Wednesday, September 29, 2010

Administration's desire to wiretap web could freeze the cloud

Yesterday I blogged about the feds' desire to wiretap the internet. So did a lot of other people. One of the best was by Rich Mogull, CEO of Securosis. His post on the Securosis blog, Proposed Internet wiretapping law fundamentally incompatible with security, gives only a glancing nod to privacy issues, but shows the hard technical and business realities of what the administration is proposing. And those are the realities that will put a stop to this proposal. As I've said before, as the government grows in size and scope, citizens' privacy becomes a barrier to continued growth. That means that privacy issues will have less and less effect on government plans.

Of course, there comes a point when private enterprise becomes a roadblock to continued government growth. We're almost there - but that's a topic for a different blog.

Rich read the same NYT article I did, and saw three likely requirements for the law as reported:

  • Communications services that encrypt messages must have a way to unscramble them.
  • Foreign providers that do business inside the United States must establish a domestic office capable of performing intercepts.
  • Developers of software that enables peer-to-peer communication must redesign their services to allow interception.

Looks simple enough, doesn't it? But that apparent simplicity reveals a fundamental ignorance. The first might be fairly simple, technically. But complying with it would make hacking into a system, whether using social engineering or technical means, much simpler.

To allow a communications service to decrypt messages, they will need an alternative decryption key (master key). This means that anyone with access to that key has access to the communications. No matter how well the system is architected, this provides a single point of security failure within organizations and companies that don't have the best security track record to begin with. That's not FUD -- it's hard technical reality.
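To make the single-point-of-failure argument concrete, here is an added example (not code from the original post or from Securosis) of the only design that satisfies the first requirement: each message is encrypted under a fresh content key, and that key is wrapped once for the recipient and once for a provider-held escrow key. The key names, the `Envelope` structure and the sample message are all constructed for this illustration; RSA-OAEP and AES-GCM stand in for whatever a real provider would use. The point the code makes is that the escrow private key opens every message from every user, so its holder, or anyone who steals it, has exactly the access the law demands and nothing limits that access to the cases a warrant covers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is one message as a provider would relay or store it (constructed
// format for this example). The random content key is wrapped once for the
// recipient and, when the provider has built in an interception capability,
// once more for the provider's escrow ("master") key.
type Envelope struct {
	Nonce           []byte
	Ciphertext      []byte
	KeyForRecipient []byte
	KeyForEscrow    []byte // nil when no escrow copy was made
}

// NewKeyPair generates a 2048-bit RSA key; used here for users and for escrow.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext under a fresh AES-256-GCM key and wraps that key with
// RSA-OAEP for the recipient. If escrow is non-nil the same key is also wrapped
// for the escrow holder: that one extra field is the whole "master key" access.
func Seal(recipient, escrow *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}
	env.KeyForRecipient, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, nil)
	if err != nil {
		return nil, err
	}
	if escrow != nil {
		env.KeyForEscrow, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, escrow, contentKey, nil)
		if err != nil {
			return nil, err
		}
	}
	return env, nil
}

// open unwraps the content key with priv and decrypts the message. Whoever can
// unwrap either copy of the key reads the message; the cipher does not care which.
func open(priv *rsa.PrivateKey, wrapped []byte, env *Envelope) ([]byte, error) {
	if wrapped == nil {
		return nil, errors.New("no wrapped key for this party")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// OpenAsRecipient is the normal path: the addressee reads the message.
func OpenAsRecipient(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	return open(priv, env.KeyForRecipient, env)
}

// OpenAsEscrow is the interception path: the escrow key reads any message that
// carries an escrow copy, regardless of who sent it or to whom.
func OpenAsEscrow(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	return open(priv, env.KeyForEscrow, env)
}

func main() {
	bob, _ := NewKeyPair()
	escrow, _ := NewKeyPair()
	env, _ := Seal(&bob.PublicKey, &escrow.PublicKey, []byte("hello bob")) // constructed message
	viaBob, _ := OpenAsRecipient(bob, env)
	viaEscrow, _ := OpenAsEscrow(escrow, env)
	fmt.Printf("recipient reads %q, escrow holder reads %q\n", viaBob, viaEscrow)
}
```

Note the asymmetry this exposes: without the escrow copy (`Seal` called with a nil escrow key) the provider can hand over every envelope it holds and still reveal nothing, because no key in its possession unwraps the content key. With the escrow copy, compromising one private key at the provider is equivalent to compromising every user's key at once, which is the concentration of risk the paragraph above describes.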

What business wants to make it easier for hackers to break in? But that is what this law would do. And it won't just affect businesses. Like your electronic bill pay? Say good-bye to it. Unless I miss my guess, this lovely idea would put banks out of compliance with either Sarbanes-Oxley or PCI-DSS, or both. For that matter, the credit card industry would probably have to shut down ... Maybe this one isn't such a bad idea. ;^)

The second point has the most potential for blatant harm. It could do serious damage to our international reputation, strain relations with those friendly to us, and possibly break down fledgling relationships with countries who are not necessarily well disposed to help us.

Requiring foreign providers to have interception offices in the US is more of a political than a technical issue, because once we require it, foreign companies will reciprocate and require the same of US providers. Want to create a new Internet communications startup? Better hope you get millions in funding before it becomes popular enough for people in other countries to use it. And that you never need to correspond with a foreigner whose government is interested in their actions.

Peer-to-peer networks, the third point, perhaps present the greatest difficulty technically:

There are only 3 ways to enable interception in peer to peer systems: network mirroring, full redirection, or local mirroring with remote retrieval. Either you copy all communications to a central monitoring console (which either the provider or law enforcement could run), route all traffic through a central server, or log everything on the local system and provide law enforcement a means of retrieving it. Each option creates new opportunities for security failures, and is also likely to be detectable with some fairly basic techniques -- thus creating the Internet equivalent of strange clicks on the phone lines, never mind killing the bad guys' bandwidth caps.

Rich goes on to point out some other issues, such as handing oppressive regimes monitoring tools they don't currently have for use against their citizens. That shows a lack of foresight on the part of the enforcers, but isn't as bad as (what I see as) outright lies claiming that this is just an effort to get back capabilities that the fluid nature of the internet and the readily available strong encryption tools have taken away. It is not that. It is an attempt to find an easier way to spy and get it built into the fabric of the Internet.

He also points out that the police do need the tools to do their job. But doing their job should not interfere with the security and operations of legitimate businesses just to make law enforcement's job easier.