Shortly after the terrorist attacks in Paris in November, Minister for Home Affairs Anders Ygeman promised an inquiry into covert data interception. The lawyer Franciskus van Geelkerken, who is about to present a unique doctoral thesis on police trojans, warns of function creep and of the risk that innocent people may end up being intercepted.
Minister for Home Affairs Anders Ygeman is not prepared to propose expanded signals intelligence or a ban on encryption. He does, however, consider it important that the police are able to plant trojans:
- The digital platforms are to a large extent encrypted. Säpo and the police often have the right to intercept them, but they lack the tools to do so, he says.
- This is not about new rights but about the ability to exercise the right. The police used covert coercive measures in Paris. I want us to be able, five years from now, to avert terrorist threats and not have to say that technology has outrun us, that we can only listen to pensioners talking over copper wire.
He does not consider the risk of privacy intrusion a reason to refrain:
- Of course that risk exists, but that is why we have rule-of-law safeguards. Säkerhetsskyddsnämnden can check afterwards whether things were done properly. But the police must sharpen up when it comes to record keeping.
Earlier proposals on data interception (see here and here) have been criticised by, among others, Advokatsamfundet (the Swedish Bar Association), which warns of function creep. So does Franciskus van Geelkerken, who will soon defend a unique doctoral thesis on precisely the police's use of trojans.
According to Geelkerken, the use of trojans should be reserved for the most serious crimes. For the use to be compatible with Article 8 of the European Convention on Human Rights, the police must in addition inform suspects that they have been intercepted. He adds that trojans are easy for criminals to circumvent.
How efficient is the use of trojans as a method for fighting terrorism, child pornography etc.?
- The effectiveness will not be as great as politicians think it will be. To safeguard the principles of the rättsstat the crimes for which trojans can be allowed must be quite limited and the secondary requirements such as the minimum term of imprisonment and the severity of the crime itself are going to result in the situation that it will only be possible to use trojan police horses in a very small number of cases each year. As such the overall effectiveness of the use of trojan police horses on the whole criminal investigation process is going to be marginal.
How severe should a suspected crime be in order to justify the use of trojan horses, in your opinion?
- It is difficult to say how severe a crime should be, but as a guideline I would say it would have to be a crime which:
  - Shocks the society
  - Is a serious crime in abstracto, for instance the recruiting of people to overthrow the government and setting up a Caliphate in Sweden or recruiting people to go and fight for ISIL in Syria, Iraq or the Levant. So basically the underlying principle violated by the crime is very serious, regardless of the crime itself. Or in other words, does society think that this violation is severe enough to warrant the limitation of one or more fundamental rights?
  - Is a serious crime in concreto, for instance the murdering of a large group of people. So the crime itself is considered very serious by society, regardless of the underlying principle.
- It is in general difficult to determine whether a crime is serious - in concreto or in abstracto - but the maximum term of imprisonment can form a basis. If the legislator has set a long to very long term of imprisonment for a crime it gives a fairly good indication whether it is a serious crime or not.
What does Swedish law say about police trojans?
- I haven’t looked at Swedish law, but seeing that FRA-lagen was enacted with little to no problem I would assume that allowing trojan police horses will not be a big problem from a privacy standpoint. I am not saying that is a good thing, I am just making an assessment as an outsider.
During a seminar recently you said most EU countries don’t inform individuals about investigations. Does this violate the ECHR art 8 or other rules regarding privacy?
- I would say that the fact that most EU countries do not inform individuals enough does violate the right to privacy. There are however reasons - in some cases even good ones - why this information is withheld. The main reason, and in my opinion the only acceptable reason, is that if an individual were to be informed that might endanger the investigation of the suspect. That does however not mean that the innocent third party should not be informed later on.
- Another often heard argument for withholding this information is that it might endanger future investigations. That is in my opinion not acceptable. In a society where the people elected politicians, and those politicians enact legislation, which might or will limit fundamental rights, the people have the right to know what the State is doing. That is the same reason why I am against the idea that anyone can ask Skatteverket about my personal information based on offentlighetsprincipen but I cannot get the information from Skatteverket who has obtained information about me...
