So, what about Cybercrime in Switzerland?

Yesterday, I joined some people from Chaos Computer Club Zürich (CCCZH) to visit the Cybercrime Coordination Unit (KOBIK) in Bern. The background was a Freedom of Information Act based request by the CCCZH: KOBIK provides a list of domain names that host child pornography. It is seen as a voluntary DNS blacklist for ISPs (and all the large Swiss ISPs apply this list). Naturally, groups like the CCCZH are worried given the non-public and non-transparent nature of this list, lack of independent monitoring, and its possible implications for future expansion to other areas. This is not a theoretical danger, given that a court ordered Swiss ISPs to block swissjustice.net for “defamatory statements”.



$ dig @8.8.8.8 swissjustice.net any +short # google dns
"v=spf1 a mx ip4:72.34.40.81 ?all"
0 swissjustice.net.
ns1.mh.tc. accounts.elinuxservers.com. 2011102801 86400 7200 3600000 86400
ns1.mh.tc.
ns2.mh.tc.
72.34.40.86
$ dig @62.2.24.162 swissjustice.net any +short # cablecom.ch dns
$
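
Added example (not part of the original post): a small shell helper that compares `dig +short` output from a reference resolver and an ISP resolver and reports whether the ISP suppresses or rewrites the answer. The function names and the 192.0.2.10 address are constructed for illustration; REF_SAMPLE is the Google DNS output shown above.

```shell
#!/bin/sh
# Keep only the IPv4 address lines of `dig +short` output, sorted and de-duplicated.
# Quoted TXT/SPF strings and NS/SOA names do not match the anchored pattern.
a_records() {
    printf '%s\n' "$1" \
        | { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true; } \
        | sort -u
}

# classify REFERENCE_OUTPUT ISP_OUTPUT  -> prints a one-word verdict
classify() {
    ref=$(a_records "$1")
    isp=$(a_records "$2")
    if [ -z "$ref" ]; then
        echo "inconclusive"   # reference resolver has no address either
    elif [ -z "$isp" ]; then
        echo "suppressed"     # name exists, ISP resolver answers with nothing
    elif [ "$ref" = "$isp" ]; then
        echo "consistent"
    else
        # Different address: may be a redirect to a stop page, but also
        # ordinary CDN or geo-based answers, so verify by hand.
        echo "divergent"
    fi
}

# Reference answer copied from the transcript above (Google DNS).
REF_SAMPLE='"v=spf1 a mx ip4:72.34.40.81 ?all"
0 swissjustice.net.
ns1.mh.tc. accounts.elinuxservers.com. 2011102801 86400 7200 3600000 86400
ns1.mh.tc.
ns2.mh.tc.
72.34.40.86'

classify "$REF_SAMPLE" ""             # empty ISP answer, as in the transcript
classify "$REF_SAMPLE" "192.0.2.10"   # constructed redirect-style answer

# Live use, with the resolvers from the transcript:
#   classify "$(dig @8.8.8.8 swissjustice.net a +short)" \
#            "$(dig @62.2.24.162 swissjustice.net a +short)"
```
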

KOBIK, the Cybercrime Unit, invited us to look at the list. The head of the organization and his assistant gave a presentation on the background of the unit and their main activities. We asked several questions, and were repeatedly encouraged to write more questions or come for another visit any time.

Down to Earth in Switzerland

The atmosphere was very friendly, and we felt welcome. In some way they even wanted us to be there, to hear their side of the story. I have no reason not to believe what they told us, and I did not sense any hidden agenda. In contrast to other law enforcement agents I had contact with in the past, they did not seem to be much depressed about external influences or wrong decisions being made “above them”. In some way, Switzerland seems to be successful in buying its freedom in some areas, and, due to this independence and size, does not appear to be under the same non-stop heat of lobbyism as I am used to in Germany.
Knowing about our background, they constantly tried to assure us that they were against all sorts of “other” blocking activities, and that the lists were provided more as a side project to providers who asked about them, not because anyone would believe it is a particularly useful measure against child pornography, but to “spare children and families from accidentally stumbling across the content”. At the same time, they contact ISP and local law enforcement. They are well aware that DNS level blocks are no defense mechanism at all, and argue against IP level blocks for their coarse granularity and side effects (and any other categories of blocking for that matter).

Cybercrime’s Just Images

I reckon it’s still not much different in other European countries, but it still came as a surprise to us to experience that the whole Switzerland Cybercrime Coordination Unit, the (quote) “center of excellence for the public, authorities and Internet service providers about legal, technical and criminological issues on Internet crimes” plus “contact for foreign cybercrime authorities” (my emphases), has only 10 employees at a ~$1m budget. Maybe a somewhat special situation in Switzerland and for historical reasons, it still almost completely focusses on child pornography and display of violence (hard pornography is illegal in Switzerland). They will slowly expand into other directions in the future, but specifically grew out of a working group around a large child pornography case in the 90s, Operation Genesis. Also, they themselves argue that most crimes involve the real world and are better suited to be dealt with in the traditional departments.

Yes, Porn

How do they find the sites in the first place? They have three main sources: a form where anyone can report suspicious websites ‘anonymously’ (they do log IPs and don’t offer HTTPS!). Secondly, INTERPOL seems to maintain a somewhat broader list, but KOBIK verifies each site again for specific violations of Swiss law. They also seem to conduct a limited number of own investigations. The head of department didn’t go into detail about this area, not only because they cannot talk too much about their operational strategies, but also because the whole event was more focussed on blacklist creation, distribution and verification. I don’t believe the budget allows for many investigations after all. (a few numbers are at the end of this post)
Once the sites are added to the list, they are regularly checked again to see if content has changed. It sounded like a low number of countries and ISPs don’t cooperate well (but most do), and there isn’t much else they can do in such cases. The situation is different with pictures that directly involve Swiss citizens. In those cases they work together with the traditional pedocrime unit and try to seize the server.

Independent monitoring

So far there is no external inspection. Some ISPs seem to verify the content themselves before redirecting DNS (not all ISPs block all hostnames), which according to the KOBIK lawyer is perfectly legal to do in Switzerland. You get to see the website depicted in the screenshot, which ISPs can either self-host or use one hosted by KOBIK. Allegedly, IPs hitting the blocked sites are not stored/analyzed in any way, nor does KOBIK operate any honeypots or have legal or technical access to visitor information (no DPI/logging at ISPs). Most of the sites they deal with, at least concerning the blocks, are public websites full of advertisements and clearly not “insider exchanges”, and tend to move quickly. The turnaround time for the full list is only a few days (until most or all sites are either taken down or moved somewhere else), and most sites and pictures pop up again under a different name.

Need some hash?

Another growing area for KOBIK is the maintenance of a database of “100% illegal child pornography” hashes for various commercial forensic tools used by the different Kantons (states). Looking for (or at) evidence in child pornography cases is arguably not a very delightful job, so investigators more and more turn to automatic tools for that. KOBIK stated that they are careful about only including definitive matches and pick out only 100% clear-cut child pornography images for this.

Encryption and Tor

Given my background, I was naturally quite interested in their take on Tor, and how often they come across encryption. While they are not involved in the seizure or forensic analysis of machines very much, they did say that “apparently most pedo criminals have their blood somewhere else”.
KOBIK uses Tor in their investigations.

Technical

Once ISPs subscribe to the service and sign some paperwork, they get SFTP access to daily updated, zipped text files of hostnames.
KOBIK seemed genuinely interested in extending the cooperation towards research institutes, especially since they don’t have the manpower to properly follow up on developing trends (what kind of ISPs and ASNs are more involved than others in this business etc).

Conclusion

The current staff seems to have its heart in the right place. The list serves a well-intentioned purpose and was not introduced by external pressure, but as an internal idea, not alone to save the investigators the trouble to have to justify that some websites might still be up “days after a report came in.” Still, changes in political climate can come faster than KOBIK expects. Even if they can hold powers back for a while, in the end either heads will roll or, more likely, some people will want to keep their job. What if, some day rather sooner than later, something like Cleanfeed UK repeats in Switzerland? Will KOBIK stand against a court order? Not likely. And Torproject.org is already listed in several “civilized” blocklists around the globe. This is real.