At an October 22 press conference, Swedish Interior Minister Mikael Damberg announced a sweeping new 34-point plan from the Swedish government to upgrade law enforcement powers of the Swedish police, with a particular focus on cracking down on violent crime. Perhaps the most controversial of the new powers being granted to Sweden’s police force is the ability to deploy spyware on the computers, tablets or phones of suspected criminals. This new spyware, which is slated to go into effect on March 1, 2020, will be capable of turning on device cameras and microphones, as well as accessing encrypted chat logs or images stored on the device.
Privacy concerns about the Swedish spyware
Needless to say, the new expanded powers have attracted the attention of privacy advocates and human rights activists. They are concerned that Swedish law enforcement agencies will overstep their boundaries and eventually usher in a modern surveillance state in which anyone – even someone not suspected of a crime – might be the subject of digital surveillance. This would represent a threat to individual rights, due process and democratic freedoms. In essence, it would turn the entire concept of “innocent until proven guilty” on its head. Moreover, there is the very real risk that criminals or other rogue actors will get their hands on the spyware and use it for their own nefarious purposes.
According to some estimates, the so-called “lawful intercept market” – in which tools and technologies are available for snooping on encrypted communications to the highest bidder – will be worth a combined $4 billion globally by 2022. Around the world, a handful of spyware firms now peddle their wares to governments and law enforcement agencies, positioning the new tools as an essential aspect of cracking down on modern crime. For law enforcement agencies such as the Swedish police, it is becoming increasingly difficult to crack down on criminals because they are all using encrypted communications tools such as WhatsApp, Signal and Telegram to communicate with each other. Thus, the new spyware tools available are very attractive to them.
Swedish police and the problem of encrypted communications
And, indeed, the Swedish government does make a strong case for why the new spyware tools are necessary right now. Over the past few years, it says, 90% of all intercepted communications between criminals is basically worthless because it is entirely encrypted. Even if the Swedish authorities know that criminals are plotting something, they are basically powerless to do anything about it. As an example, the Swedish police point to the crime situation in the city of Malmo, where nearly every violent murder involves communications between gang members. The point of the Swedish police is clear: if they had been able to lawfully intercept even a fraction of those communications, they might have been able to avert those murders.
And, if you think about it, how is planting spyware on suspects’ devices any different from, say, planting a listening device (i.e. “bug”) on a suspect’s phone, like they did in the old analog days? We’ve all seen Hollywood movies where the police or FBI gain access to a criminal’s place of doing business, and insert a bug onto a phone so that all phone calls in and out of the place can be monitored and tracked. In the movies, police in unmarked white vans are listening to everything.
In support of their position, Swedish police point to the example of countries Germany, where German law enforcement authorities have been successful in using “Bundestrojaner” (“Federal Trojan”) malware to track suspects and intercept their communications. According to Swedish police, the spyware will only be used in criminal investigations, such as those involving violent crime and gang-related incidents. And, of course, they pledge to take all steps in order to ensure a “transparent and fair process.” They also promise that the spyware will only be use in the case of serious crimes.
Spyware vs. encryption backdoors
From the perspective of law enforcement, the biggest debate is not over whether they should be spying on criminals, but rather, how they should be doing it. Their top priority is intercepting encrypted communications of crime suspects. In the era of modern encrypted communications, they basically have two options: spyware and encryption backdoors.
In the case of spyware, Swedish police will need physical access to the device in order to plant the spyware on it (although some recent examples of spyware from Israeli surveillance firm NSO Group show that it is possible to implant spyware on a phone by exploiting known security vulnerabilities in messaging platforms such as WhatsApp). In the case of encryption backdoors, law enforcement would need a “backdoor” into the entire communications platform. This is the approach currently being pushed in the United States, where law enforcement officials within the Trump administration are calling for a change to end-to-end encryption. As they see it, law enforcement should always have the option to intercept encrypted communications. So the U.S. is getting behind the idea of forcing big tech companies to “break” encryption and give them a backdoor.
Thus, it might be possible to argue that spyware planted on devices to intercept encrypted communications is much less intrusive than gaining a backdoor into the entire communications platform. Imagine, for example, if the Swedish police had access to every single user of WhatsApp, versus access to just a few gangs of people roaming the streets of Malmo. In one case, you are opening up the prospect of spying on everyone universally; in the other case, you are opening up the prospect of accidentally spying on innocent people somehow caught up in criminal investigations (such as family members of criminals).
The slippery slope of modern surveillance technology
There is something about the word “spyware” – even if it is being used for legitimate purposes to intercept encrypted communications – that is repulsive to most people. So it’s perhaps no surprise that law enforcement agencies (such as the Swedish police) prefer to use the term “lawful intercept” to describe their tools and technologies. The term “lawful intercept” sounds much more optimistic – it implies that everything is being done according to the letter of the law, and only in situations were something awful (such as violent crime) must be avoided. But there is always a slippery slope with surveillance technology – once spyware inevitably gets into the hands of the “bad guys,” it might already be too late.