In 2009, I co-wrote two papers for the AVAR conference in Kyoto. The first was co-written with Craig Johnston: Please Police Me.
Here’s the abstract:
Sed quis custodiet ipsos custodes? (Who will guard the guards themselves?)
While the anti-malware industry has always tended to avoid poachers turned gamekeepers, the rest of the security industry has fewer scruples. But what about gamekeepers turned poacher? Time and time again, civil liberties groups are obliged to intervene as best they can when governments and law enforcement agencies attempt to expand their ability to eavesdrop electronically using “hacking” techniques and keylogging malware more often associated with the other side of the cops and robbers divide.
An issue with particular resonance in the anti-malware community is the idea of a “good” Trojan like the FBI’s Magic Lantern, which not only poses ethical issues for the anti-malware industry – would vendors be prepared (or forced) to make an exception for detection? – but also inspires misgivings in the community as a whole, from privacy campaigners to the wider security community to everyday business and home users.
In this paper, we’ll consider not only the ethical and political issues around “policeware” and other surveillance tools and techniques, but practicalities such as the mechanisms for distributing and installing such tools, and the maintenance and enforcement of secrecy and compliance.