Police backdoor discovered in Italian alternative server

By EDRi · June 29, 2005

On 21 June 2005 the Italian collective Autistici/Inventati discovered a
major police backdoor on their server. The server hosts a large number of
websites, mailboxes, mailing lists and Internet services for NGOs,
grassroots activists and public interest associations. The backdoor had
been installed over a year earlier, on 15 June 2004, by the Italian "Polizia
Postale" (Postal Police), after a seizure ordered by the Procura di
Bologna (Office of the Public Prosecutor in Bologna) in the context of an
investigation into the anarchist collective Crocenera.

The legal owners of the server ('Investici', a legally recognised
association) were not informed, neither by the police nor by the public
prosecutor. The provider claimed that the downtime, caused by the police
taking the server off-line, was due to a power outage.

The police obtained the private key of the SSL certificate stored on the
server and installed several tools to monitor, intercept and decrypt all
the traffic going through the server, not only the traffic that was
actually relevant to the investigation. With the RSA key exchange that was
standard at the time, a copy of the server's private key is enough to
decrypt any recorded session negotiated with that key, so every user of
the server was exposed, not only the subjects of the investigation. There
is no actual proof that any data not relevant to the case under
investigation were collected, but the possibility is definitely there.

Autistici/Inventati are most furious about the fact that the server was
secretly monitored, intercepted and decrypted for a whole year. All the
traffic that passed through the server from over 30,000 people was
potentially intercepted. Their basic rights to privacy and to the presumption
of innocence until proven guilty, as guaranteed by the Italian constitution,
have been violated.

The collective discovered the backdoor on 21 June 2005, after 371 days of
potential snooping on personal and/or sensitive information. A first step
will be a formal complaint to the Italian Data Protection Authority; the
general legal strategy is still being discussed.

The server is still being hosted by ISP Aruba (based in Arezzo, Italy),
but Autistici/Inventati has clearly warned everyone that communication
going through that server is to be considered highly insecure, and they are
looking for a new hosting provider.

PRC (Partito della Rifondazione Comunista) members Titti de Simone and
Elettra Deiana, and Green Party members Mauro Bulgarelli and Paolo Cento
have already issued formal questions to the Minister of Communications in
order to find out whether the Postal Police, the Procura di Bologna and
Aruba S.p.a. have acted according to Italian laws on privacy and freedom
of speech.

Aruba has issued a public press release, stating that it merely complied
with Italian criminal law and that it reserves the right to sue
Autistici/Inventati and/or any other interested party for libel and
slander.

Autistici/Inventati web site
http://www.inventati.org/

English summary: “It’s not a private matter – it’s a matter of privacy” (21.06.2005)
http://www.autistici.org/ai/crackdown/

Press releases (in Italian)
http://www.autistici.org/ai/crackdown/stampa.html

Reply from the ISP: Caso Autistici, la replica di Aruba (28.06.2005)
http://punto-informatico.it/p.asp?i=53734&r=PI

(Contribution by Andrea Glorioso, Italian consultant on digital policies)