FBI Pushes for Surveillance Backdoors in Web 2.0 Tools
The FBI pushed Thursday for more built-in backdoors for online communication, but beat a hasty retreat from its earlier proposal to require providers of encrypted communications services to include a backdoor for law enforcement wiretaps.
FBI general counsel Valerie Caproni told Congress that new ways of communicating online could cause problems for law enforcement officials, but categorically stated that the bureau is no longer pushing to force companies like RIM, which offers encrypted e-mail for business and government customers, to engineer holes in their systems so the FBI can see the plaintext of a communication upon court order.
“Addressing the Going Dark problem does not require fundamental changes in encryption
technology,” Caproni said in her written testimony (.pdf). “We understand that there are situations in which encryption will require law enforcement to develop individualized solutions.”
(“Going Dark” is the FBI’s codename for its multimillion-dollar project to extend its ability to wiretap communications as they happen.)
That’s a far cry from what Caproni told The New York Times last fall:
“No one should be promising their customers that they will thumb their nose at a U.S. court order,” Ms. Caproni said. “They can promise strong encryption. They just need to figure out how they can provide us plain text.”
Those remarks indicated the FBI seemed to want to revisit the encryption wars of the 1990s. That largely ended with the government scrapping its plans to mandate backdoors in encryption, after security researchers discovered flaws in the idea, and the National Research Council concluded that strong encryption made the country safer.
But that retreat didn’t satisfy Susan Landau, a privacy and cryptography expert who testified alongside Caproni in front of a House Judiciary subcommittee Thursday.
That’s because the FBI is still pushing for more online-communications companies to build real-time spying capabilities into their software, which Landau said will harm innovation and introduce security flaws that will be used against American companies, government agencies and citizens.
Innovation happens too fast on the internet to require companies that provide chat and voice-calling capabilities, which these days includes online games, social networking sites and a myriad of online chat and photo-sharing services, to comply with detailed wiretapping specifications that cost hundreds of dollars just to read, according to Landau.
“Requiring that internet applications with communications systems — [which] means anything from speak-to-tweet to Second Life to software supporting music-jam sessions — be vetted first will put American innovation at a global disadvantage,” Landau said. “For American competitiveness it is critical that we preserve the ease and speed with which innovative new communications technologies can be developed.”
And she added the wiretapping holes are serious security risks.
“Building wiretapping into communications infrastructure creates serious risk that the communications system will be subverted either by trusted insiders or skilled outsiders, including foreign governments, hackers, identity thieves and perpetrators of economic espionage,” Landau said in her written testimony (.pdf), pointing to incidents in Greece, Italy and the United States where equipment built to comply with U.S. wiretapping rules were subverted. Those rules, known as CALEA, were enacted in 1994 to require phone companies to engineer their networks to be wiretap-compliant. The rules were expanded by the FCC in the George W. Bush Administration to apply to ISPs as well.
The FBI’s further push for expanded powers to wiretap online communications in real time comes against the backdrop of revolutions in the Middle East that relied heavily on social media communication tools and as Secretary of State Hillary Clinton called for worldwide internet freedom.
“I urge countries everywhere to join the United States in our bet that an open internet will lead to stronger, more prosperous countries,” Clinton said Tuesday, speaking at George Washington University.
But Caproni argued that law enforcement officials are occasionally running into cases where criminals are using online communication tools that aren’t wiretappable in real-time, because the provider had not built-in that capability. Caproni did not mention that the FBI has not encountered a single case of encryption hampering its criminal investigations for the past four years, according to reports to Congress, nor that the FBI has never run into a single case over the last 10 years where it could not get the plaintext of a target’s communications.
Landau told Congress the FBI was overlooking some very good news.
“While there is a genuine problem with intercepting some communications, the FBI now has access to more
communications, and more metadata about communications, than ever before in history,” Landau said.
But Caproni said that’s not enough and the FBI needs to find new technical solutions — though she did add that the Obama administration has no “formal position at this time” about needed changes to the law.
But she warned Congress that the country was in danger from a surveillance gap.
“As the gap between authority and capability widens, the government is increasingly unable to collect valuable evidence in cases ranging from child exploitation and pornography to organized crime and drug trafficking to terrorism and espionage –- evidence that a court has authorized the government to collect,” Caproni said. “This gap poses a growing threat to public safety.”
Also on Thursday, the Electronic Frontier Foundation released some government documents about the FBI’s so-called Going Dark program, which it got under the Freedom of Information Act. Those documents show the project dates to 2006, and that the FBI had hired high-powered consultants from the Rand Corporation and Booz Allen Hamilton to help come up with solutions.
Saturday, February 19, 2011
FBI Pushes for Surveillance Backdoors in Web 2.0 Tools | Epicenter | Wired.com