Italy unveils a legal proposal to regulate government hacking
Internet traffic nowadays is mostly encrypted (HTTPS). As a result, for a few years now, law enforcement agencies (LEAs) have found it far harder to gather evidence by intercepting network connections than they used to.
In response, LEAs are increasingly hacking directly into suspects’ devices (computers, phones, TVs, cars) and installing trojans: small pieces of software that can do almost anything and collect almost everything, without restriction.
This is something new. Unsurprisingly, in many countries the laws regulating the legitimate use of trojans are just as new, notably US Rule 41 and the UK IP Bill, laws that authorize LEAs to hack into suspects’ devices with few constraints and with an unsophisticated approach.
In Italy, the Civic and Innovators parliamentary group - which includes, among others, Andrea Mazziotti, Chairman of the Constitutional Affairs Committee, Stefano Dambruoso, a well-known anti-terrorism prosecutor, and Stefano Quintarelli, an Italian internet pioneer and entrepreneur - has recently introduced a bill on the matter.
It took nearly two years of work to draft the proposal, with the involvement of many experts and stakeholders, among them a former speaker of the Parliament, civil rights activists, law enforcement officers, computer forensics researchers, prosecutors, law professors, IT security experts, anti-mafia and anti-terrorism departments, and politicians.
This complex law proposal tries to address most of the technical issues related to the use of trojans, while guaranteeing individual rights and protecting the public from possible abuse of government trojans.
The main concept behind the law is that a trojan shall not be allowed to do everything, but only what has been specifically authorized by a judge’s signed warrant:
* A Telephone Wiretapping Warrant is required to listen to a WhatsApp call.
* A Remote Search and Seizure Warrant is required to acquire files on remote devices.
* An Internet Wiretapping Warrant is required to record web browsing sessions.
* The same kind of warrant that would be required for planting a physical audio surveillance bug is required to listen to the surrounding environment with the device’s microphone.
The proposal aims to update the framework of guarantees and limitations already provided by the criminal code, in light of the rapid development of computer science and the consequent threats to citizens’ privacy.
For example, according to the bill, if a device is searched and seized remotely during an investigation, the owner must be notified when the investigation ends. A similar provision already exists for “physical” house searches.
However, there are also very complex technical challenges that this proposal tries to address, by specifying many technical and operational requirements that have to be met to legally use trojans in an investigation:
a. The source code must be deposited with a designated authority and must be verifiable through a reproducible build process (as the Tor Project and Debian already do).
b. Every operation carried out by the trojan, or through its use, must be duly documented and logged in a tamper-proof and verifiable way, using cryptographic time-stamping and digital signing, so that its results can be fairly contested by the defendant during the inter partes hearing.
c. The trojan, once installed, shall not lower the security level of the device on which it has been activated.
d. Once the investigation has finished, the trojan must be uninstalled or, otherwise, detailed instructions on how to remove it must be provided.
e. The production and use of trojans must be traceable, through a National Trojan Registry holding the fingerprint of each version of the software produced and deployed.
f. Trojans must be certified, with yearly renewal of the certification, to ensure compliance with the law and with the technical regulation issued by the ministry.
g. Extracted data must be stored on the prosecutor’s servers and protected from third-party access with encryption.
h. Trojans have to be directly operated by police, and not by private contractors.
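Requirements b and e describe two verifiable artifacts: a registry of build fingerprints, and an operation log that a defendant’s expert can check after the fact. The Go program below is an added illustration written for this page; it is not code from the bill, its technical regulation, or the authors. It assumes SHA-256 as the fingerprint function, Ed25519 as the signature scheme, and the operator’s own clock as the timestamp (a real deployment would obtain timestamps from an independent time-stamping authority, which this example stands in for). The registry contents, warrant identifiers and logged actions are all constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// registry is a constructed stand-in for a National Trojan Registry:
// it maps a version label to the SHA-256 fingerprint of the approved build.
var registry = map[string]string{}

// RegisterBuild stores the fingerprint of an approved build and returns it.
func RegisterBuild(version string, build []byte) string {
	fp := sha256.Sum256(build)
	h := hex.EncodeToString(fp[:])
	registry[version] = h
	return h
}

// VerifyBuild checks whether a deployed binary matches the registered fingerprint.
func VerifyBuild(version string, build []byte) bool {
	want, ok := registry[version]
	if !ok {
		return false
	}
	fp := sha256.Sum256(build)
	return hex.EncodeToString(fp[:]) == want
}

// Entry is one logged operation. Prev is the digest of the preceding entry
// (hash chain); Sig is the operator's Ed25519 signature over this entry's digest.
type Entry struct {
	Seq       int    `json:"seq"`
	Timestamp string `json:"ts"`
	Warrant   string `json:"warrant"`
	Action    string `json:"action"`
	Prev      string `json:"prev"`
	Sig       []byte `json:"sig"`
}

// digest hashes the canonical JSON of the entry with the signature field cleared,
// so the same bytes are covered at signing and at verification time.
func (e Entry) digest() []byte {
	e.Sig = nil
	b, _ := json.Marshal(e)
	d := sha256.Sum256(b)
	return d[:]
}

// Log is an append-only, hash-chained operation log held by the operator.
type Log struct {
	priv    ed25519.PrivateKey
	Entries []Entry
}

func NewLog(priv ed25519.PrivateKey) *Log { return &Log{priv: priv} }

// Append records one operation, links it to the previous entry and signs it.
func (l *Log) Append(ts time.Time, warrant, action string) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = hex.EncodeToString(l.Entries[n-1].digest())
	}
	e := Entry{
		Seq:       len(l.Entries),
		Timestamp: ts.UTC().Format(time.RFC3339),
		Warrant:   warrant,
		Action:    action,
		Prev:      prev,
	}
	e.Sig = ed25519.Sign(l.priv, e.digest())
	l.Entries = append(l.Entries, e)
	return e
}

// Verify replays the chain using only the public key, as a defence expert could.
// It fails on any reordered, removed, altered or unsigned entry.
func Verify(pub ed25519.PublicKey, entries []Entry) error {
	prev := ""
	for i, e := range entries {
		if e.Seq != i {
			return fmt.Errorf("entry %d: sequence mismatch", i)
		}
		if e.Prev != prev {
			return fmt.Errorf("entry %d: hash chain broken", i)
		}
		if !ed25519.Verify(pub, e.digest(), e.Sig) {
			return fmt.Errorf("entry %d: invalid signature", i)
		}
		prev = hex.EncodeToString(e.digest())
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	build := []byte("constructed sample build bytes") // stands in for the tool binary
	fmt.Println("registered fingerprint:", RegisterBuild("v1.0", build))
	fmt.Println("deployed build matches registry:", VerifyBuild("v1.0", build))

	l := NewLog(priv)
	l.Append(time.Now(), "RSS-2017-0001", "remote acquisition of one file under Remote Search and Seizure Warrant")
	l.Append(time.Now(), "RSS-2017-0001", "self-removal at end of investigation")
	fmt.Println("chain verifies:", Verify(pub, l.Entries))

	l.Entries[0].Action = "altered after the fact" // simulate tampering with the record
	fmt.Println("after tampering:", Verify(pub, l.Entries))
}
```

The defence side needs only the public key and the exported entries: a changed action, a dropped entry or a reordered one breaks either the signature or the chain, which is what makes the record contestable rather than merely asserted.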
One might ask: how would this affect companies that develop and sell such trojans?
Should the proposal become law, they would need to update their software to comply with the new technical regulations and deposit their source code with the competent authority, in order to keep doing business in Italy (and in any other country that adopts a similar regulatory framework).
The proposal is under public consultation, where judicial and technical discussions are being held to collect further input from a wider public.
The Law Proposal, along with its Technical Regulation Proposal, is online. Of course, it is written in Italian, but an English summary is available: “Rules governing the use of government trojan with respect for individual rights”.
Fabio Pietrosanti and Stefano Aterno
(Image: calflier001, CC-BY-SA)