[LINK] Is police spyware in your computer??

Roger Clarke Roger.Clarke at xamax.com.au
Fri Oct 2 14:32:12 AEST 2009

[At face value, this is a pretty disturbing report.  It seems fairly 
likely that it's full of misinformation from the source that fed it 
to the reporter and/or misunderstandings by the reporter.]

Spy software, then police, swoop on child porn file sharers
Date: October 1 2009
The Sydney Morning Herald
John Silvester

POLICE have secretly identified thousands of suspects who are 
allegedly trading child pornography images through online networks. 
Detectives expect to make hundreds of arrests, having used a 
breakthrough software program to spy on files held in private 

[Note "[a] program to spy on files held in private computers", most 
readily interpreted as meaning software installed in those 'private 
computers', aka spyware.]

Designed in the US to pinpoint computers holding known child 
pornographic images, the software has been used in Queensland for six 

[Firstly, the use of "in Queensland" rather than "by Queensland 
Police" is consistent with the interpretation that this is spyware, 
rather than software installed on police devices.]

[Secondly, a reasonable interpolation would seem to be that the 
spyware contains, or has access to, hashes of the file-content of 
"known child pornographic images", and computes the same hash for 
all, or at least some, files found on a device it is installed in, 
and 'calls home' when it finds matches.]

Victorian police made their first arrest using the technology earlier 
this month. A 60-year-old office worker, married with two adult 
children, will be charged on summons with possessing and transmitting 
child pornography.

[Note that it's charge by summons.  So the seriousness of the charge 
is apparently not sufficient to justify arrest, and opposition to 
bail in expectation of a custodial sentence.  (The fact is that these 
crimes, when successfully prosecuted, typically result in suspended 
sentences and/or community service).

[But the low seriousness of the charge is apparently sufficient to 
justify breach of the security of devices used by suspects?]

Known in the US as Operation Fairplay, the method enables detectives 
to identify the contents and images on computers without applying for 
search warrants and without raiding suspects.

[Australian Parliaments have granted law enforcement agencies 
extraordinary, extra-judicial powers, using the excuse of 
post-September 2001 terrorism.  Have those powers leaked across to 
child porn??]

Detective Sergeant Peter Ravlich, from Brisbane's Taskforce Argos, 
said his officers had made 40 arrests since investigators started 
using the program in March. "It just doesn't make mistakes,'' he said.


[Let's see now.  In Queensland, is possession alone an offence, and 
is mens rea - the intention to commit the criminal act - irrelevant? 
There are a great many ways in which, and contexts within which, a 
file can come to be on a device.]

In just two days, the team [are we back to the Victorian team now, or 
still talking about the US or Queensland teams?] identified thousands 
of computers in Victoria that hold child porn images. The computer 
hits are then matched with Google maps to confirm locations.

[Um.  Could we have some clarity about the way in which 'computers' 
are identified, and how that is related to a geographical location? 
Perhaps IP-address, and ISPs' records of the subscriber and premises 
to whom the IP-address was allocated at the time?  Google maps would 
then represent a marginal advantage over a UBD.]

The imaging, seen by the Herald, covers a map in red dots, each 
representing a suspect computer. One Melbourne suburb shows hundreds 
of hits - and the CBD has thousands, indicating widespread abuse of 
office networks.

[So the computer wasn't a suspect when the spyware was installed on 
the device, but became one when the spyware 'called home'?]

[So Melbourne CBD doesn't contain the same density of flats as Sydney?]

[More importantly, the numbers of devices involved suggest that the 
police may well have breached any requirement for 'reasonable grounds 
for suspicion'.  Have they been installing spyware willy-nilly??]

The suspects use technology similar to that used to share music files 
between computers. One computer has more than 200 suspect share 
files, of which 192 have been confirmed as holding illegal child porn 
images. Police have seized computers with ''tens of thousands'' of 
such images.

[Ah, the expression "technology similar to that used to share music 
files between computers" raises the question as to whether there 
really *is* spyware involved.

[Just suppose the police were using an *existing* P2P package, and 
had searched for instances of "known child pornographic images", and 
extracted the IP-addresses, and identified which ISP administers 
them, and hit the ISPs with warrants for the subscriber and premises 
information, and then went to that location.  (Note that the 
subscriber may not be a user of the device, and that there may be two 
or more users of the device.  Life wasn't meant to be easy, and 

[Subject to some provisos, people who are horrified by what's in this 
article might not be particularly put out by this alternative modus 
operandi, if that's what they actually did.]

The system effectively grades suspects - identifying "contact 
offenders", those likely to molest children - by analysing the 

[That's also a serious worry.  What material?  And what criteria?]

The head of Victoria's sexual crimes squad, Detective Inspector Glen 
Davies, said high-risk suspects will be targeted first and police 
would raid houses where they feared children were at risk. The first 
priority was to rescue potential victims.

[Note that the sole prosecution mentioned is a "60-year-old office 
worker, married with two adult children" and he's "charged on 
summons".  Maybe the prioritisation of high-risk suspects starts 
*next* week?]

[In short, the article is a disastrous piece of substandard 
journalism that a broadsheet should be ashamed of releasing.  Send 
the kid back to school and teach him to ask questions, not publish 
media releases.]

[Declaration:  I've given expert evidence on matters of this kind, 
and have been underwhelmed by the level of understanding of the 
people involved, and by the evidence that has been claimed to prove 

Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list