Page 19 of 28
For a few months, German police tested a face recognition system. Two hundred frequent travelers volunteered to have their faces recorded and three different systems tried to recognize the faces in the crowds of a train station. Results (in German): 60% recognition at best, 30% on average (depending on light and other factors).
Earlier this month, I blogged about a library of people’s smells kept by the former East German police. Seems that the current German police is still doing it:
The Stasi secret police used scent gathering in Communist East Germany, collecting smells in empty jam jars and storing them. The method has reminded Germans of that failed regime of snoopers, and was highlighted in the recent Oscar-winning film “The Lives of Others” about a Stasi surveillance officer.
The domestic policy spokesman for the Social Democrat Party, Dieter Wiefelspütz, finds the new weapon “pretty bizarre.” But he knows that unappetising though it may be, the method has been employed by German investigators for a long time.
In legal terms, recording someone’s body odour is no different than taking their finger prints. It’s covered by the criminal statue book. The scent contains a person’s identity just like the lines of his finger tips or his DNA.
Taking someone’s DNA is subject to strict conditions but the law permits finger printing and scent recording whenever police deem it necessary as part of a criminal investigation—which means virtually always. Erhard Denninger, an expert on Germany’s justice system, has no problem with scent analysis. “It’s harmless by comparison with sledgehammer plans like searching people’s computers,” he said.
Suspects are told to hold several 10 centimeter steel pipes in succession for several minutes each.
There are strict rules governing this procedure. The interior minister of the state of North Rhine-Westphalia has decreed that “persons must contaminate the metal tubes through their hands”, and that the aromatic traces thereby recorded “be secured in glass containers in dry condition.”
It sounds harmless. But a number of defence lawyers, Düsseldorf-based Udo Vetter among them, advise their clients not to agree to scent recording. If the state sniffs the sweat of its citizens, it amounts to a “considerable intrusion into one’s intimate sphere,” he says.
The complexity of collecting someone’s scent is the theme of Patrick Süskind’s novel “Perfume”, recently made into a movie, in which an 18th century murderer wraps beautiful women in cloths which he later boils. Unlike in real life, the perfume specialist chose to kill his victims before taking their scent.
Most computer security products deliberately do not detect police spyware.
In London (the system was built for road-fare collection, and is now being used for counterterrorism):
Police are to be given live access to London’s congestion charge cameras—allowing them to track all vehicles entering and leaving the zone.
Anti-terror officers will be exempted from parts of the Data Protection Act to allow them to see the date, time and location of vehicles in real time.
They previously had to apply for access on a case-by-case basis.
I’ll bet you anything that, soon after this data is used for antiterrorism purposes, more exceptions will be put in place for more routine police matters.
EDITED TO ADD (8/16): Well, that didn’t take long.
I’m sure glad the Australian Federal Police have their priorities straight:
Technology such as cloned part-robot humans used by organised crime gangs pose the greatest future challenge to police, along with online scamming, Australian Federal Police (AFP) Commissioner Mick Keelty says.
It’s nice to post a positive story once in a while:
Is it a bird? Is it a bomb? No, it’s the missing ‘bot.
A robot dubbed Seahorse 1, which was stolen days before an international contest, has turned up in a field off Interstate 45 in Dallas.
“Somebody was mowing his grandmother’s yard and thought it was a bomb,” said Nathan Huntoon, an engineering grad student and member of SMU’s robotics team.
The police were delivering the missing machine to SMU Monday afternoon. “We don’t know yet if it’s in working condition,” Mr. Huntoon said.
Sad that this feels like an exception.
I’ve blogged a few times about the Greek wiretapping scandal. A system to allow the police to eavesdrop on conversations was abused (surprise, surprise).
Anyway, there’s a really good technical analysis in IEEE Spectrum this month.
On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.
The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy. [See sidebar “CEOs, MPs, & a PM.”]
The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country’s largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.
[…]
A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.
It’s also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.
See also blog entries by Matt Blaze, Steve Bellovin, and John Markoff; they make some good security points.
