Archive for May 2017
A call for greater limits on governmental surveillance of the population
It feels like I cannot turn around without reading more news concerning surveillance of citizens by their own (or other) governments in various forms. This is especially so where computers are concerned, e.g. requests that the use of the infamous German “Bundestrojaner”* be expanded.
*A tool ordered and used by the German government to infiltrate computers in the same way that some illegal malware does.
This is extremely unfortunate for a number of reasons, including (but likely not limited to):
- The contents of a computer can be extremely intimate and personal in many ways, some obvious, some not. If someone has access to the contents of a computer, this can* give insights into the owner in a manner that is usually not achievable e.g. through getting an ordinary search warrant and going through a house, top to bottom. Even a diary is typically less revealing, because a diary will be incomplete through factors such as limited self-knowledge, self-censorship (due to the fear that others do read the contents), and lack of time or space. A computer can contain personal notes, private correspondence, fan-fiction never intended for publication, … among the more obvious items; surfing habits, movie preferences, porn interests, sleeping patterns, … among the less obvious. This is with only passively reading the contents on or communications with the computer—install a surveillance tool and there is no limit to what can be found. A computer can simply give so much private information about someone that an intrusion can only very rarely, if at all, be ethically justified—we are on a completely different level from e.g. a (physical) search warrant, more comparable** to actually being in the head of the computer’s owner.
*There is a great variation from person to person, but by now a majority would likely already be included in this “can”—and the proportion is rapidly increasing.
**In some cases, myself included, there might actually be more to be deduced from the computer’s hard-drive than from the owner’s memory.
If in doubt, Richelieu allegedly said, “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”—imagine what even a far lesser conspirator could do with an entire computer… Indeed, there are a number of things on my computer that could give a very wrong impression, including e.g. materials that I have downloaded according to the maxim “know your enemy”—but which a naive or hostile spy could misconstrue as support for the corresponding ideology or whatnot.
- Digital evidence is so easy to falsify that its actual value is far smaller than for physical evidence. Yes, physical evidence can be planted. Yes, photos and film clips can be manipulated or even, by now, generated through CGI. No, they are not comparable to e.g. claims about what was found on a computer. As soon as another party has the ability to write to the disk, all bets are off. If a knowledgeable entity like the NSA decided to frame someone, it would be a walk in the park, if they had digital access*—and so long as digital evidence is allowed in a court system that has yet to catch on to the uselessness of such evidence.
*Note that this need not be a case of physical access. Tools like the aforementioned “Bundestrojaner” could equally well be used to plant evidence remotely.
- Many of the measures used by governments risk the security of computers from other parties*. Consider e.g. the ever popular idea of limiting the key length of encryption methods or forcing software makers to install backdoors in the software for use strictly by the government and strictly after a court order: The shorter key length still makes it far easier for other hostiles to attack the computer; at least some of the backdoors will be discovered or published sooner or later (probably sooner…), and even those that go unpublished can still introduce weaknesses. Or consider recent claims of the U.S. government keeping back information about discovered security holes (so that they can use them), which prevents the software makers from fixing the problems, which opens the door for independent discovery and abuse by e.g. computer criminals…
*An interesting physical example of the same principle is the “TSA lock” often seen on luggage today: It is there so that the TSA (and only the TSA) can unlock a piece of luggage without damaging it—ostensibly, all in the interest of the travelers. In reality, most (all?) key patterns have been leaked to the Internet, are available as input files for 3D printers, and any Tom, Dick, or Harry with a 3D printer can get a set of physical keys and unlock any “TSA lock”…
- Other problems can occur that are out of proportion in comparison to what used to be the case. For instance, if someone was suspected of preparing a bank robbery or a terrorist attack, hoarding child pornography, trying to subvert the government, …, in the past, there might be a thorough house search and possibly some temporary confiscations, but by-and-large the house was still usable, most of the contents would still be present, and (barring an actual find) life would go on as before, except for an emotional scar. Today, the computer(s) would simply be confiscated, likely including any backups, and the victim/suspect would be severely hindered, possibly to the point that he cannot complete important business communications on time, cannot access important personal data, …
- For a “democratic”* system to work, one of the main purposes of the constitution and laws has to be to protect the citizens from the government. The system must work even when the government is evil. If the current government happens to be good, the laws still have to protect the citizens, because there is a considerable risk that the government will be evil at some later time. To boot, the very concepts of “good” and “evil” can be very subjective, with the most evil regimes (by the standards of many others) often being convinced that they are the good guys, actually defending** the world against evil… To boot, even a more or less “good” government can contain bad apples, e.g. a DA looking for re-election and willing to fake evidence for a conviction with great PR value or a policeman who “knows” who the perp is and plants the evidence that “should” have been there. To boot, the machineries of bureaucracy, the incompetence of civil servants, and similar problems, tend to make even the most well-intended system fall well short of “good”.
*I am always at a loss to translate concepts like “Rechtsstaat”, but (strictly speaking incorrectly) variations of “democratic” are often used, as are “civic rights”. U.S. citizens often refer to the opposite with variations of “unconstitutional”.
**One of the reasons that I tend to judge people, parties, countries, …, based on their actions rather than their opinions: Fascist is as fascist does.
The current trends make a mockery of the principles behind a sound constitution. How can the citizens defend themselves when the government uses any and all means to circumvent security—including absurdities like requiring suspects to hand out passwords to investigators?
Correspondingly, I call for a complete reversal of course, where “digital trespassing” is considered a very severe crime, government surveillance of its citizens is reduced to the absolute minimum, tools like the “Bundestrojaner” are categorically and unequivocally forbidden, the citizen’s right to protection (including a very wide interpretation of “taking the fifth” and its equivalents) against the government is given priority, etc.
Two concluding remarks:
Firstly, while there may be cases so extreme that they do require or can justify at least some of the above methods (say, that someone is suspected of planning a bombing of a soccer stadium), these cases do not, can not, and must not justify the extension of these methods to more trivial suspicions. The “slippery slope” is a particular danger, where data is gathered or methods used today for the specific purpose of investigating terrorism, but where the police, certain politicians, …, will clamor for their use for less severe crimes tomorrow—and where the movie and music industry will demand their use for civil cases two days from now.
(And even with extreme cases caution must be used, because one of the things a good justice system should protect against is accusations raised out of malice. If standards become too different when the crime changes, the malicious party only has to alter the crime of the accusation in order to circumvent the protections. I have myself been torn out of sleep and forced to open the door to police in the middle of the night, because a mentally demented piece-of-shit landlord had claimed that I would keep a woman captive in my apartment. Because the alleged crime was so urgent, the police insisted that they did not even need a search warrant…)
Secondly, there is always a risk that data is spread to the wrong group of people or at the wrong time, as soon as even a non-hostile entity gets its hands on it. (E.g. because someone hacks a police server with confiscated data, because an individual member of the police, deliberately or accidentally, takes data home, because some juicy piece of information is leaked to the press in exchange for money, …) For instance, what if an in-the-closet gay movie star or politician is the suspect of a crime, acquitted, but the fact that he is gay is discovered and eventually made public without his consent? At a minimum, this is a severe violation of his privacy. In a less gay-friendly era or a less gay-friendly country than e.g. modern Germany, he could have a very severe problem, starting with a termination of his career.