What are the main arguments for and against the method?
- The main arguments for the use of trojan police horses are:
  - There is no alternative to achieve the same investigatory results, i.e. circumventing encryption, identifying, locating and investigating a suspect, infiltrating networks.
  - In as far as strong encryption is not deemed illegal, unless trojans are allowed criminals will be able to hide their activities with relative impunity.
  - If ‘bullet proof hosting’ is used it is in practice impossible to ascertain the identity or location of a suspect.
  - By being able to use trojans the use of network taps on innocent third parties can be prevented.
- The main arguments against the use of trojan horses are:
  - The use of trojans would in practice be an omnibus provision, removing the need of installing e.g. a network tap, a GPS beacon, microphones, or cameras.
  - Considering the severity of cases in which trojans could be allowed, trojans will not be the save-all and end-all solution politicians believe it to be.
  - Once trojans are allowed there is a risk of both function- and scope creep. Function creep refers to the practice that once a (criminal procedural) measure has been allowed, the purposes for which this measure may be used are over time expanded by the legislator beyond the purpose for which it was originally intended. A good example of a case where function creep took place is the use of DNA of suspects and the legislation regulating it. Scope creep refers to the situation in which the amount of cases in which a technology or system is used over time is gradually widened beyond the purpose for which it was originally intended because its use becomes more and more commonplace. A good example of scope creep is observation, more specifically “telephone taps”. When this power was first proposed in the early 20th century it was considered a very invasive criminal procedural measure, whereas nowadays “telephone taps” are placed on a large scale.
  - Allowing police to access automated works outside of their jurisdiction, without bi-lateral and/or multi-lateral agreements, would be akin to an open invitation to other countries to allow their police forces to access automated works in other countries.
  - If police are allowed to exercise powers outside of their jurisdiction, this will create a precedent for other states to do likewise. Those other states might however have less-democratic regimes and may not incorporate as many safeguards as signatory states of the ECHR if they incorporate safeguards at all.
  - If trojans are allowed this could severely limit the principle of legality in the sense that criminal procedural investigatory measures may only be used against a suspect. Seeing as police do not know the identity nor location of a suspect, the chance that an innocent third party will also be investigated cannot be disregarded.
  - The allowance of trojans will not make it possible to catch or apprehend a “real” cybercriminal. In particular because any computer-savvy criminal takes counter-measures to make certain that the use of trojans will yield no evidence.
The use of police trojans in Europe and the USA
In 2008 the EU adopted a plan for combating cybercrime which, among other things, urged member states to search computers remotely. Germany's Minister of the Interior had presented a plan for trojan horses the year before. One of Germany's federal states legalised the use of "remote forensic tools", but in 2008 a federal court ruled that the legislation was incompatible with Germany's constitution.
Similar programmes have been proposed around Europe, among others in the Netherlands, where the government has proposed that the police be allowed to gain access to individuals' computers in connection with criminal investigations. The proposal was recently taken up at a hearing in the Riksdag.
In the USA there is no explicit statutory support for the use of trojans, but no prohibition either. Citizens do, however, have the right to be free from "unreasonable searches and seizures" under the Fourth Amendment to the Constitution. It is known that the FBI has software that can provide access to encrypted data by installing a trojan that logs keystrokes. The use of trojans was approved by a court in a case where a six-year-old boy threatened a school. In another case the FBI wanted to intercept a suspected fraudster's chat logs, e-mail etc. and to take control of the suspect's webcam. The court denied the request, citing among other things that the FBI could not guarantee that innocent people would not end up being intercepted.
Alongside the debate on trojans, there is also discussion of the possibility for authorities to hack computers and carry out cyberattacks, not least since the FBI's operation last year in which the agency took over and ran a child pornography site with 215,000 members in order to get at paedophiles who used Tor to encrypt their communications. The operation is said to have led to 137 indictments. One of the suspects has, citing the Fourth Amendment, requested that the charges be dropped.
Read also:
Remote Computer Searches and the Use of Virtual Force (Susan W. Brenner 2011)
Text & image:
Fredrik Svärd