Who will save us from technological profiling?

Equalize, the scandal filling the news feeds in these hours, raises again all the issues posed by similar events in Italy and abroad, and highlights three of them in particular: the ‘loyalty’ of the civil servants entrusted with the power to enter citizens’ lives; the involvement of private entities in the provision of technological services to critical apparatuses of the State; and the need to ‘cut corners’ or to practice ‘plausible deniability’ on the part of institutions, companies and subjects in top positions, even in private sectors – by Andrea Monti – Initially published in Strategikon – Italian Tech – La Repubblica

The problem does not lie in regulations

Let’s clear up one doubt right away: the rules to prevent such phenomena and punish those responsible for them are there, and not just today. On paper, private dossier-taking has been prohibited since the 1930s when the Consolidated Law on Public Security established (and still establishes) in Article 134 that gathering information on other people was only allowed for holders of a licence issued by the Prefect. Since 1930, the Criminal Code has contained various rules that would prevent ‘from scratch’ the gathering of information on persons, such as those protecting the inviolability of the home and correspondence, and those punishing as unlawful interference in private life the behaviour of those who, by means of undue video recordings or recordings, obtain information on a person, and also those on the taking of control of public and private computer systems. Even the useless and cumbersome ‘GDPR’ of 2016 and, before it, Law 675 dating back as far as 1996, were supposed to make public and private information systems leak-proof. However, this seemingly insurmountable wall of laws, rules and (threatened) exemplary punishments proved to be very ineffective in curbing, on the one hand, the criminal propensity of those in charge of controlling the systems and, on the other hand, the need for certain activities of institutional interest to be attributable to private initiatives.

The (non-)control of technology and (leaks of) information

Markus Wolf, the last head of the foreign intelligence division of the East German secret service – the STASI – describes in his autobiography published in 1997 the complex system for managing the information collected by the STASI and stored on paper files. The material was divided into three parts, which were kept in separate and individually guarded locations: thus, those who wanted to access certain information had to go through a series of controls that greatly reduced the probability of unauthorised access. And to those who pointed out to him that the US was far ahead in information management thanks to computers, he replied that he could not trust machines that allowed kids to access NASA systems.

Wolf’s words anticipate by a few decades the problem caused by the use of technology for the management of critical information and the outsourcing of support and maintenance of platforms and equipment to private entities. The longer the chain of subcontracting, the more the control over the activities of those involved is loosened, which is increasingly delegated to ‘checklists’ and ‘certifications’ and less and less to punctual, concrete and targeted checks.

The more security checks are made on paper, the more the ‘invisible’, obscure IT proletarians, or employees entrusted with mere ‘orderly tasks’ – but who have the keys to enter the treasure room – operate below the threshold of perception of the ‘controllers’. In this way, they more easily become the object of the attention of the corrupters interested in buying information when they are not even selling it themselves.

At the same time, phishing and the whole arsenal of the perfect cyber fraudster, together with the lack of scrupulousness with which many online services are managed and the superficial behaviour of users, facilitate the commission of attacks even on private or individual accounts from which information of great value is often accessed (e.g. to blackmail).

AI, technology and dossiers

According to publicly available reports, one of the peculiarities of the Equalize case would be the use of ubiquitous artificial intelligence to ‘process’ the data obtained. In reality, its use to analyse data coming from computer systems and media is far from being exclusive to Equalize, if it is true that, for instance, generative AI has already been presented in the Italian hacker community for the analysis of large quantities of data collected in the context of judicial investigations.

This, however, should not be a scandal or cause for concern because the killer application of generative AI is precisely the possibility of extracting information from a series of files without necessarily having to use a database. Whether this happens for the writing of a dissertation or for the compilation of personal records or individual evaluations by criminal subjects makes little difference (notwithstanding the fact that these technologies are still unreliable in producing results that can be taken for granted without further verification).

The grey area of technological plausible deniability

More than the passive use of (relatively) advanced technologies to analyse data, what should raise concerns is the thinning – if not the elimination – of the boundary between institutional activities and criminal actions.

Whether this is the case in the Equalize affair is too early to tell and we will obviously have to wait for the outcome of the trial. Recent history, however, tells of several cases in which the intermingling of the institutional apparatus and the private sector has not always been handled transparently.

Starting in the 1970s, CryptoAG, a Swiss manufacturer of cipher machines, sold its secure communication equipment to over a hundred countries, allowing its real controllers (CIA and German intelligence) access to apparently secure communications for years. In 2015, again the US (but this time through the NSA), in collaboration with Danish authorities, spied on European leaders including Angela Merkel. In 2021, the UK was condemned by the European Court of Human Rights because of the opaqueness of the criteria for activating surveillance systems, i.e. for creating a bureaucratic process that allowed for deflection of responsibility for choices made.

These examples show empirically that, in the name of realpolitik, there may be cases in which intelligence activities cannot be conducted directly by the official bodies, and it becomes necessary – whether it is legitimate is another matter altogether – to make use of private operators not (formally) related to the established authority. It is not surprising, therefore, that there are companies that are set up ad hoc or that, while doing something else, lend themselves to cooperating in activities that must remain confidential even within the administration to which they belong, perhaps enjoying some sort of de facto immunity also for work of a different nature or performed for other clients.

Conclusions

In events like those of Equalize, there is always the risk of drifting towards cyberpunk novels, imagining hordes of hooded individuals who manage to take control of all the systems they get their hands on, thanks to the ubiquitous ‘sophisticated information technologies’ that only they have at their disposal, or towards spy stories conjuring up global conspiracy scenarios.

A more pragmatic approach, on the other hand, would require us to ask ourselves whether the time has come to streamline the chain of subcontractors in the management of critical information systems, and to intensify controls both on those called upon to provide technical support to judicial police investigations, and on companies operating in information brokerage, especially if they have institutional relations, in order to avoid the consolidation of ambiguous situations such as those that seem to have emerged in recent days.
