April 24, 2017

NSA, the FISA Court, and Risks of Tech Summaries

Yesterday the U.S. government released a previously-secret 2011 opinion of the Foreign Intelligence Surveillance Court (FISC), finding certain NSA surveillance and analysis activities to be illegal. The opinion, despite some redactions, gives us a window into the interactions between the NSA and the court that oversees its activities—including why oversight and compliance of surveillance are challenging.
[Read more…]

Revisiting the potential hazards of the 'Protect America' act

In light of recent news reports about NSA wiretapping of U.S. Internet communications, folks may be interested in some background on the ‘warrantless wiretapping’ provisions of the Protect America act, and the potential security risks such wiretapping systems can introduce. Here’s a 2007 article a group of us wrote entitled “Risking Communications Security: Potential Hazards of the ‘Protect America’ Act”. http://www.cs.princeton.edu/~jrex/papers/PAA.pdf

CALEA II: Risks of wiretap modifications to endpoints

Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to require makers of secure communication tools to redesign their systems to make wiretapping easy. We argue that the plan would endanger the security of U.S. users and the competitiveness of U.S. companies, without making it much harder for criminals to evade wiretaps.

The FBI argues that the Net is “going dark”—that they are losing their ability to carry out valid wiretap warrants. In fact, this seems to be a golden age of surveillance—more collectable communications are available than ever before, including whole new categories of information such as detailed location tracking. Regardless, the FBI wants Congress to require that voice, video, and text communication tools be (re-)designed so that lawful wiretap orders can be executed quickly and silently.

Our report focuses in particular on the drawbacks of mandating wiretappability of endpoint tools—that is, tools that reside on the user’s computer or phone. Traditional wiretaps are executed on a provider’s equipment. That approach works for the traditional phone system (wiretap in the phone company’s switching facility) or a cloud service like GMail (get data from the service provider). But for P2P technologies such as Skype, information can only be captured on the user’s computer, which means that the Skype software would have to be changed to add a virtual “wiretap port” that could be activated remotely without the user’s knowledge.
[Read more…]