Australia's Spies Want To Put Members Of The Public At Risk By Using Them To Pass On Malware to Suspected Terrorists

from the not-thinking-it-through dept

Last year we wrote about the German police using malware to spy on members of the public. Now ASIO, Australia's national secret service, has come up with a new variant on the idea:

A spokesman for the Attorney-General's Department said it was proposing that ASIO be authorised to ''use a third party computer for the specific purpose of gaining access to a target computer''.
The problem seems to be that even suspected terrorists are getting the hang of this security stuff:
The department said technological advances had made it ''increasingly difficult'' for ASIO to execute search warrants directly on target computers, ''particularly where a person of interest is security conscious.''
So the idea seems to be to infect the computer of someone that the alleged terrorists know, and then use that trusted link to pass on malware:
Australians' personal computers might be used to send a malicious email with a virus attached, or to load ''malware'' onto a website frequently visited by the target.
That probably seemed like a really clever ruse to the people who thought it up, but it overlooks some basic flaws.

First, that once ASIO has taken control of an intermediary's computer it can do anything -- including poking around to see what's there. After all, if intermediaries are known to suspected terrorists, it's possible that they too might be terrorists.

The authorities are insisting that the warrant to break into somebody's computer would not authorize ASIO to obtain "intelligence material" from it. But you don't have to be clairvoyant to predict that at some point in the future, "exceptional" circumstances will be invoked to justify doing precisely that: once security services start down a slippery stop, they never seem to be able to stop.

Secondly, as the German experience shows, if a computer has been compromised by malware in this way, it's not just the government agencies that can take control: anyone who has obtained the malware and analyzed it will be able to look for ways to send their own instructions. That could leave innocent members of the public vulnerable to privacy breaches and economic losses that would be directly attributable to the spy agency's digital break-in.

Finally, this approach seems to overlook the fact that presumed terrorists are unlikely to be best pleased with any person that unwittingly sends them government malware. If they notice and really are ruthless terrorists, they might decide to take revenge on that person and his or her immediate circle of family and friends. Either the Australian spy agency hasn't really thought this through, or it is being extremely cavalier with the lives of the members of the public it is supposed to protect.

Follow me @glynmoody on Twitter or identi.ca, and on Google+



Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    doug, Jan 17th, 2013 @ 9:07pm

    spys is spys

    For many thousands of years, combatants wore "uniform-s"
    Combatants out of "uniform" (spys) were automatically hung, for their actions endangered non-combatants (you and i).
    As these simple rules are subsumed in never ending Hollywood propaganda making subterfuge fun, "war" is changed;
    In the US Civil war, 750,000 combatants died and perhaps a thousand civilians (mostly in Kansas).
    WWI nine combatants for every civilian death.
    WWII one combatant for every ten civilian deaths (perhaps a million mostly women and children died on a Saturday morning 10 March 1945).
    1965-1973 in SE Asia, we lost 59 thousand men, they lost 3-6 million with "strategic bombing".
    My father had to remove his buttons and all Navy insignia in WWII when flying into or out of the Azores, Peru & Galapagos Is or Ireland.
    Rules is rules.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    John, Jan 17th, 2013 @ 9:12pm

    As an Aussie who does development and IT support for clients, including the removal of malware from PCs. Does this mean I could be charged with some kind of interference with an investigation crime if I remove this spyware from a clients computer?

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Jan 17th, 2013 @ 9:40pm

    What happens if a antivirus company gets their hands on it? Will they be allowed to fix it?

    If not you can be sure real hackers will use that to their benefit.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    G Thompson (profile), Jan 17th, 2013 @ 9:48pm

    Re:

    Good question John (just saw your site too.. looks good and we most likely have prob met or passed each other at a Comp show years ago - If you dealt with the Australian Business Index in late 90s then we have)

    Seeing as this is only a proposal by a spokesperson who is probably only gauging the public and business response (it was given to News Ltd remember) then until at such time it becomes more I wouldn't worry about it. Though my answer to the question is most likely no unless you had foreknowledge of the installation.

    This situation will always be a problem for ASIO and the AFP (who are more likely to want this then ASIO). But it has major chilling effects on what constitutes a third party machine, who has vicarious liability, what checks are in place for abuse from all sides, and would there be 3rd, 4th party or more liability for someone innocently destroying the code.

    Have a great weekend from here in stinking hot Sydney (42 where I am at moment) and I gotta drive home soon in Sydney traffic.. to where its currently 45. blah!

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Old Man in The Sea, Jan 17th, 2013 @ 10:39pm

    Re: spys is spys - WWII

    Some figures I found when looking at the number of civilians who died in Europe alone indicate that the ratio of combatant to civilian deaths may have been as low as 1 combatant death for every 110 civilians killed. This was some years ago now.

    How accurate that is I don't know it could have been much worse than this.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Old Man in The Sea, Jan 17th, 2013 @ 11:00pm

    This is ASIO we are talking about

    Just remember this is ASIO we are talking about. You know the organisation that is so competently run that they are the masters of the comedic scenario.

    I had a colleague who in his youth went for a job with them and the report of the interview included that dark glasses and trench coats were the order of the day. We didn't initially believe him till he swore an oath that it was so.

    Should we be worried, probably and more for what other groups will do with the facilities than what ASIO will be able to do.

