In the most recent issue of SANS NewsBites (vol. 9, no. 70), there was a piece on how the German government wants permission to infect the computers of potential terrorists with spyware. The government wants to send targeted emails to suspects that would infect their computers with spyware, reporting specific data back to authorities. Opponents of the strategy say that spyware cannot be targeted specifically enough to avoid infecting unintended computers. In addition, some argue that it would be illegal for the German government to send email misrepresenting who the real sender is.
Interesting dilemma, no?
With a court order, can government tap a phone and inadvertently record the conversations between two non-suspects? Yes.
Can government tap the phones of thousands of people who might potentially be terrorists, without having a court order? Well ... in the U.S. the answer was 'Yes'.
I don't feel strongly about this, but I am leaning towards supporting the German government. If they can obtain a court order which allows them to use any means necessary to monitor the activities of specific individuals, I think the technology is there to target the spyware to specific users.
Is there potential that unintended victims will be monitored as well? Yes. With apologies to the ACLU, I think there are acceptable ways to respectfully handle the data of the unintended victims.
Is it ironic, perhaps even ludicrous, that the German government should use spyware as a weapon against potential terrorists when it is well known that German government computers have been the successful target of malware attacks? Is it eyebrow raising that there is pending legislation in Germany that would make it illegal to possess the hacking tools required for them to execute their strategy? Of course it is!
Think of it this way. If a police officer is shot at, he has the right to shoot back. Hopefully, his aim is as good or better than the criminal who shot at him. On the second front, there are countries where it is illegal for private citizens to own handguns, but the police carry them.
On the false identity front, can government officials disguise themselves or assume false identities in order to more closely monitor criminals, spies, and terrorists? Yes, indeed. Governments do it all the time. Misrepresenting the sender information of an email is trivial in comparison to having someone pretend to be someone else in order to become an intimate part of the daily operations of a criminal enterprise. And, that is a fully accepted law enforcement tactic.
Bottom line, is it wrong to employ the strategies of your enemy in order to defeat him? What if those strategies are completely counter to the principals you swear you represent and defend?
Tough call. Guess I know why I don't have an ACLU card. Good luck Germany.