Moving Rapidly Backwards on Security

10/13/2010 01:07 pm ET | Updated Oct 26, 2011

What is the FBI thinking? The bureau wants to roll back technology -- peer-to-peer voice communications -- and government regulations on encryption in order to be able to wiretap more easily. But our real security problem doesn't lie in law enforcement's inability to read criminals' and terrorists' on-line communications. Our real problems lie in the cyberintrusions into U.S. systems and a consequent need to secure U.S. communications.

Electronic communications used to be voice calls using a central provider (think AT&T). These were relatively easy for law enforcement to wiretap. Now electronic communications are peer-to-peer and encrypted messages. These confuse wiretaps because peer-to-peer communications travel in unexpected ways through the network, while encrypted communications thwart wiretaps because the communications are unintelligible without a decryption key. A bill being drafted by the FBI seeks to turn this situation around.

The bureau wants peer-to-peer services to redesign their systems so they can easily accommodate wiretapping -- another way to put this is that the FBI wants applications carrying voice to work like the centralized phone system. The FBI also wants communications carriers that supply encryption to decrypt encrypted wiretapped communications. But contrary to what might appear, these proposed policies would move the U.S. in a treacherous direction.

Making it easy for law enforcement to access voice communications means making it easy for others as well. These others include criminal groups and other nation states. In 1994, Congress passed the Communications Assistance for Law Enforcement Act (CALEA), mandating that all digitally-switched telephone networks be built "wiretap accessible." The question is "wiretap accessible" by whom? Consider what happened in Greece in 2004-2005. As a result of CALEA-type specifications built into the Vodafone Greece cellphone network, the communications of over one hundred leading members of the Greek government, including the Prime Minister, were eavesdropped upon for ten months by parties unknown. Nor was that situation unique.

Recently an IBM researcher found that a Cisco wiretapping architecture designed to accommodate law-enforcement requirements -- a system already in use by major carriers -- had numerous security holes in its design. This would have made it easy to break into the communications network and surreptitiously wiretap private communications.

The U.S. is a prime target for industrial espionage. In August, U.S. Deputy Secretary of Defense William Lynn III said that threats to U.S. intellectual property -- the inventions, processes, and business plans of U.S. industry -- "may be the most

Governmental key escrow -- an idea that publicly reared its head in 1993 and was abandoned later that decade -- means that key repositories, whether governmental or carrier-owned, become a rich target for attack. Redesigning peer-to-peer communications systems to simplify FBI wiretapping means redesigning peer-to-peer communications systems to simplify interception by anyone, including organized crime and other nation states. Even the most innocuous sounding proposal -- requiring overseas communications providers to have a U.S. office to accommodate law-enforcement wiretapping -- opens a dangerous door. This past summer the governments of the United Arab Emirates and India demanded that BlackBerrys, which provide strong communications security to their users, be redesigned to accommodate efforts at interception. If the U.S. requires a U.S. presence of overseas communications providers to enable access to wiretapping, other nations will demand the same of U.S. communications providers. The privacy and security of communications of overseas U.S. travelers -- think businesspeople -- will suffer.

The FBI proposal occurs at a time when our highly networked society affords law enforcement increasing resources. Communications interception provides rich material to government investigators. Cell phones and the use of transactional information -- the who, what, where of telephone calls and email -- helped find Khalid Sheikh Mohammed, the alleged plotter of the September 11 attacks, and Hamdi Issac Adus, one of the participants in the failed London bombing of July 21, 2005, for example.

In many instances, it's not that the FBI can't wiretap; it is just that the bureau can't do so cheaply. Encryption and peer-to-peer technologies make law-enforcement capture of conversations expensive. So instead of expending funds on individual wiretaps, the bureau wants communications systems redesigned to simplify its problems. This would come at a cost of unsecuring the communications of everyone else. It is a solution we can't afford. The FBI's proposal is dangerous, and its benefits simply do not outweigh its risks.