    John,

    If it is not officially marked by ASIO, how can you not remove it? Though I suppose, if this comes to pass, you could always ring ASIO to verify first and if they so that they are not monitoring the machine then you could just go ahead and remove it (get the confirmation as email, voice recording or letter first). I am sure that ASIO will set up a helpline for these matters as a service to the IT industry.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Anonymous Coward, Jan 17th, 2013 @ 11:09pm

    Well at least now they've showed me who the true terrorists are.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    Ninja (profile), Jan 18th, 2013 @ 1:35am

    or to load ''malware'' onto a website frequently visited by the target.

    Ah the wisdom. So if the terrorist uses Facebook then it's ok if 1 billion more are infected with the malware too right? Why don't they throw nukes all over the world? This would surely eliminate all terrorists.

     

    reply to this | link to this | view in thread ]

  9.  
    icon
    maclypse (profile), Jan 18th, 2013 @ 1:54am

    So basically, governments are no longer satisfied with backdoors into the cellphone networks and backdoors through encryptions, but now they actually want the legal right to hack citizens' computers without even an accusation of a crime? Sure. That won't end up abused.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Matthew Cline (profile), Jan 18th, 2013 @ 2:13am

    Finally, this approach seems to overlook the fact that presumed terrorists are unlikely to be best pleased with any person that unwittingly sends them government malware.
    To play devil's advocate, you could consider that to be wartime collateral damage.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 2:18am

    It's okay, it'll only be used to spy on terrorists. Or people suspected with collaborating with terrorists.

    Unless of course there's some sort of secret interpretation that allows them to use it on everybody, but we all know how unlikely that is to happen.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 2:58am

    If they compromise computers, they can do what they like in the way of planting evidence. This gives them a send someone to jail capability.

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    Jessica, Jan 18th, 2013 @ 3:35am

    Let Them Do Their Job

    They have to consider this from all sides before even submitting a proposal, which is regarded with severe scrutiny before being allowed to pass. It's not a slippery slope to abusing intellectual property. That's paranoia and your article fearmongers to put a stop to something that could very well protect the public. Until the day happens when it fails, it deserves to be let alone to see how it works. Any moron who watches too much television can say 'the secret service will abuse the public', but let's face it, they are not exactly doing that now and have probably got the power to should they desire to do so. They don't need to pass this measure in order to plant evidence or anything like that. Quit being so stupid. That is not their job. Let them do their job to protect their country and butt out. Your article is presented as one-sided, ill informed and slanted toward exploiting the fears of others toward paranoia to sell your schlep. I am so glad no one pays for the retarded newsletter. It is the articles like this that have made me turn away from Techdirt in disgust. Most days, I just hit Delete when it surfaces in my inbox. This time I just had to say something. I'd swear Techdirt's so-called "journalists" such as Glyn Moody are just couch critic consiracy theorists who view government agencies as The Man, forever getting in the way of Freedom. *sigh*

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 3:43am

    We have nothing to fear from StuxNet LOL

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 3:59am

    Re:

    Thats absurd, all governments by definition, are gods creation, run by angels.........dont you know...........never happen

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 4:35am

    Re: Let Them Do Their Job

    Two things:
    Goverment agencies around the world have proven again and again that they will abuse any extra power they can get.

    Second: if you dont like the reporting, why are you here?

    For obedient government believers like you there are other desinformation channels, like fox news

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 4:54am

    Re: Let Them Do Their Job

    The Stasi were just doing their job also.

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 5:12am

    It is pretty much a given that they have been doing this for some time already. They simply want it to now be above board and on the books because keeping secrets is very expensive and most tidbits gathered are not admissible in court. I'm guessing these things are not admissible for at least two reasons, 1) you would blow your cover, 2) you would be confessing to an illegal act.

    I imagine that adding this sort of thing to the law books would require some sort of ambiguity or possibly a section of the law that is kept secret, because they would not want to divulge any details of their methods. Hence, secret laws and tribunals - what a wonderful world in which to live. Just remember boys and girls, ignorance of the law is no excuse and you have nothing to fear if you have done nothing wrong. Don't worry, be happy.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 5:40am

    i am surprised. makes a change for the public to have a use, (other than just being the scapegoats of the entertainment industries, available for suing and jailing,) rather than them upping their business models!

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 6:12am

    Re: Let Them Do Their Job

    Troll, or are fucking serious?

     

    reply to this | link to this | view in thread ]

  21.  
    icon
    art guerrilla (profile), Jan 18th, 2013 @ 6:35am

    Re: Re: spys is spys - WWII

    in *general*, before about WWI & II, military to civilian deaths averaged about 1 civilian for every 10 military; since that time, the stats have basically flipped where it is 10 civilians for 1 military...
    why?
    because we are the MOST CIVILIZEDEST nekkid apes EVAHHHHHH!

    ...just ask anyone in power, they'll tell you so !

    art guerrilla
    aka ann archy
    eof

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, Jan 18th, 2013 @ 8:37am

    Re: Let Them Do Their Job

    A prime example of double plus goodthink if ever I saw one.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    matt C, Jan 18th, 2013 @ 1:04pm

    Somebody once said: "special intelligence is a contradiction in term"

     

    reply to this | link to this | view in thread ]

  24.  
    icon
    Kevin (profile), Jan 19th, 2013 @ 11:06am

    Hitler would have said

    Vertrauen Sie uns. Wir tun dies, um zu schützen Sie die Menschen.
    Yea, sure.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This