Proposed bill will require wiretapping, cryptographic insecurity of services operating within the USA.

28 September 2010

Once upon a time, monitoring someone's communications was a relatively simple matter for law enforcement: someone was sent out to the pole or the side of the house with a hex driver to patch a transmitter onto the pair of wires leading into the building; whenever the line went off-hook it would kick on and send both ends of the conversation to a listening post some distance away. Since then, technology has changed just a bit (consider this my entry for the Understatement of the Year Award), and the powers that be are finding themselves hard pressed to keep up. In 1994 a law called CALEA (the Communications Assistance for Law Enforcement Act) was passed. CALEA requires that communications carriers be able to wiretap their customers at the request of a law enforcement organization, and it has since been extended to non-traditional carriers such as Voice-over-IP providers like Vonage. This is a relatively simple matter on the back end because, to satisfy CALEA, carriers buy telecom hardware and software with lawful-intercept functionality already built in (yes, even VoIP softswitch platforms like BroadSoft's BroadWorks).

Unless, that is, your communications avoid centralized systems entirely, or are encrypted end to end with keys the provider never holds, using algorithms that would take astounding amounts of computer time to brute-force. A tap at the carrier then yields nothing but ciphertext.

US LEOs have grown increasingly concerned about communications "going dark", traffic they have no ready surveillance access to should they require it, and so are preparing a bill for Congress in 2011 that would require all communication services used in this country (encrypted or not, telecom or not) to be CALEA compliant. Social networking websites like Facebook and MySpace would have to be able to give LEOs access to all users' content (both public and private); so would webmail services like Gmail and Hushmail (though both already comply with court orders, so this is basically a belt-and-suspenders example). Even decentralized systems like Skype and some instant messaging platforms would have to be able to provide decrypted traffic on demand. Foreign telecom companies that do business within the US would have to set up domestic surveillance offices to comply if they want to keep doing business here, and communications software projects would have to install back doors.

In the twenty-first century it goes without saying that the powers that be are afraid of terrorists communicating over media that they are unable to monitor. Slightly closer to home, another stated reason is the investigation of a suspected drug cartel that made use of peer-to-peer software (what kind isn't stated, but educated guesses could be made) and strong cryptography. Law enforcement was able to intercept some of their communications but was unable to decrypt any of it. Thus, the bill would also require that the manufacturers of communications devices (like Research In Motion, maker of the nigh-ubiquitous BlackBerry) put backdoors into their cryptographic implementations so that their traffic can be decrypted more readily once a court order is issued. It wouldn't surprise me if vendors that implement cryptosystems (such as SSL or SRTP) were forced to backdoor their code in the same way, the better to decrypt eavesdropped traffic. Many of the big net.entities that would be affected by this bill have not said word zero about this potential development, possibly because the bill is still on the drawing board, but also because they know which side their bread is buttered on.

The problem they face lies in forcing everyone to comply. They can't. While a certain amount of the Net is going to be compromised as the organizations that the US government can push around do forklift upgrades and roll out patches, the rest is going to ignore the directives as long as they can. We can expect a certain number of services to move offshore to jurisdictions where the bill doesn't reach, if only to save themselves money in the long run. We can also expect some services to evolve into a more loosely connected form such that not all of the nodes that comprise them will be compromised. This includes open source software development projects whose members span multiple countries. You can't force them to put a backdoor in: an interception hook has to be documented well enough to actually function, and once it is known, anyone building from source can take it out or rework it to generate spurious output (anybody want to write an Asterisk module that turns voice traffic routed through it into a rickroll, forcing admins to fall back on the default point-to-point mode?). You can't stop people from using peer-to-peer software to communicate, either, if only so they can get their porn fixes. There's a reason that the penalties for running peer-to-peer file sharing programs on the job are so draconian: it's easier to fire people and make an example of them than it is to block the software, because it's designed to exploit whatever access to the public Net it can find.

The ACLU has already made its position known, but that's really about it. Some of the people who fought the crypto wars in the late 1990s will take up keyboards and microphones once again, this time joined by a new generation of people who don't care to be surveilled, are technically literate, and are willing to act in everyone's best interests. The general push toward even more decentralized services is already underway (from file distribution to instant messaging, voice comms to social networking) and shows no signs of slowing down. The bill shouldn't affect any services on machines not within CONUS, though it's possible that a Red, White, and Blue Firewall might be erected (for pity's sake read and sign this!) to ensure that people use tappable communications services and don't get their hands on software that they can't control. For that matter, the bill won't be able to force open source software projects to comply, because they're too easy to host in other legal jurisdictions and, by their very nature, they could be un-compromised by commenting out a couple of lines of code and recompiling.

It also stands to reason, to anyone with a lick of common sense, that if anybody up to no good is planning something, they're going to take it offline, or encrypt it themselves with tools that already exist before handing it to a tappable service; a mandate binds the provider, not the people using it.

For the rest of us, it looks like it'll be time to build a list of distributed applications.