Charlie Savage reported in the NYT today that the Obama administration “is on the verge of backing a Federal Bureau of Investigation plan for a sweeping overhaul of surveillance laws that would make it easier to wiretap people who communicate using the Internet rather than by traditional phone services,” in particular by fining firms that do not comply with wiretap orders. Susan Landau, author of Surveillance or Security? The Risks Posed by New Wiretapping Technologies, writes in with a reaction about what is at stake:
On the face of it, the new FBI proposal to fine companies that don’t comply with wiretap orders seems eminently reasonable. If law enforcement satisfies the Wiretap Act requirements for a court order, surely the communications provider should deliver the goods.
This view of wiretapping is mired in the 1960s, when each phone was on a wire from the phone company’s central office, and a wiretap consisted of a pair of alligator clips and a headset. In the 1990s, cellphones and advanced services eliminated the wire and made it harder to tap. So we got the Communications Assistance for Law Enforcement Act (CALEA), which mandated that telecommunications carriers build wiretapping capabilities into the phone switches. Building communications intercept equipment into switches is dangerous. There were instances where unauthorized parties used such capabilities to break into the tap and eavesdropped, sometimes on very important people and sometimes for years (the cases are in Greece and Italy, though US CALEA-compliant switches were also not secure).
Now we have a new world with myriad services: Facebook, gmail, Skype, Republic Wireless, each one with a different architecture, some centralized (and thus with information “in the clear” at the provider), some peer-to-peer, some a mix. None of these are traditional carriers, so CALEA doesn’t apply. But the real issue, which the FBI does not seem to recognize, is that the providers of the infrastructure, the wire—or wireless signal, are different from the providers of the service. What this means is that sometimes the infrastructure provider has the content, sometimes the communications provider has the content, and sometimes no one does but the sender and receiver (which is actually the most secure way to communicate).
As the New York Times reports, the FBI has a plan of “fining companies that do not comply with wiretap orders [while] start-ups with a small number of users would have fewer worries about wiretapping issues unless the companies became popular enough to come to the Justice Department’s attention.” This rather misses the point. If the architecture is such that the company can’t get at the content, then the company can’t get at the content.
The FBI plan is really about cost shifting. When wiretapping was about alligator clips, law enforcement paid the full costs of a tap. With CALEA, the government reimbursed the service providers $500 million for retrofitting old switches to be CALEA compliant, but the companies had to pay the costs of doing so for new infrastructure (law enforcement does pay for the work involved in executing a particular tap, but not the cost of creating the infrastructure). What the FBI wants to do now is have communications services wiretap compliant with private industry footing the bill.
Here’s the problem. Sometimes the provider is completely able to see the communication; such is the case for Google and Facebook, since their advertising model is built on knowing what the user is interested in. But sometimes it is not, really not, and to make it so means either completely redoing the service or building in communication backdoors. Both are not only expensive, but the latter is also dangerous.
The CALEA approach is about making it easier to intercept communications, but with all the cyberexploitation and cyberattacks we face, the government should be working to secure communications. And indeed, some other parts of the government are doing so. See, for example, NSA’s efforts to secure communications networks and the military’s investment in security systems that hide who is communicating with whom. Yes, such systems can be used by the bad guys — and sometimes are — but they are even more needed by the good guys, whether they are law-enforcement or national-security investigators, reporters, human-rights workers, or simply businesspeople protecting intellectual property.
The Wiretap Act grants law enforcement the right to wiretap under certain circumstances, but admittedly modern communciations technologies make that difficult. The right answer to the problem is for law enforcement to pay for the whole kit and kaboodle of wiretapping costs — not just for the cost of doing the individual tap, and also for the cost of building the infrastructure that enables it. And it needs to be clever in its approach if straightforward methods for wiretapping don’t work. The FBI has already used “interesting” techniques in some cases; the NSA has been doing so for years. (One idea for wiretapping in such instances is here.)
The FBI says that all it wants is the capablities offered to it by the Wiretap Act, but once one understands the real import of the proposal, it is both an insidious technology mandate and an enormous cost shift rolled into a single innocuous sounding package. The full cost of wiretapping should be borne by the parties who use it, not by the tech and telecommunications companies, whose business should be providing innovative and secure communications services. Goodness knows we need it.