The Council of Ministers of the European Union issued a press release on November 27th announcing the adoption of a strategy to reinforce the fight against cyber crime. Computer crime, or cyber crime, is a major problem of the networked world we live in. Spamming, phishing and identity theft are just a few of the potential crimes which can be committed using networked computers or other telecommunication devices.
From this angle it seems both reasonable and positive that the European organisations try to crack down on these kinds of crimes. But a deeper look into the announcement, and especially the proposed tools, raises doubts and concerns. The Council suggests “operational measures, such as cyber patrols, joint investigation teams and remote searches to become part of the fight against cybercrime in the next five years”. The strategy also includes plans to link the different investigation forces in the member states more closely together to improve their efficiency.
To show which concerns this advance by the Council raises, a closer look at the remote search measure is helpful. This measure is aimed at searching computers' hard drives over the internet. But a remote search is only useful if the person who is suspected of a crime is not informed about the action. If the suspect were informed, a simple seizure of the computer by police forces would also do the trick. It is unclear how the planned strategy would try to implement such a tool technically, but there is a clear threat to the privacy and rights of citizens. How can the investigators be sure that there are no false positives and that computers of innocent citizens are not searched? Will there be a need for a judge to approve these searches? Will persons whose computers were searched ever be informed about that attack? Could the tools used by the investigators be compromised and also used by criminals?
Besides the rightful doubts about the legality and the related normative questions, there is another important point. As with the measures already part of the Telecom Package, which is a series of amendments to existing European law and contains language which can be seen as an advance towards implementing deep packet inspection and a criminalisation of the peer-to-peer infrastructure in Europe, the practicality of a tool like remote search has to be questioned. The rising proliferation of personal routers protecting users from unsolicited connections makes it very hard to do a remote search from a technical standpoint. And even if a tool could pierce the protection provided by a router (which according to security experts is very difficult), it can be assumed that cyber criminals are using tools to protect themselves from being found. For example, free and open source encryption software like TrueCrypt, which incorporates modern encryption algorithms like AES-256, can be used to secure files easily. Breaking an AES-256 encryption with a reasonably long password might take a few thousand to millions of years even using high-end computers. Maybe ordinary internet users do not use encryption, but high-tech criminals surely will and maybe already do.
In summary, it can be asked whether these kinds of activities, which clearly pose a risk to freedom and privacy and whose efficiency is at least very questionable, are worth the target at hand. Cybercrime has to be fought, there is no doubt about that, but the suggested tools and methods do not seem to be actually useful to fight high-tech criminals.