Experts: Fed's Push for More Wiretapping a Recipe for Security Disaster
A group of 20 security experts warns against FBI's proposal for "sweeping overhaul of surveillance laws"
As the New York Times' Charlie Savage reported, the FBI plan would entail a "sweeping overhaul of surveillance laws that would make it easier to wiretap people who communicate using the Internet rather than by traditional phone services."
Specifically, "The proposal would extend technical design mandates for 'wiretap readiness' to peer-to-peer communications tools," Joseph Lorenzo Hall of the Center for Democracy & Technology (CDT) writes. The report adds that it "could encompass a wide range of products and services, from instant messaging and chat to Skype to Google Hangouts to Xbox Live. It could include services offered through a variety of means, from stand-alone services to features built into web browser software and social networking sites."
And, the Washington Post reported,
Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. A company that does not comply with an order within a certain period would face an automatic judicial inquiry, which could lead to fines. After 90 days, fines that remain unpaid would double daily.
In their report, "CALEA II: Risks of Wiretap Modifications to Endpoints," the 20 experts warn that "A wiretap design mandate on communications tools is, plainly put, an opportunity for increased exploitation."
Hall sums up the security experts' argument:
First, wiretap functionality allows covert access to communications that can be exploited not only by law enforcement, but by criminals, terrorists, and foreign military and intelligence agencies. Wiretap endpoints will be vulnerable to exploitation and difficult to secure. Second, imposing the obligation to facilitate wiretapping on software developers forces them to choose between two dangerous, expensive, cumbersome options: they can either create a compliance department capable of responding 24/7 to law enforcement demands, or they can show personnel in law enforcement agencies worldwide how to exploit their software to harvest user communications. Finally, the wiretap capability that the FBI seeks will be ineffective because it is easily disabled and because knock-off products that lack the wiretap functionality can be readily downloaded from websites abroad. Because many of the tools that people use to communicate are built on open standards and open source software, it will be trivial to remove or disable wiretap functionality.
Ultimately, the group concludes, enacting this proposal would present greater security risks than not wiretapping at all. They write:
We believe that on balance mandating that endpoint software vendors build intercept functionality into their products will be much more costly to personal, economic and governmental security overall than the risks associated with not being able to wiretap all communications.