9 October 1999. Thanks to q/depesche, Spiegel Online and CS-H.
Source: http://www.spiegel.de/netzwelt/politik/0,1518,45748,00.html

Translation by JYA with Systran.

Spiegel Online, October 8, 1999


Hunt for the log files

By Christiane Schulzki Haddouti

On October 19 and 20 the Ministers of the Interior and Justice of the G-8 states will meet in Moscow. One goal is to act together more forcefully against cyber criminality in the future. A corresponding convention is already in preparation in the Council of Europe.

Nothing works. The delivery system of a large German electrical retailer broke down. A "denial of service" attack crippled the network, including the retailer's delivery database. The attack came from a computer in France. From there the hacker's path ran over Telnet connections of a network in Russia, to which the hacker had set up an rlogin connection from a network access point in Japan. Access to the Japanese network had been gained by modem connection over a local telephone system. This modem connection was made by way of a Japanese mobile phone company. The attacker works on behalf of a direct competitor that feared for its survival after substantial price cuts. In the opinion of G-8 experts, most attacks on computer networks proceed like this example.

If the police wanted to pursue the trail of the hacker in this case, they would have to reconstruct the connections across the whole series of service providers and telephone systems in different countries. The first step would be to find out how the attacker reached the attacked system, and then to examine the log files of each individual network. But the investigators must be given access to the data in the networks in the different countries. And that cannot happen without problems: the relevant data could not be seized at all of the providers, or would not have been stored in the first place. In some G-8 states, for example, the telephone companies do not keep connection data for local calls. If an attacker came in by modem over the local network, identification would already be defeated. The same would be the case if the attacker had entered the net over a prepaid mobile phone. In many countries the telephone companies do not retain identification data when these are sold.

Investigators could also search in vain at Internet service providers: if the provider uses dynamic IP addresses, the corresponding log files must exist for the search to succeed. A dynamic address is assigned to a particular computer only for a limited time, while it is on-line. As soon as the computer logs off the network, the address is assigned to another computer. Thus, if the investigators searched the different stations on the Japanese network, they would find only the IP address of the attacker. Without the information that describes which accounts were assigned to which IP addresses at a certain time, it is not possible to say which computers are responsible for the attack. Many Internet service providers do not store this information.
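An added illustration, not part of the original article: a minimal sketch of the lookup investigators depend on, resolving an observed IP address and time to an account from a provider's session records. The records, account names, addresses and function names are all constructed for this example; the 14-day and 80-day retention periods are figures the article cites.

```python
from datetime import datetime, timedelta

# Constructed sample of a provider's session records: which account held
# which dynamic IP address, and when. All values are invented.
SESSIONS = [
    # (account, ip, session start, session end)
    ("acct-1001", "192.0.2.17", "1999-10-01 20:05", "1999-10-01 21:40"),
    ("acct-2002", "192.0.2.17", "1999-10-01 21:42", "1999-10-01 23:10"),
    ("acct-3003", "192.0.2.17", "1999-10-04 08:00", "1999-10-04 09:30"),
    ("acct-1001", "192.0.2.44", "1999-10-04 08:15", "1999-10-04 08:50"),
]
FMT = "%Y-%m-%d %H:%M"

def parse(ts):
    return datetime.strptime(ts, FMT)

def retained(sessions, now, retention_days):
    """Keep only records a purge job with this retention period would leave."""
    cutoff = now - timedelta(days=retention_days)
    return [s for s in sessions if parse(s[3]) >= cutoff]

def attribute(sessions, ip, seen_at, skew_minutes=0):
    """Accounts holding `ip` at `seen_at`, tolerating clock skew between
    the victim's log and the provider's log."""
    t = parse(seen_at)
    skew = timedelta(minutes=skew_minutes)
    hits = {acct for acct, addr, start, end in sessions
            if addr == ip and parse(start) - skew <= t <= parse(end) + skew}
    return sorted(hits)

def resolve(ip, seen_at, now, retention_days, skew_minutes=0):
    """Resolve an observation to one account, or say why that is impossible."""
    logs = retained(SESSIONS, parse(now), retention_days)
    hits = attribute(logs, ip, seen_at, skew_minutes)
    if not hits:
        return "unresolved"          # no record: purged or never stored
    if len(hits) > 1:
        return "ambiguous: " + ", ".join(hits)  # address was reassigned
    return hits[0]

if __name__ == "__main__":
    # Request arrives on 20 October for an event on 1 October.
    print(resolve("192.0.2.17", "1999-10-01 21:00", "1999-10-20 12:00", 80))
    print(resolve("192.0.2.17", "1999-10-01 21:00", "1999-10-20 12:00", 14))
```

The same address resolves to different accounts on different days, and a few minutes of clock skew around a reassignment is enough to make the answer ambiguous.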

Non-uniform regulations as well as differing data protection rules present the investigators of international computer criminality with large technical and organizational problems. On October 19 and 20 the Ministers of the Interior and Justice of the G-8 states will meet in Moscow. Top of the agenda: high-tech criminality. A ministerial communique was already sketched at a gathering of G-8 experts in the middle of July in Moscow. The agenda for it came from the G-8 workgroup "Hightech criminality". Their biggest request: to adapt internationally the rules for the storage of connection and inventory data at Internet service providers and telecommunications companies, in order to make quick transnational pursuit possible.

Already at a meeting in March this year in Königswinter the group had proposed a specific procedure: Internet service providers should freeze and store suspect communication data immediately on request of investigators -- the slogan for it is "Freeze and Preserve". With a judicial order or another suitable legal basis the police could then seize and evaluate the suspect data. A so-called "preservation order" has already been submitted upon advice of the European Union to the Council of Europe, which is at present working on a draft of a "convention for cyber criminality". The convention is to facilitate international prosecution, especially for the USA, Canada and Japan, through a binding agreement with European Union member states and so-called observer countries. The member states want in the future to facilitate international cooperation and to make transnational computer searches possible for major criminal offences -- "subject to specific hedge clauses for appropriate protection of the sovereignty of other states". Lastly, member states are not to be able to keep stored data on request of other states.

The European Union data-security commissioners already accommodated the G-8 representatives at the beginning of September in a recommendation of their own. In view of the fact that telecommunications operators can keep data up to ten years in France, only 14 days in Norway and up to 80 days in Germany, they recommended a harmonization of the time periods: the period should be chosen so that it allows the responsible authorities to fulfill their legal obligations on the one hand and protects data security and private interests on the other. In what is called a Solomonic formulation, the period should be as long as necessary to permit "consumers to contest it", but as brief as possible, so that "the operators and providers are not overloaded" and the "right of protection of the private sphere" is maintained. In short: the period should not amount to more than three months. Exactly as the Americans themselves had wished.

The question remains whether and how access can be had to data that is only arising at the moment: so-called future traffic data. In Germany that leads to a possible constitutional dispute over paragraph 12 of the telecommunication installation law, which governs access to this information. A simple initial suspicion is sufficient for the public prosecutor's office to be able to request a simple listing of dial-up data for telephone and Internet access. The paragraph remains valid until 31 December this year. On 7 October the CDU/CSU Bundestag faction brought a bill into the Bundestag which plans an unlimited extension -- above all for the reason that all troubling and insulting telephone calls could thereby be pursued. However, according to information from the office of the Green Party delegate Christian Stroebele, the government coalition wants to discuss alternatives friendlier to data security in the committee.

Still uncertain is the fate of the telecommunications monitoring regulation (TKUEV). It makes data recovery possible by direct access -- requiring, however, the installation of monitoring interfaces not only at telephone firms but also at Internet providers, at their own expense -- and is therefore not appreciated in the industry. According to information from an employee, the Federal Criminal Investigation Office could also proceed without a monitoring interface -- in this case policemen would themselves insert a "specific Black box" into the computers of the providers. While technically feasible, it is politically still unresolved. The Federal Ministry of the Interior blocked it in first preliminary talks. Reason: the state would have to pay for the costs of the "Black box". In addition, the provider would have to co-operate willingly -- so far none will do so. First results of the discussions between the Federal Criminal Investigation Office and Internet service providers are to be presented only in the middle of November.

Privacy protections are safe for now: If there is no extension of the period of validity of Paragraph 12, it is to be reaffirmed in December on a decree of the TKUEV. Willing co-operation or forced obligation? For the providers it seems there are no longer any other possibilities.