Wiebke Abel (Edinburgh) and Matthias Damm (an attorney in Karlsruhe, and LLM graduate of Strathclyde) both addressed the topic of trojans and spy software and their use by law enforcement agencies in particular.

Wiebke started things off with an overview of how ‘the world has changed’ and what this means for crime. Are traditional investigation methods and laws sufficient to deal with new challenges? Can a ‘new generation of investigators’ (and investigative tools) help? She picked a particular example, the ‘German Federal Trojan’ (aka Bundestrojaner!). Trojans are familiar (as used by hackers, spammers and others) – but are they only for criminal use? The plan here is for covert search and surveillance of private computers by police or secret services. This can be implemented through spyware, through existing ‘backdoors’ and even download-contamination. There was – naturally – outrage in Germany about this – but was this a once-off? No: the US ‘magic lantern’ and Austrian ‘online search’ are other examples. These technologies are special because of the way they combine factors such as mobility, ubiquity, invisibiity and digital evidence collection; but they are unpredictable and can even raise international issues (trojans operating outside national borders), and the use of gathered data is wholly unclear at this stage (would it stand up in court? should it?). And how do you prevent antivirus software from identifying the supposedly hidden trojan? Wiebke mentioned R v Aaron Caffrey (existence of trojan used as defence in a criminal trial about material on C’s machine). A possible solution is seeing source code as the ‘DNA of software’; hardwire the law into software. But the overwhelming need is an approach where regulation through law and regulation through code are working together

Matthias then started his presentation, ‘I know what you saved last summer’. He also took guidance from history, mentioning fingerprints, DNA and CCTV as examples of new investigative ‘technologies’. Today’s investigators look more like computer operators than Sherlock Holmes. CIPAV (Computer and IP Address Verification) is in use in the US, although it’s not supposed to be dealing with content. The FBI haven’t been very helpful in explaining how it works. As for the Bundestrojaner, the Federal Constitutional Court dealt with this (on 27th February 2008) and gave the go-ahead to such software in its ruling, subject to strict conditions (such as a court order and the respect for private data). This was the same case where the Court formulated a new constitutional right, the guarantee of the confidentiality and integrity of IT systems. More than 60% of the German population apparently support the system, although are they aware of the Orwellian nature of such software?

After a discussion on the trojan issues, Angus Marshall (Teeside) then reported on the EPSRC-funded ‘Cyberprofiling’ project. The project looked at offender and geographic profiling, in particular in the context of intelligence and intelligence-sharing. How can existing information (server logs etc) be used in a useful way? Overcoming various problems, they developed a ‘data collection appliance’. But one of the most interesting legal issues that arose was whether an IP address is a ‘personal identifier’ (relevant for sensitive data / data protection / sharing / etc). Information Commissioner has given various answers; European practice varies. But the research group didn’t feel that IP addresses were personal, though they did accept the advice and used anonymisation. This itself required some new work. So how does this type of ‘dataveillance’ compare with other things like (on one hand) CCTV, DNA and wiretapping and (also, or on the other hand) credit cards, mobile phone tracking, loyalty cards etc. The first category is ‘biometric keyed’ and the second is ‘token mapped’. Angus gave an overview of the regulation and effectiveness of each. He concluded that a telephone number is not a personal identifier; neither, they argued, is an IP address (but combined with other factors ‘may be personal data’). Again, the discussion was extremely vibrant, and now it’s off to lunch.