http://www.washingtonpost.com/blogs/wonkblog/wp/2013/05/17/how-the-fbis-online-wiretapping-plan-could-get-your-computer-hacked/?print=1
****
How the FBI’s online wiretapping plan could get your computer hacked****

The FBI is pushing for expanded
power<http://articles.washingtonpost.com/2013-04-28/world/38885216_1_wiretap-proposal-companies>to
eavesdrop on private Internet communications. The law enforcement
agency
wants to force online service providers to build wiretapping capabilities
into their products. But a group of prominent computer security experts
argues that mandating “back doors” in online communications products is
likely to compromise the security of Americans’ computers and could even
pose a threat to national security.****

The fundamental problem is that eavesdropping facilities are a double-edged
sword. They make it easier for the U.S. government to spy on the bad guys.
But they also make it easier for the bad guys to hack our computers and spy
on us. And, the researchers say, the Internet’s decentralized architecture
makes it particularly hard to build effective and secure wiretapping
capabilities online.****

Since the 1994 Communications Assistance for Law Enforcement Act (CALEA),
telephone companies have been legally obligated to build wiretapping
capabilities into their telecommunications equipment. But CALEA didn’t
apply to Internet-based communications technologies. The result, the FBI
says, is that its surveillance capabilities are “going dark,” as criminal
suspects increasingly shift to digital communications platforms that don’t
offer real-time interception capabilities.****

In response, the government is reportedly seeking to impose CALEA-type
requirements on Internet services. But rather than mandating the
implementation of specific surveillance standards, as the original CALEA
did, the government’s proposal would fine online service providers who
failed to comply with a wiretapping request from the government — leaving
it to each individual firm to decide the best way to comply.****

Crucially, according to
reporting<http://articles.washingtonpost.com/2013-04-28/world/38885216_1_wiretap-proposal-companies>by
The Washington Post, the FBI proposal would apply even to “Internet
phone calls conducted between two computer users without going through a
central company server.” In a paper published
Friday<https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf>by the
Center for Democracy and Technology, more than a dozen prominent
computer security experts warn that such a requirement would be a disaster
for the security of online communications.****

If information isn’t flowing through a central server, then the only way to
intercept it is to add surveillance software to the user’s PC. But popular
software is constantly being probed by hackers seeking vulnerabilities they
can exploit. The more complex a system, the more likely programmers are to
make mistakes that could provide hackers with an opening. And surveillance
features are particularly dangerous, the researchers argue.****

“The cleverest and most dangerous cyber-attackers are those who are able to
not only compromise a system but also to evade detection,” they write.
“That is also precisely the objective of a government surveillance
solution.”****

Even worse, a huge number of companies could be forced to comply with the
government’s proposed regulations. Ed Felten, a computer scientist at
Princeton and one of the paper’s authors (and, full disclosure, my graduate
adviser) points out that a growing number of companies are adding
peer-to-peer communications capabilities to their products. For example,
many multi-player video games include built-in facilities for players to
communicate with each other in real time.****

A wiretapping mandate could greatly increase the complexity of these
products, raising development costs and increasing the likelihood of
security vulnerabilities. Chris Soghoian, a computer security researcher
and the principal technologist at the American Civil Liberties Union, notes
that even the largest technology companies struggle to keep their products
secure. “Google has hundreds of engineers doing nothing but security,” he
says. Yet Google is still routinely discovering new security problems in
its most popular products.****

Perhaps the most serious concern the researchers point to is the danger a
wiretapping mandate could pose to national security. Many government
agencies use the same communications software as do private firms. Which
means that wiretapping mandates could make the software the government
itself uses less secure.****

“When vulnerabilities in the equipment such as back doors and malicious
code can be exploited by another country it becomes a priority and a
national security concern,” said Rep. Mike Rogers (R-Mich.) at an October
hearing. <http://www.youtube.com/watch?v=ApQjSCUpt4s> Rogers was referring
to Huawei and ZTE, two Chinese telecommunications companies Rogers
suspected of helping the Chinese government to spy on Americans. But
Soghoian argues the same point applies to backdoors mandated by the U.S.
government. They will make American communications technologies more
vulnerable to online attacks. And no one has more resources to devote to
looking for security vulnerabilities than foreign governments.****

This is more than a hypothetical concern. In 2005, the Greek government
discovered<http://www.washingtonpost.com/wp-dyn/content/article/2007/08/08/AR2007080801961.html>that
an unknown party was intercepting the phone conversations of Prime
Minister Kostas Karamanlis and dozens of other senior officials in the
Greek government. They had been under surveillance for almost a year.****

The attack was made possible because the Greeks were using off-the-shelf
telecommunications equipment. Thanks to CALEA and similar laws in other
countries, the gear came with built-in wiretapping capabilities. The
wiretapping feature was only supposed to be activated with the approval of
Greek authorities. But someone, likely a foreign government, figured out
how to activate the wiretapping feature without the Greeks noticing.****

According to the authors of the CDT paper, an Internet version of CALEA
would be much worse. Right now, only large, sophisticated
telecommunications firms are subject to CALEA requirements, and they have
carefully-designed procedures to ensure that wiretapping capabilities are
not abused. An Internet version of CALEA could apply to many more firms,
including many small software firms that can’t afford to hire dedicated
personnel to design, administer, and audit their surveillance capabilities.
So it’s likely that some of those firms will make mistakes that will leave
many users’ computers vulnerable to attack.****

Worst of all, the researchers say, the proposed mandate is unlikely to even
be effective. People who want to evade surveillance will inevitably find
ways to modify the software on their computers to deactivate the
eavesdropping feature, just as many people today “jailbreak” their
smartphones to activate forbidden features. Indeed, some popular
communications software is open source, making it trivial to build a
version of the software with the wiretapping feature removed. So an
Internet wiretapping mandate will do little to help the government spy on
the bad guys, while reducing security for everyone else.****

According to Matt Blaze, a computer science professor at the University of
Pennsylvania and another paper co-author, the current debate over online
wiretapping echos the debate over cryptography in the 1990s. During the
Clinton administration, the federal government sought to limit the use of
cryptography out of fear that it would undermine the government’s
surveillance capabilities. They promoted a “key escrow” regime in which
Americans who used encryption would be required to provide the encryption
keys to the government for use in subsequent investigations.****

By the mid-1990s, research by Blaze and others had demonstrated that the
government’s key escrow scheme was impractical. Meanwhile, the spread of
full-strength cryptographic software proved unstoppable. So by the end of
the decade, the Clinton administration — wisely, in Blaze’s view — gave up
and stopped trying to limit the use of cryptography. They concluded that it
was more important for law-abiding Americans to have secure communications
capabilities than to continue to wage a hopeless war against cryptography.**
**

Blaze believes that policymakers today should draw the same lesson. “It’s
hard enough to build a system that tries to solve the relatively simple
problem of people who want to communicate securely,” he says. Adding a
requirement that the government be able to intercept the communication
makes the process “much more complex and therefore much harder to do
securely.”****

** **

-- 
-- 
Thanks for being part of "PoliticalForum" at Google Groups.
For options & help see http://groups.google.com/group/PoliticalForum

* Visit our other community at http://www.PoliticalForum.com/  
* It's active and moderated. Register and vote in our polls. 
* Read the latest breaking news, and more.

--- 
You received this message because you are subscribed to the Google Groups 
"PoliticalForum" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.


Reply via email to