Reports that federal law enforcement and national security officials want to create new regulations to help them intercept electronic communications raised a sense of déjà vu for Cindy Cohn.
Cohn, legal director at the Electronic Frontier Foundation, remembers when these same issues arose in the 1990s, a time when the Clinton administration was pushing the Communications Assistance for Law Enforcement Act (CALEA) and the now-defunct “Clipper chip.”
The government’s story at the time was the same, centering on concerns about criminals and others using the technology for nefarious ends. But just as it was a bad idea then, she said, it is a bad idea now.
“This isn’t a question where there’s this thing that can make us safer, should we do it or should we not do it,” she said. “This thing that they want won’t make us safer. It will make us more vulnerable. Not just to government misuse, but to third parties.”
According to the New York Times, federal law enforcement and national security officials want to require all services that enable communications, from Skype to Facebook to BlackBerry, to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages, the Times reported. The Obama administration plans to introduce the bill to lawmakers next year.
An FBI spokesman told eWEEK that law enforcement has “struggled to keep pace with evolving communications technology” for decades, and noted that CALEA was “needed to preserve law enforcement’s surveillance capabilities as digital switching and wireless telephony advanced.”
According to the Times, the rules appear to be coming together around these ideas: Communications services that encrypt messages must have a way to unscramble them; foreign-based providers that do business inside the United States must have a domestic office capable of performing intercepts; and developers of peer-to-peer software must redesign their service to allow file interception.
However, these changes could present security risks of their own, for example, opening up backdoors that could be exploited by attackers.
“Abuse of backdoors by hackers or other foreign governments should be a major concern,” opined Forrester Research analyst John Kindervag. “If our government is able to get into these systems or look at this traffic, then other entities will be able to do so. We must disabuse ourselves of any notion that our government can do it in a manner that is completely secure and cannot be exploited by non-authorized or malicious actors. This could lead to things as dangerous as creating intentional flaws or decrementing the security implementations of SSL/TLS, as an example. In theory, this could be disastrous for e-commerce.”
A backdoor is a backdoor, Cohn said, adding that the government already has the ability to do wiretaps with its existing authority.
“If you want a secure thing, it’s got to be secure, period,” Cohn said. “It just doesn’t work to try to make something insecure only against one possible [entity]. … Right now the government has so many different ways to get access to our communication with really very little justification, and very little court oversight. Taking away our ability to do encryption is just another hit, and it’s one that I think again has tremendous collateral effect.”
Valerie Caproni, general counsel for the FBI, reportedly told the Times that authorities were not talking about “expanding authority.”
“We’re talking about lawfully authorized intercepts. … We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security,” she said.
Earlier this year, several tech companies and privacy groups banded together to push for reforms to the Electronic Communications Privacy Act (ECPA), which was enacted in 1986 to establish a framework for extending government monitoring of telephone communications to electronic communications on computers. The Senate Judiciary Committee held a hearing on proposed updates to the bill Sept. 22.
“Privacy, public safety and security are not mutually exclusive goals. … If citizens are confident that their privacy rights will be protected online, they will be more comfortable using American communications technologies at home and at work,” said Sen. Patrick Leahy, D-Vt., committee chairman, in a statement.
But while balance must be struck between privacy and security in some cases, the proposal outlined in the Times report is not one of them, Cohn said.
“There are … security-based reasons that it died the last time,” she said. “There are definitely civil liberties reasons that it died the last time too.”