The malware scene is changing constantly, and one of the remarkable changes is that today the bad guys might be the good guys. That is, the guys who were supposed to be good. To express it slightly less confusing, authorities have become one of the major malware players and US agencies are already the world's largest buyers of exploits.
This makes an old ethical question for us malware fighters more important than ever. How to deal with policeware? Should this kind of malware be detected or not? F-Secure's stance has been clear. Yes, we do detect any kind of malware. And no, we do not keep any whitelists for authorities' policeware. We have not received any requests to whitelist policeware, and we would refuse to do so if requested.
This might raise mixed feelings as there no doubt are cases where the police work for our common good. There are dangerous criminals that should be behind bars, so why not use any available weapon against them? Aren't we protecting them by refusing to whitelist policeware? Let's take a closer look at the problem and we'll see why there really is no alternative to our current policy.
Why is it a bad idea for an anti-malware vendor to whitelist policeware?
• Authorities' powers are always restricted to a defined geography, but our anti-malware technology is used globally. There is no reliable way for the scanner engine to verify that the policeware is used within its author's jurisdiction.
• Legit warrants always define the suspect. But our anti-malware technology is generic for all customers and can't verify that the policeware is used against the right target.
• When encountering a whitelisted file, our scanner can't verify who is controlling it and who it reports back to. Whitelisting would be irresponsible as real malware could sneak through that way.
• We have an obligation to protect our customers from malware as well as we can. That's what we promise when selling the product. We could naturally make an exception in cases where there is a valid warrant against the user. But as stated above, it is impossible to verify that condition.
• Laws are different in every country. The policeware might be legal in one country but illegal in another. This is complex and unfeasible for us to investigate.
• Which countries' authorities should we serve? We might trust our own country's police, but what about Spain, Brazil, Canada, Israel, Egypt, China, North Korea or USA? Just to mention some randomly picked countries. Should we serve them too? How can we verify that they have legit motives for using spying tools?
• If policeware is misused without an appropriate warrant or otherwise against the law, we have a moral obligation to inform the victim. Otherwise we take part in the crime.
So the problem is really that valid warrants target a well-defined individual or group, but a whitelisting of policeware would be targeting our whole user-base globally. That makes the downside of whitelisting magnitudes larger than the upside.
But that's not all. Here's why it is an even worse idea for agencies to ask for whitelisting.
• Whitelisting requires us to know what to whitelist. The policeware must have a unique and reliable identification mechanism. A core goal for malware is to be as hard as possible to detect, and such an identifier will make the policeware easier to detect and less effective. It could be used for both white- and blacklisting.
• Whitelisting forces agencies to reveal details about their policeware programs to outsiders, which increase the risk for leaks. They also need to reveal the mere existence of the program. Keep in mind that they would need to talk to many anti-malware vendors to get effective whitelisting, not just to us.
• The reliable identifier needed to whitelist policeware ties it to the agency. It gives the suspects a way to know that they are being watched by the authorities. A malware infection that is detected could otherwise blend in with the overall malware threat and not necessary alert the suspects.
• As recent news coverage reveal, a significant part of the policeware seems to be outright illegal or at least on shaky ground. This makes it even less sensible for the agencies to talk to outsiders about it.
The best strategy for agencies is to play the same game as the bad boys. To change the policeware constantly and try to fly under the anti-malware products' radar. When their program gets caught, they change it and try again, and the target may think it was an ordinary malware attack. Law enforcement agencies have plenty of resources and are well able to play this game successfully. And many criminals are probably not that tech savvy. Even big organized gangs might operate without properly protected computers. Reality is not like in the movies where the villain is both a global drug dealer and a super-hacker at the same time. Many criminals are soft targets even without whitelisting policeware.
Our policy to never whitelist is old already, but today it's more important than ever. The police used to be trustworthy in the good old days. Warrants and targeted actions against suspects have been seen as a legit part of crime-fighting. It's sad to see how this traditional police work blends into secret mass surveillance with totally different motives. It's not only sad, it's scary as this is creating a chasm between citizens and the authorities.
With this in mind, it is easy to see why a strict policy against whitelisting really is the only alternative. It has always been an easy choice, now it is a no-brainer.