Common sense tells us the FBI and other police and intelligence agencies need Internet surveillance tools to track the communications of terrorists and other criminals. But the effort to extend the Communications Assistance for Law Enforcement Act to networks that Congress had no way of anticipating when it passed the law in 1994 is misguided.
The effort threatens not just the effectiveness of law enforcement but also the civil liberties of Internet users and the security of enterprise networks.
Early last month, Marcus Thomas, head of the FBIs cyber-technology section, debunked published reports of a sweeping new Internet wiretapping initiative by the agency. Mike Clifford, chief of the FBIs CALEA implementation section, elaborated, saying that a closed-door meeting Nov. 6 in Tucson with the nations largest carriers was simply an attempt to implement current law, not to expand Internet wiretapping authority.
"What we are interested in doing is developing—or having the industry develop—capabilities for identifying and isolating individual communications that are subject to guidelines of the law," Thomas said.
I take little comfort in that assertion—not because I doubt Thomas integrity, but because the very notion of building digital surveillance policy on laws designed to control analog wiretaps is rife with danger.
For example, its relatively easy to confine a court-sanctioned wiretap to a single telephone circuit, but what defines the limits of a tap on a packet-switched network? Is the authorized surveillance limited to data packets with headers containing specific routing information? In an Internet tap, is my online bank account as open to the police as my e-mail? In an analog world police need separate court orders to examine my financial transactions and listen to my communications.
And what about network security? From the perspective of enterprise IT, the FBIs insistence that equipment manufacturers produce CALEA-compliant routers with back doors available to police poses a potential vulnerability thats sure to invite corporate espionage.
As for civil liberties, Stewart Baker, former general counsel for the National Security Agency, said in October he believed the FBI was preparing a new plan to involve ISPs in enabling the agency to "pool" information to facilitate mass surveillance, as opposed to traditional, narrowly focused wiretaps. The FBI denies this, but, clearly, the potential to gather intelligence on thousands of people and companies by tapping a single router is very real.
Its time for lawmakers to replace CALEA with a new law that balances citizens privacy rights with police agencies needs for access to packet-switched networks and encrypted data.
Is network security jeopardized? Tell me why at email@example.com.