Extending existing US wiretap laws to give federal agencies easier backdoor access to Internet communications -- especially real-time P2P services like VoIP -- will give, not only aid and comfort, but also technical assistance, to the country's enemies. Not to mention cyberthieves.
That's the stark warning given by a short, clear, and very persuasive paper signed by 20 academic and private sector security experts, including big hitters like BT's Bruce Schneier and EECS Berkeley's David Wagner.
"CALEA II: Risks of Wiretap Modifications to Endpoints" is a quick and relatively easy read. Recommended too, if only to confirm the government's shallow grasp of how the Internet actually works -- allegedly, anyway, because the precise details of the legislative overhaul remain speculative.
Here's the core point: The government is expected to mandate either centralized wiretap access to the Internet communications that continue to elude the FBI's grasp, or access at user endpoints. The former alternative being too onerous and costly to contemplate, the latter is more likely.
The background, as regular readers will recall, is the FBI's concern that surveillance is "going dark," as terrorists and other miscreants peskily abandon landlines, short-wave radios, and walkie-talkies as their preferred means of communication.
Back in 1994, the original Communications Assistance for Law Enforcement Act (CALEA) allowed federal authorities to eavesdrop on suspects by having telecommunications companies tap into conversations from centralized nodes on their networks. Now that communications increasingly involve multiple service providers and multiple access points, this is no longer a practicable option.
While it's possible in theory to extend the centralized wiretapping model to some VoIP services that still channel communications through a single access point, this would miss much of the traffic of interest -- and in any case, the communications might well be encrypted.
The preferred solution might be mandating vendors to modify end-user software to permit wiretap access. Here's where the serried ranks of security experts sound the alarm:
- First, an effective modification would -- indeed must -- conceal interception incidents from all parties to the communication. It follows that any bad agents capable of exploiting the breach will also be able to do so without detection.
- Second, if the network provider's cooperation is no longer needed, wiretap access will simply be unmediated, as far as we know, for multiple government agencies and their employees. Judicial oversight? That's another story.
- Third, once the access software is in the wild, why shouldn't just anyone have access, too -- also unmediated and undetected?
But the punchline features just the kind of techie twist the White House and Congress is capable of completely overlooking. With the increasing popularity of open-source software systems, including browsers, there's nothing to stop developers creating "forks" of the software without the backdoor monitoring capability.
The absurd result, as these bold dissenters point out, could be that terrorists and cybercrooks would use inaccessible, forked versions of the software, while the US government, and domestic corporations, would likely be stuck with the approved version.
Back to the drawing board, please.
— Kim Davis , Senior Editor, Internet Evolution