April 23, 2014

CALEA II: Risks of wiretap modifications to endpoints

Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to require makers of secure communication tools to redesign their systems to make wiretapping easy. We argue that the plan would endanger the security of U.S. users and the competitiveness of U.S. companies, without making it much harder for criminals to evade wiretaps.

The FBI argues that the Net is “going dark”—that they are losing their ability to carry out valid wiretap warrants. In fact, this seems to be a golden age of surveillance—more collectable communications are available than ever before, including whole new categories of information such as detailed location tracking. Regardless, the FBI wants Congress to require that voice, video, and text communication tools be (re-)designed so that lawful wiretap orders can be executed quickly and silently.

Our report focuses in particular on the drawbacks of mandating wiretappability of endpoint tools—that is, tools that reside on the user’s computer or phone. Traditional wiretaps are executed on a provider’s equipment. That approach works for the traditional phone system (wiretap in the phone company’s switching facility) or a cloud service like GMail (get data from the service provider). But for P2P technologies such as Skype, information can only be captured on the user’s computer, which means that the Skype software would have to be changed to add a virtual “wiretap port” that could be activated remotely without the user’s knowledge.

Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss.

Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system.

Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks.

Our report discusses other issues, such as the impact of a wiretappability mandate on the ability of U.S. companies to compete in international markets. The bottom line is that the harms that would result from the FBI’s plan vastly outweigh any benefits. The cybersecurity problem is bad enough as it is. Let’s not make it any worse.

[Signers of the report are Ben Adida, Collin Anderson, Annie I. Anton (Georgia Institute of Technology), Matt Blaze (University of Pennsylvania), Roger Dingledine (The Tor Project), Edward W. Felten (Princeton University), Matthew D. Green (Johns Hopkins University), J. Alex Halderman (University of Michigan), David R. Jefferson (Lawrence Livermore National Laboratory), Cullen Jennings, Susan Landau (privacyink.org), Navroop Mitter, Peter G. Neumann (SRI International), Eric Rescorla (RTFM, Inc.), Fred B. Schneider (Cornell University), Bruce Schneier (BT Group), Hovav Shacham (University of California, San Diego), Micah Sherr (Georgetown University), David Wagner (University of California, Berkeley), and Philip Zimmermann (Silent Circle, LLC). Affiliations for identification purposes only. CDT coordinated the creation of the report.]

Comments

  1. paul says:

    We had this discussion when the original CALEA was introduced, because the language of early drafts was ambiguous enough that it could be read to cover local area networks and even computer parts connected by cables (if those parts communicated by a recognizable protocol). Everyone back then agreed that the idea was absurd, because you can’t reliably get secret information into and out of devices that someone else owns and controls. (And if you can, then the device is hopelessly compromised, not really under the control of the owner, and shouldn’t be used for anything the owner cares about.)

    So nothing has really changed in a generation except, perhaps, the power of the surveillance-desiring powers that be.

    The last time around, what made the difference was the federal government offering piles of money to the telecommunications companies (operators and manufacturers) to cover the cost of installing additional wiretapping capabilities. I wonder how much money anyone would be willing to offer today.

  2. Jonathan Wilson says:

    I don’t care HOW bad the threat is, there is NO threat serious enough to justify this kind of monitoring.

  3. Hate them says:

    We are subjects.
    They register our children.
    Say what we can and cannot own.
    Say what age of girls we can marry.
    Say that we must obey the woman.

    The state and their global religion is our enemy.
    But we can do nothing about it.

  4. Alpha says:

    Skype is certainly a bad example here, because Microsoft can and does read everything: http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html

  5. Kamil says:

    I’m so confused — do they *really* think Linux or FreeBSD is going to willingly install backdoors into their operating systems for the feds?

    • Mikael says:

      Look at how many web browsers won’t even let you disable the Google search box, e.g. Opera

    • paul says:

      It’s not just backdoors. Remember that the target can’t know they’re being tapped. So there have to be special changes made to all the network status and logging tools so they won’t report connections made and data sent to certain addresses and/or ports, ditto for access points and routers. And then special changes to diff, grep and any other tool that might show hacked versions of the network and logging tools in use. And then more changes so that you couldn’t tell the diff and grep and so forth hadn’t been hacked….

      It’s as if you took Ken Thompson’s Reflections on Trusting Trust and used that section on hacking compilers as an operations manual instead of a warning.

    • Nathanael says:

      OpenBSD certainly won’t.

  6. Ander Humm says:

    Yeah, all the world should worry about Chinese hardware.

  7. Jinx says:

    “I would rather be exposed to the inconvenience attending too much Liberty than those attending too small degree of it.” Thomas Jefferson

  8. Slim says:

    Ah CALEA II vs Clipper II

    Love the disinformation on Skype.

    Skype is not P2P and hasn’t been for months. Even Ars Technica picked up on that. Skype == Cloud.

    Heise has proven that the content of Skype text messages is read by Microsoft, as have others.

    Several court cases even refer to Skype voice interception but I am not clear whether that happened with the assistance of MS/Ebay or rather by compromising the endpoint.

    While it is true that Skype could be made even more insecure by CALEA II, the difference will be marginal. Are we really supposed to believe that buggy-as-is Skype has no exploitable (and exploited) vulnerabilities?

    I wonder if all this CALEA II hubbub is merely a diversion from the fact that each and every one of us now voluntarily carries the equivalent of the ill-conceived Clipper chip around on a daily basis (with built-in microphone AND camera).

    Of course CALEA II must die. But unless the eminent security people use their talents and build a smartphone the end user can trust, the fate of CALEA II won’t make much of a difference.

    History has shown that the people who control your phone won’t think twice about assisting the spooks, whether the request is legal or not.

  9. Anon says:

    “Any Society that gives up a little Freedom for a little Security deserves neither and loses both.” – Benjamin Franklin

  10. JD says:

    re: “which means that the Skype software would have to be changed to add a virtual “wiretap port”” Anyone that thinks Windows, Skype, iOS, Android, etc… don’t already give their keys to the CIA is living in a fantasy world. This law isn’t about IRS bribeable big companies, it is about normal people who want to keep their speech free and secure.
    This is a clear violation of the civil right to free speech. Exactly the same as “we need invisible envelopes so we can read everyone’s mail…”

  11. Princess says:

    Merely want to express I’m lucky I came on the internet page.