Hacking tools tipped to become weapons of the state

Governments could soon be using hacker tools for law enforcement and the pursuit of justice, according to an expert on IT and Internet law. Joel Reidenberg, professor of law at New York-based Fordham University, believes it likely that denial of service attacks (DoS) and packet-blocking technology will be employed by nation states to enforce their laws. This could even include attacks on companies based in other countries, he says.

Reidenberg told a seminar at the Oxford Internet Institute (OII) on Tuesday that democratic governments have an obligation to enforce their laws in the online space, as well as offline. Previously, this was thought to be extremely difficult due to the global nature of the Web.

"In the 1990s, it was thought states had no way of enforcing their laws online. That conventional wisdom doesn't stand up any more," said Reidenberg.

According to security experts, intelligence agencies have been conducting hacking attacks online for years. Reidenberg, though, sees a future where such actions would be just another legal instrument wielded by the state.

In 2000, a French court ordered Yahoo to block Nazi paraphernalia from being auctioned through its site in France -- where it is outlawed because it violates France's hate speech laws. But a US court later ruled that the decision could not be enforced in America, where Yahoo's servers were sited.

At the time, the French government was ridiculed in some quarters for believing that they could impose their laws on companies based in other jurisdictions.

But according to Reidenberg, the power of technologies such as distributed DoS attacks and worms means this is theoretically possible. "Distributed denial of service attacks and worms are characterised by having police powers," Reidenberg told the OII. "We think of them today as only being used by bad people, but these same instruments could just as easily be used by states to enforce legal judgements."

Some members of the audience at the OII expressed deep concern at this idea, suggesting that governments couldn't be trusted to wield such powers responsibly.

Reidenberg pointed out that the Chinese government has already imposed restrictions on Internet traffic -- the "Great Firewall of China" -- to prevent access to certain Web sites. He suggested that if a case similar to that between the French courts and Yahoo arises again, the company concerned could see itself virtually banned from that country. "States could soon have technology, if they haven't already, to intercept packets of data that they have decided shouldn't enter their country, in the same way we have officials patrolling national borders today," Reidenberg explained.

Another option could be an 'electronic blockage', where a company would be prevented from communicating across the Web outside of its home country. This would require the development of packet interception techniques, and would also need the help of intermediaries such as Internet service providers.

In the most extreme example, a company's Web site could even be taken offline by a distributed DoS attack, which Reidenberg likened to the "death penalty", if they failed to comply with a legal order.

One economist with links to the government who attended the seminar said she didn't believe regulators are considering such tools at present. But Reidenberg says that as sites such as Amazon, Yahoo, eBay and CNN have all been seriously disrupted by DoS attacks launched by malicious hackers, and that the same tools could be effectively wielded by the forces of law and order.

Before any of this can take place, though, countries will have to lay out clear rules for online enforcement.

Reidenberg told the OII that there must be prerequisite legal authority, stating the conditions when police can resort to online tools. This could include an assessment of the magnitude of the threat. For example, in the Yahoo France case, if the presence of Nazi memorabilia for sale online was likely to lead to public rioting, the French authorities could be justified in deciding to attempt to shut Yahoo down immediately.

According to Dr Stephen Coleman, visiting professor in e-democracy at the OII, Reidenberg's views are just one part of a bigger picture surrounding law enforcement and government action on the Internet. "There is some speculation about whether some of the necessary technology exists already," Coleman said, warning that he was extremely dubious whether we could ever have the effective global intelligence needed, as well as a truly accountable appeal process. "In terms of the use of disruptive technology, the UK government's secure intranet is hacked into once every three seconds -- primarily by its allies."

A senior official from Cable&Wireless also warned that there is a much greater degree of uncertainly about the location and identity of online agents, compared to offline. He believes this would make it much harder for courts to issue a warrant permitting action to be taken against a Web site rather than an offline entity such as an office.

Another hurdle to be overcome is the problem of third-party damage. An attack on an Internet bank or email provider could inconvenience Web users across many countries -- governments could find it impossible to justify causing such disruption.

Dr Reidenberg is currently working on a book about states and Internet enforcement. He recently published a research paper on the issue, which can be seen online here.