The FAST And The Furious

Last Updated on October 9, 2011

Yesterday I stumbled upon a couple of really interesting news published respectively by the Chaos Computer Club, the famous German hacker community, and by CNET, concerning in both cases “new” technologies aimed to fight crime. But if the news published by the CCC is yet another example of alleged Government Malware, that is a spyware built with the purpose to spy and collect evidences on the target’s computers, the news published by CNET sounds incredible and brings our minds to the well-known scenes of Minority Report, where Police used precognition to prevent crime.

In any case, both articles mix information security, privacy and ethics, and raise many concerns about the role of technology to fight crime and its right to cross the boundaries with ethics and privacy

Let us begin from the FAST

FAST (Future Attribute Screening Technology) is the name of a project sponsored by the U.S. Department of Homeland Security which aims to prevent crime using algorithms based on ethnicity gender, breathing and heart rate (At Least no PRECOG so far). FAST seeks to develop behavioral screening technologies that will enable security officials to test the effectiveness of current screening methods at evaluating suspicious behaviors and judging the implications of those behaviors. The ultimate goal of the FAST project is to equip security officials with the tools to rapidly assess potential threats.

According to a June 2010 Document, FAST is already in operation and its test is ongoing on a Planned Limited User Evaluation after an initial test on DHS Employees. For this initial sample of Employees, the system collected video images, audio recordings, and psychophysiological measurements (i.e., heart rate, breathing pattern, thermal activity, and other physiological and behavioral cues). The data were used for Baseline. A field testing has been conducted in an undisclosed location in the Northeast, with a select group of participants on a volunteer basis.

In the latter case several data were collected such as: demographic information (age, gender, occupation, and ethnicity), medical information (heart, circulation, respiratory, and vision issues), current medications, and substance use in the last week (caffeine, tobacco, alcohol, other substances).

The document also states DHS will only have access to aggregated and anonymized data and this was confirmed to CNET by a Homeland Security spokesman.

So definitively, are the criminals really going to be captured by PRECOGs before perpetrating a crime? Not yet! DHS, provided a statement to CNET that said:

The department’s Science and Technology Directorate has conducted preliminary research in operational settings to determine the feasibility of using non-invasive physiological and behavioral sensor technology and observational techniques to detect signs of stress, which are often associated with intent to do harm. The FAST program is only in the preliminary stages of research and there are no plans for acquiring or deploying this type of technology at this time.

And Proceed with the Furious

Maybe German people would be quite furious in this moment, in knowing that they have been possible targets of a (un)lawful interception Malware allegedly crafted by the German Police Force (dubbed “0zapftis”, “Bundestrojaner” or “R2D2”) with the purpose to spy online activity and record Skype internet calls. Its discovery was announced yesterday by the Chaos Computer Club which reversed engineered and analyzed the malware.

The malware, according to its original concept, should have been a light variation of the original “Bundestrojaner” forbidden by the German constitutional court on February 27 2008. Even before this sentence, the German government introduced a less conspicuous variant of the spyware dubbed “Quellen-TKÜ” (the term means “source wiretapping” or lawful interception at the source), whose only purpose, by definition, was to wiretap internet telephony, enforced through “technical and legal” means.

Unfortunately the analysis conducted by CCC has shown that the “Bundestrojaner light” goes much further than its initial concept violating the terms set by the constitutional court and, even worse, according to the analyzers is badly written and lacks the basic security measures (for instance no mutual authentication and poor encryption), so making a malicious third party capable to intercept the captured or use the Trojan to install arbitrary programs or upload arbitrary data on the target’s computer.

This is not the first case of a Government Spyware: Sophos reports about a German state-sponsored cyber-spying in in 2008, when there were claims that German Foreign Intelligence Service deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan, and almost ten years ago when there were concerns that the FBI would ask anti-virus companies to deliberately not detect spyware that they had written – dubbed “Magic Lantern“. Even a recent occurrence also happened in Italy when, as part of an investigation against a criminal conspiracy, the police injected a spyware into the computer of an individual used to collect evidences of his role inside the conspiracy.

Easily predictable this affair will rise a political storm in Germany. Although it is not clear if it was really written by the German Police, the CCC has informed the German Ministry of the Interior. If it is true that the malware is really capable not only to gather information, but also to upload data or install other programs, it also possible that it could be (or worst has already been) used to build (and gather) artificial evidences against the target (this is the reason of my logical link with the FAST affair).

The boundary between lawful interception and privacy is blurred, maybe is time, for the legislators, to regulate the growing use of spyware for lawful interception and the consequent authorized infiltration of suspects’ computers and their secret hard drives scanning.