Tuesday, September 28, 2010

Law enforcement wants to wiretap the Internet

The New York Times reports that the Obama administrations wants to make it easier to wiretap the internet. Charlie Savage reports that the government is seeking the ability to monitor any communication on the internet - including encrypted communication. They want to do this by requiring communications providers to have back doors that allow them to decrypt communications if a legal wiretap order is obtained.

The desired law would require companies that provide encrypted email, such as Research in Motion (RIM), and social networking sites, and peer to peer messaging providers would all have to provide the means for government access to communications over their networks. It would also require people writing software for peer to peer networks to include the means for the government to spy on their users.

What you think of this idea depends, in part, on how much you trust the government not to abuse the system. It also depends on how much faith you have in the idea that these back doors will not be accessed and exploited by hackers:

Steven M. Bellovin, a Columbia University computer science professor, pointed to an episode in Greece: In 2005, it was discovered that hackers had taken advantage of a legally mandated wiretap function to spy on top officials’ phones, including the prime minister’s.

Gotta love it. Legally mandated 'enforcement' access is turned on the enforcers. And Dr. Bellovin believes that once back doors are engineered into the systems in the US, they will be exploited. I have to ask, with the number of unknown exploits that are discovered by white and black hat hackers every day, how long will it take the black hats to find the ones they know are there because they are legally required?

Some of the reasons being given don't really show a need for the proposed law, but a failure to understand the technology:

But as an example, one official said, an investigation into a drug cartel earlier this year was stymied because smugglers used peer-to-peer software, which is difficult to intercept because it is not routed through a central hub.”

So in order to make it possible for the government to spy on peer to peer networks, we're going to require they be routed through a central server? Then it's no longer peer to peer. And the added expense will kill most peer to peer softwares, anyway. But that's really what the government wants to happen.

And for some reason, government officials seem to think there is a reasonable similarity between cell phones and the internet: They also noted that critics predicted that the 1994 law would impede cellphone innovation, but that technology continued to improve. In 1994 cell phones were still a fledgeling technology. They had been around for a couple of decades, but the networks and userbase were still (relatively) small. The internet is a 40 year old technology involving a huge network with almost 2,000,000,000 users, almost 300,000,000 of them in North America. The amount of legacy hardware and software is almost unimaginable. Comparing making a fundamental change to the structure of the Internet now to making a fundamental change to cell phones in 1994 is ridiculous.

I agree with Benjamin Franklin. To paraphrase, anyone willing to give up some freedom for some security will wind up securely without freedom. I'm distrustful of anything that makes it easy for the government to spy on law abiding citizens, even (or maybe especially) if it is pushed as being necessary to catch bad guys. The Patriot Act was "necessary." Tapping the vast majority of phones in the U.S. was "necessary." Making it possible for the government to access all communications is "necessary." I don't think so.