the internet. The trojan’s communication was not encrypted, which meant that information sent over the internet could be easily intercepted.

You may well find that it does not do any harm if the “crooks” have flaws in their computers, but there are several very large downsides of this for police and prosecutors. How is evidence evaluated in subsequent criminal investigations and court proceedings, if it appears that the police have opened up a suspected computer on the internet, available for anyone to use based on their purposes?

Then also anyone can “plant” information in the computers that have police trojan installed. The use of trojans for the police would probably make it much more difficult for police and prosecutors to solve crimes in a legally secure manner, which is expected of a state of justice.

The statistics of solved crimes would likely be worse. What lawyer would not miss the opportunity to challenge the evidence presented in these trials?

Other challenges are:

All those who turned out to be innocent, and were hacked with information losses, missed business or bankrupcy as a result by the trojan installed by the police. How are they protected?

What happens to the installed trojans that do not lead to investigation and trial? Should they be uninstalled hidden? What if the uninstallation fails, will it then be left or will the police do home visits, in order to uninstall the trojan on site with the previously suspected criminal?

Relatives of suspects or criminals may get hurt or violated in many situations.

The information collected by the police must be stored and handled in a secure manner throughout the investigation process. When a large and very important part of the process is done by computers connected to the internet, this process cannot be guaranteed to be secure.

How should the government protect these people’s privacy or replace the individual people or companies that get into trouble? No trojan or other software can be guaranteed to be secure over time.

This type of method is better suited in dictatorships than in western democracies. Apart from the purely legal, technical and investigative aspects, this will jeopardize the confidence in the administration of justice and ultimately in the entire state power. A trust that needs to be strengthened, not undermined.

If police and prosecutors would be able to use this method, they risk the rule of law for all in society. Hardly anyone would want that.