The story of journalists hacking into the voice mails of princes, police, celebrities, sports figures, and ordinary people has caught everyone's attention. It's the story of politicians too cozy with the press and police too friendly with the people they're investigating -- all of which meant investigations didn't happen when and how they should have. It's been described as the biggest scandal in British politics in seventy-five years, and it is possible that it will bring down the current coalition government.
For those of us in communications security, the events across the pond are mesmerizing -- and all too familiar. It started with a common problem -- insecurity. In this case, it was the access mechanism for voice mail messages. At the time the hacking began, two of the three major carriers -- O2 and Vodafone -- allowed customers to use a preset PIN for accessing cell phone messages. The predictable result: many users didn't change the default, and so the hackers -- people hired by News of the World and other News International papers -- tried the limited number of default numbers. Often they got in.
But this was not the only problem. Sometimes when service advisers would help customers change their PINs (e.g., if customers lost a phone), the service representative knew the key. And then, according to a Member of Parliament, at various times -- unknown at present whether this includes the current set of hacking cases -- "There is clear evidence that in some cases rogue staff members [of mobile phone companies] sold information to investigators and reporters." A worse breach was "pinging." The New York Times has reported that the rogue British newspaper paid off police to find people's precise locations through the "pings" of their of their cell phones to towers.
The latter is, of course, an important investigatory technique for law enforcement; it is one increasingly used for locating high-value targets. Being able to track someone at this level of specificity presents a huge privacy and security risk, and so law enforcement and security officials were supposed to employ it on a case-by-case basis and only for targets of high importance (the Times reported it was to be limited to "high-profile criminal cases and terrorism investigations"). But procedures were subverted -- police submitted requests after being paid off by the paper -- and the risks are enormous.
In the debates about wiretapping in the U.S., there has been little focus on rogue wiretapping. This is not to say such things haven't happened; for example, through the 1980s and 1990s, the LAPD often wiretapped without the required court order. And the 2007 Department of Justice Inspector General report on the FBI use of exigent letters -- letters requesting immediate access to telephone records with claims to service providers that subpoenas would follow -- found various problems: no paper trail for some requests (only a verbal request), dates and other specifics of the surveillance missing (so much more information was supplied than ought to have been), fishing expeditions to discover the circle of contacts a potential target had.
Could the situation in Britain happen here? Start with the observation that any big organization has bad apples. We don't know if the Greek case, in which one hundred senior members of the government were wiretapped by parties unknown, had its start with an insider, but it is a fair assumption that the ten-year illegal wiretapping of Italian judges, politicians, celebrities and sport figures used phone company insiders to enable the taps. The Stuxnet worm was spread through an infected USB stick, meaning an insider, perhaps unwittingly, enabling the worm's spread through an Iranian nuclear facility. Rogue insiders happen. In recent decades the CIA had Aldrich Ames and the FBI had Robert Hanssen. Britain had Kim Philby. And let us not forget Whitey Bulger, the recently arrested crime boss who has been charged in connection with nineteen murders. Lawmen protected Bulger for decades -- he was an FBI informant -- even while he was committing violent crimes.
So it is quite ironic that the same week the news about the News of the World hacking was finally breaking, Congress held a hearing on data retention, the proposal that Internet service providers be required to retain customer network address, dates and time of access, etc, for eighteen months. This proposed law would require the service providers to keep this data for everyone -- not just the people that law enforcement has reason to believe have committed a crime.
Requiring such data retention boggles the mind. Storing eighteen months of such data on each and every American creates huge risk. There are risks of data breaches, of rogue reporters and police gone bad exploiting and accessing the data, of trusted insiders selling it for the right price. As both the police and News International reporters know, communications transactional information is remarkably revelatory. It tells you who is seeing whom when, who's important, how information is transmitted, who is in the know, who matters in an organization; if the data retained are ISP addresses, you learn who is looking at what on the Internet. In many ways, such information is much more valuable than the contents of the communication.
The FBI has been seeking data retention laws since 2006. For various reasons, including costs and threats to privacy, these law-enforcement efforts have not resulted in a law. Nor should there be one. This is not a dispute about privacy versus security, or about cost versus catching criminals. This conflict is about surveillance or security, and the issue is squarely about universal data collection and storage. Yes, there are cases when data retention would be valuable. But universal data retention raises serious security risks. The best way to secure data is not to collect it in the first place. Just ask John Yates, Gordon Taylor, Max Clifford, Tess Jowell -- and any of the hundreds whose cell phone messages were hacked. And toss out proposals on mandatory data retention.