From http://www.edri.org/edrigram/number3.13/backdoor
29 June, 2005
On 21 June 2005 the Italian collective Autistici/Inventati discovered a major police backdoor in their server. The server hosts a large number of websites, mailboxes, mailing lists and Internet services for NGOs, grassroots activists and public interest associations. The backdoor had been installed over a year earlier, on 15 June 2004, by the Italian "Polizia Postale" (Postal Police), after a seizure ordered by the Procura di Bologna (Office of the Public Prosecutor in Bologna) in the context of an investigation into the anarchist collective Crocenera.
The legal owners of the server ('Investici', a legally recognised association) were informed neither by the police nor by the public prosecutor. The provider claimed that the downtime - caused by the Police taking the server off-line - was due to a power outage.
The police gained access to the private SSL certificate stored on the server and installed several tools to monitor, intercept and decrypt all the traffic going through the server - not only the traffic that was actually relevant to the investigation. There is no actual proof that any data not relevant to the case under investigation were collected, but the possibility is definitely there.
Autistici/Inventati are most furious about the fact that the server was secretly monitored, intercepted and decrypted for a whole year. All the traffic that passed through the server from over 30.000 people was potentially intercepted. Their basic rights to privacy and to the presumption of innocence until proven guilty, as granted under the Italian constitution, have been violated.
The collective discovered the backdoor on 21 June 2005, after three hundred and seventy-one days of potential snooping on personal and/or sensitive information. A first step will be a formal complaint to the Italian Data Protection Authority; the general legal strategy is still being discussed.
The server is still being hosted by the ISP Aruba (based in Arezzo, Italy), but Autistici/Inventati has clearly warned everyone that communication going through that server is to be considered highly insecure, and they are looking for a new housing provider.
PRC (Partito della Rifondazione Comunista) members Titti de Simone and Elettra Deiana, and Green Party members Mauro Bulgarelli and Paolo Cento have already issued formal questions to the Minister of Communications in order to find out whether the Postal Police, the Procura di Bologna and Aruba S.p.a. have acted according to Italian laws on privacy and freedom of speech.
Aruba has issued a public press release, stating that it merely complied with Italian criminal law and that it reserves the right to sue Autistici/Inventati and/or any other interested party for libel and slander.
Autistici/Inventati web site
http://www.inventati.org/
English summary: "It's not a private matter - it's a matter of privacy" (21.06.2005)
http://www.autistici.org/ai/crackdown/
Press releases (in Italian)
http://www.autistici.org/ai/crackdown/stampa.html
Reply from the ISP: Caso Autistici, la replica di Aruba (28.06.2005)
http://punto-informatico.it/p.asp?i=53734&r=PI
(Contribution by Andrea Glorioso, Italian consultant on digital policies)