May 22, 2017

CALEA II: Risks of wiretap modifications to endpoints

Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to require makers of secure communication tools to redesign their systems to make wiretapping easy. We argue that the plan would endanger the security of U.S. users and the competitiveness of U.S. companies, without making it much harder for criminals to evade wiretaps.

The FBI argues that the Net is “going dark”—that they are losing their ability to carry out valid wiretap warrants. In fact, this seems to be a golden age of surveillance—more collectable communications are available than ever before, including whole new categories of information such as detailed location tracking. Regardless, the FBI wants Congress to require that voice, video, and text communication tools be (re-)designed so that lawful wiretap orders can be executed quickly and silently.

Our report focuses in particular on the drawbacks of mandating wiretappability of endpoint tools—that is, tools that reside on the user’s computer or phone. Traditional wiretaps are executed on a provider’s equipment. That approach works for the traditional phone system (wiretap in the phone company’s switching facility) or a cloud service like GMail (get data from the service provider). But for P2P technologies such as Skype, information can only be captured on the user’s computer, which means that the Skype software would have to be changed to add a virtual “wiretap port” that could be activated remotely without the user’s knowledge.
[Read more…]