EDITED TO ADD (10/22): More info:
The head of Vodafone Greece told the Government that as soon as it discovered the tapping software, it removed it and notified the authorities. However, the shutdown of the equipment prompted strong criticism of Vodafone because it had prevented the authorities from tracing the taps.
From Technology Review:
A camera developed by computer scientists at the University of California, Berkeley, would obscure, with an oval, the faces of people who appear on surveillance videos. These so-called respectful cameras, which are still in the research phase, could be used for day-to-day surveillance applications and would allow for the privacy oval to be removed from a given set of footage in the event of an investigation.
An interesting privacy-enhancing technology.
This is a great piece of news in the U.S. For the first time, e-mail has been granted the same constitutional protections as telephone calls and personal papers: the police need a warrant to get at it. Now it’s only a circuit court decision—the Sixth U.S. Circuit Court of Appeals in Ohio—it’s pretty narrowly defined based on the attributes of the e-mail system, and it has a good chance of being overturned by the Supreme Court…but it’s still great news.
The way to think of the warrant system is as a security device. The police still have the ability to get access to e-mail in order to investigate a crime. But in order to prevent abuse, they have to convince a neutral third party—a judge—that accessing someone’s e-mail is necessary to investigate that crime. That judge, at least in theory, protects our interests.
Clearly e-mail deserves the same protection as our other personal papers, but—like phone calls—it might take the courts decades to figure that out. But we’ll get there eventually.
U.S. courts are weighing in with opinions:
When Ray Andrus’ 91-year-old father gave federal agents permission to search his son’s password-protected computer files and they found child pornography, the case turned a spotlight on how appellate courts grapple with third-party consents to search computers.
[…]
The case was a first for the 10th U.S. Circuit Court of Appeals, and only two other circuits have touched on the issue, the 4th and 6th circuits. The 10th Circuit held that although password-protected computers command a high level of privacy, the legitimacy of a search turns on an officer’s belief that the third party had authority to consent.
The 10th Circuit’s recent 2-1 decision in U.S. v. Andrus, No. 06-3094 (April 25, 2007), recognized for the first time that a password-protected computer is like a locked suitcase or a padlocked footlocker in a bedroom. The digital locks raise the expectation of privacy by the owner. The majority nonetheless refused to suppress the evidence.
Excellent commentary from Jennifer Granick:
The Fourth Amendment generally prohibits warrantless searches of an individual’s home or possessions. There is an exception to the warrant requirement when someone consents to the search. Consent can be given by the person under investigation, or by a third party with control over or mutual access to the property being searched. Because the Fourth Amendment only prohibits “unreasonable searches and seizures,” permission given by a third party who lacks the authority to consent will nevertheless legitimize a warrantless search if the consenter has “apparent authority,” meaning that the police reasonably believed that the person had actual authority to control or use the property.
Under existing case law, only people with a key to a locked closet have apparent authority to consent to a search of that closet. Similarly, only people with the password to a locked computer have apparent authority to consent to a search of that device. In Andrus, the father did not have the password (or know how to use the computer) but the police say they did not have any reason to suspect this because they did not ask and did not turn the computer on. Then, they used forensic software that automatically bypassed any installed password.
The majority held that the police officers not only weren’t obliged to ask whether the father used the computer, they had no obligation to check for a password before performing their forensic search. In dissent, Judge Monroe G. McKay criticized the agents’ intentional blindness to the existence of password protection, when physical or digital locks are such a fundamental part of ascertaining whether a consenting person has actual or apparent authority to permit a police search. “(T)he unconstrained ability of law enforcement to use forensic software such at the EnCase program to bypass password protection without first determining whether such passwords have been enabled … dangerously sidestep(s) the Fourth Amendment.”
[…]
If courts are going to treat computers as containers, and if owners must lock containers in order to keep them private from warrantless searches, then police should be required to look for those locks. Password protected computers and locked containers are an inexact analogy, but if that is how courts are going to do it, then its inappropriate to diminish protections for computers simply because law enforcement chooses to use software that turns a blind eye to owners’ passwords.
Sidebar photo of Bruce Schneier by Joe MacInnis.