Police obtain wholesale access to encrypted e-mails and internet discussion groups used by activists
On 21 June 2005, members of the association Autistici/Inventati found out that an operation by the postal police in June 2004 may have resulted in the entire telecommunications traffic passing through their servers, and its contents, having been under surveillance for the last year in the context of police investigations into terrorist activities by anarchists. Autistici/Inventati is active in the field of privacy rights and provides encrypted Internet and e-mail services widely used by Italian activists, journalists, lawyers and student groups. Investici, a non-profit association that is responsible for the autistici.org and inventati.org domains, plays host to 500 websites, 600 discussion groups with 30,000 participants, and 5,000 e-mail accounts, and offered secure communications encrypted using an SSL protocol.
On 15 June 2004, the postal police went to the headquarters of the commercial web hosting company Aruba, whose server farm had Investici's servers in "housing" (providing space and connection, although ownership of and responsibility for the servers are exercised by Investici), to carry out enquiries in relation to specific e-mail accounts, demanding access to the computer belonging to Investici, which held the entire contents of the two domains that it runs. The investigation related to the e-mail account of the group Crocenera anarchica (Anarchist Black Cross, an anarchist collective), and Aruba allowed the police access to the computer, unplugging the server and allowing them to copy its contents and encryption keys, thus rendering the server's SSL protocol and security certificates ineffective. The company did not inform Investici, its customer, about this, and when Investici complained about the server being down, staff at Aruba lied, claiming that there was a problem related to the electric mains cabinet. A statement by Investici argues that this case "clinically certifies the death of digital privacy in Italy", adding that if it had been informed and its lawyers had been involved "the violation of thousands of users' privacy may have been prevented".
The association found out about these events a year later as a result of an investigation into Crocenera anarchica, seven of whose members were arrested in May 2005 in Rome and Bologna. Their website, hosted by ecn.org (an activist domain), was confiscated by the police, after the prosecutors' office argued that it included subversive material which may have been related to a letter-bomb campaign that targeted, among others, Romano Prodi, the former Commission president. ECN's lawyer Gilberto Pagani argued that the website did not contain "anything of the kind", and the arrests were annulled by a judge who considered them "unfounded". The appeal and a request for Autistici/Inventati to shut down the group's e-mail account resulted in the disclosure of some details of the investigations. This showed that the police had copied the contents of the server "acquiring information that could be used for a potential mass registration", according to a statement by Investici. The documents concerning the investigation that were handed over to the association include a report by the Reparto Operazioni Speciali (ROS, special operations unit) of the carabinieri (Italy's paramilitary police force) which sought to map the "insurrectionalist anarchist scene" and a report by the Divisione Investigazione Generale e Operazioni Speciali (DIGOS, special operations and general investigation division) unit of the police that describes the investigation which led to the intervention by the postal police. The DIGOS report includes the complaints by postal police officers analysing the traffic data of the Crocenera anarchica bulletin who wanted to de-crypt the e-mail communications of some suspects to confirm their suspicions over who had sent out which issue of the bulletin.
Investici stated that it will take legal action, file a complaint before the privacy ombudsman, and transfer its service to some new machines, as well as calling for a boycott of Aruba. The company claimed in a statement to have merely followed an order issued by the prosecutors' office in Bologna, and those given by the officers who executed it, adding that its staff could not refuse to carry them out and were not authorised to inform the people affected without incurring criminal sanctions of their own. It also stressed that the fact that it did not run the server, which was not its property and was only in "housing" at Aruba, meaning that it was unable to provide the postal police with only a limited section of its contents, something that it could have done in relation with servers that it did run itself. Nonetheless, this raises the issue of whether it had the authority to hand over the server's contents, and whether Investici, who was the owner and had responsibility over the server should have been responsible for allowing or refusing the police access to its servers. After all, it was not Investici, but rather a collective using its services, that was under investigation. Furthermore, the purpose for which the association ran the servers and related services was to provide a channel for secure communications for the groups and collectives using them, a purpose that it was unknowingly unable to fulfil, with consequences for its users.
For instance, the Genova Legal Forum (GLF) lawyers, a network that is defending many of the accused activists and is documenting abuses by police and carabinieri officers during the incidents at the G8 in Genoa in July 2001, used the Autistici/Inventati communication services - which may mean that their legal strategy and communications may have been under surveillance over the last year, contravening the rights to lawyer-customer confidentiality, a fair trial and privacy of communications. A statement by Autistici/Inventati expressed its regret for having used commercial services, drawing the conclusion that its members' "paranoia" with regards to the protection of its customers' data and communications had proved insufficient to protect them, in part because of an ill-placed faith in data protection legislation, adding that only what it refers to as "hard encryption" instruments "such as gpg" offer any guarantee.
It is not the first time that the Italian police and judicial authorities have interfered with material relating to events in Genoa, a process that started on the very week-end of the summit, with a police raid on the school from which Indymedia had been operating during the Summit in 2001. There were a large number of indiscriminate beatings, and raids on social centres and a trade union office linked to the Italian Indymedia network, as well as a Bologna office of the Associazione dei Giuristi Democratici (Association of Democratic Lawyers), on the same pretext of seeking "photographic/video material made by private individuals" relevant to investigations into July's G8 summit in Genoa (see Statewatch news online, February 2002). Moreover, lap-top computers were confiscated from two people acting as legal advisors for the GLF who were accosted by over a dozen policemen during a lunch break, when they attended a hearing in a trial involving activists in March 2005 in Milan. The confiscation was ordered by judges in Genoa who claimed that their court reports were "defamatory" towards them.
On 27 June 2005 another server hosting Internet privacy related services, called Firenze Linux Users Group (FLUG), issued a statement claiming that its server had been interfered with, due to the absence of some screws and details such as a missing CD-Rom cable and a side of the computer which was not correctly re-assembled.
Information about the case by Autistici/Inventati is available on: http://www.autistici.org/ai/crackdown/
The statement by Aruba is available on: http://assistenza.aruba.it/news.php?newsid=27
Punto Informatico, 24.6.2005
Il manifesto, 23.6.2005
Statewatch news online, February 2002
Misteri d'Italia newsletter, 27.6.2005
Statewatch News online | Join Statewatch news e-mail list | Search Statewatch database
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.