Friday, 10 February 2006

Who Is Audacious Wins

Never before has a government been revealed to have been spied upon as comprehensively as the Greek government was in the nine months from June 2004 to 8 March 2005. The earlier date is when the first of more than a dozen mobile telephones used to listen in on Greek officials' conversations was activated. The second date is when Vodafone says it removed software from its mainframe computers that diverted the conversations to the spy phones.

The activation, coming just before the Olympics, and the targets of the surveillance, senior people in the defence, public order and foreign ministries as well as the entire committee overseeing security for the Olympics, strongly suggest that the surveillance stemmed from either an industrial or a governmental concern with Olympic security.

The surveillance story appeared in Athens daily Ta Nea on February 2, and on the same day the government held a well-organised press conference to explain what happened.

The orchestration of the tri-ministerial press event was in sharp contrast to the government's reaction to its last public order scandal in December and January.

Following allegations from Pakistani immigrants last year that they had been abducted and violently interrogated, Public Order Minister George Voulgarakis started with a flat denial, only to end up telling a parliamentary committee on January 11 that the government swept 5,432 immigrants off the streets and questioned them. The government, he said, had acted on a long list of names suspected of involvement in the July 7 bombings in London, provided by British intelligence.

MI6 also provided a series of Greek mobile phone numbers, Voulgarakis revealed, which had been in contact with one of the July 7 bombers. The numbers could not be traced to individuals because they were card-phones.

These are connections that, unlike monthly subscriptions, can be purchased without formality at a kiosk, their units pre-paid, obviating the need for a name, address and credit card.

Ironically, the 14 or so mobile telephones used to eavesdrop on Greek officials in 2004-5 were also card-phones, and could similarly not be traced despite a ten-month preliminary investigation. The anonymous card-phone emerges as the tool of choice for eavesdroppers, whether they are acting on behalf of a terrorist organisation (July 7) or a government or other legal entity (a possibility that cannot be ruled out in the Greek scandal).

This raises serious issues with the freedom the marketplace offers in the form of subscription-free connections. The ability to own a telephone connection without a name and address, made possible only in recent years by mobile telephony, should be re-examined. As the Greek experience has shown, the fact that mobile phones act as tracking devices, emitting a constant pulse to their nearest network antenna when they are on, may not be enough to render them traceable to their owners.

The second issue that needs to be examined is mobile companies' legal obligations to security, procedure and confidentiality in an age when politicians, diplomats, military officers and business people worldwide discuss matters of great moment, or even national security, on commercial networks. If their conversations can be tapped by hackers or corrupt engineers, then stronger safeguards need to be adopted.

For instance, procedures could be developed for dealing with breaches of security. We may never learn why Vodafone's CEO in Greece, George Koronias, de-activated the offending spy software more than 48 hours before informing the government. The fact that he did so deprived authorities of a possible lead. Koronias could have made a simple telephone call to the public order minister's office as early as Monday 7 March, when he had confirmation of the breach, instead of informing the minister on Friday. With hindsight, such breaches of company security should not be treated as purely corporate issues, but as public order ones as well.

Meanwhile, the key questions surrounding the Greek scandal remain unanswered: Who placed the software on Ericsson's mainframe, and how did they come by such expert knowledge of Ericsson's software? Was the software hacked onto the mainframe from the outside, or installed from the inside? And why was the software shut down so long before the government was informed about it? Koronias' assertion that the security of Vodafone's four million clients was supreme simply does not make sense. Only 100 people were being spied upon, not four million, and Koronias knew this.

The prosecutorial investigation underway may never answer the ultimate question of who placed the spy software inside Vodafone, but it can lead to legal reforms that will make it difficult to repeat the mistakes of this case.
