Today I joined a group of twenty computer scientists in issuing a report criticizing an FBI plan to require makers of secure communication tools to redesign their systems to make wiretapping easy. We argue that the plan would endanger the security of U.S. users and the competitiveness of U.S. companies, without making it much harder for criminals to evade wiretaps.
The FBI argues that the Net is “going dark”—that they are losing their ability to carry out valid wiretap warrants. In fact, this seems to be a golden age of surveillance—more collectable communications are available than ever before, including whole new categories of information such as detailed location tracking. Regardless, the FBI wants Congress to require that voice, video, and text communication tools be (re-)designed so that lawful wiretap orders can be executed quickly and silently.
Our report focuses in particular on the drawbacks of mandating wiretappability of endpoint tools—that is, tools that reside on the user’s computer or phone. Traditional wiretaps are executed on a provider’s equipment. That approach works for the traditional phone system (wiretap in the phone company’s switching facility) or a cloud service like GMail (get data from the service provider). But for P2P technologies such as Skype, information can only be captured on the user’s computer, which means that the Skype software would have to be changed to add a virtual “wiretap port” that could be activated remotely without the user’s knowledge.
Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss.
Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system.
Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks.
Our report discusses other issues, such as the impact of a wiretappability mandate on the ability of U.S. companies to compete in international markets. The bottom line is that the harms that would result from the FBI’s plan vastly outweigh any benefits. The cybersecurity problem is bad enough as it is. Let’s not make it any worse.
[Signers of the report are Ben Adida, Collin Anderson, Annie I. Anton (Georgia Institute of Technology), Matt Blaze (University of Pennsylvania), Roger Dingledine (The Tor Project), Edward W. Felten (Princeton University), Matthew D. Green (Johns Hopkins University), J. Alex Halderman (University of Michigan), David R. Jefferson (Lawrence Livermore National Laboratory), Cullen Jennings, Susan Landau (privacyink.org), Navroop Mitter, Peter G. Neumann (SRI International), Eric Rescorla (RTFM, Inc.), Fred B. Schneider (Cornell University), Bruce Schneier (BT Group), Hovav Shacham (University of California, San Diego), Micah Sherr (Georgetown University), David Wagner (University of California, Berkeley), and Philip Zimmermann (Silent Circle, LLC). Affiliations are for identification purposes only. CDT coordinated the creation of the report.]