Australia's Spies Want To Put Members Of The Public At Risk By Using Them To Pass On Malware to Suspected Terrorists

from the not-thinking-it-through dept

Last year we wrote about the German police using malware to spy on members of the public. Now ASIO, Australia's national secret service, has come up with a new variant on the idea: A spokesman for the Attorney-General's Department said it was proposing that ASIO be authorised to ''use a third party computer for the specific purpose of gaining access to a target computer''. The problem seems to be that even suspected terrorists are getting the hang of this security stuff: The department said technological advances had made it ''increasingly difficult'' for ASIO to execute search warrants directly on target computers, ''particularly where a person of interest is security conscious.'' So the idea seems to be to infect the computer of someone that the alleged terrorists know, and then use that trusted link to pass on malware: Australians' personal computers might be used to send a malicious email with a virus attached, or to load ''malware'' onto a website frequently visited by the target. That probably seemed like a really clever ruse to the people who thought it up, but it overlooks some basic flaws.

First, that once ASIO has taken control of an intermediary's computer it can do anything -- including poking around to see what's there. After all, if intermediaries are known to suspected terrorists, it's possible that they too might be terrorists.

The authorities are insisting that the warrant to break into somebody's computer would not authorize ASIO to obtain "intelligence material" from it. But you don't have to be clairvoyant to predict that at some point in the future, "exceptional" circumstances will be invoked to justify doing precisely that: once security services start down a slippery stop, they never seem to be able to stop.

Secondly, as the German experience shows, if a computer has been compromised by malware in this way, it's not just the government agencies that can take control: anyone who has obtained the malware and analyzed it will be able to look for ways to send their own instructions. That could leave innocent members of the public vulnerable to privacy breaches and economic losses that would be directly attributable to the spy agency's digital break-in.

Finally, this approach seems to overlook the fact that presumed terrorists are unlikely to be best pleased with any person that unwittingly sends them government malware. If they notice and really are ruthless terrorists, they might decide to take revenge on that person and his or her immediate circle of family and friends. Either the Australian spy agency hasn't really thought this through, or it is being extremely cavalier with the lives of the members of the public it is supposed to protect.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: australia, malware, privacy, spyware