Not Being Able To Spy On Everyone Online Is A Feature, Not A Bug
from the tell-the-FBI dept
With the recent news coming out that the feds plan to introduce dangerous legislation early next year to mandate backdoors for wiretapping into every form of internet communications, plenty of people have expressed their horror at such a plan. It’s not just the basic questions of due process and privacy, but the massive burdens lumped upon all sorts of companies, combined with the equally worrisome security holes opened up by such demands.
Julian Sanchez has a wonderful article over at the American Prospect discussing just how problematic this plan would be:
But the current proposal is far more radical, in part because the Internet is not much like a traditional phone network. To see why, consider Skype, a popular program that allows users to conduct secure text chats, phone conversations, video conferences, and file transfers. Skype is designed as a distributed peer-to-peer network, meaning there’s no central hub or switching station through which calls are routed; only the login server used to register members as they sign on to the network is centralized. Calls are encrypted end-to-end, meaning that only the end users who are parties to a call hold the secret keys to secure the conversation against online snoops. There’s no device Skype can install at their headquarters that would let them provide police with access to the unencrypted communications; to comply with such a mandate, they’d have to wholly redesign the network along a more centralized model, rendering it less flexible, adaptable, and reliable as well as less secure.
Skype is just one of the thousands of firms, large and small, that would be burdened with the obligation to design their systems for breach. We’ve already seen how this can cause security vulnerabilities on traditional phone networks: In 2005, it was discovered that unknown hackers had exploited wiretap software built into Vodafone Greece’s computer system for law-enforcement use to eavesdrop on the cellular phone conversations of high Cabinet officials and even the prime minister. Designing for surveillance means, more or less by definition, designing a less secure, more vulnerable infrastructure. It’s for just this reason that similar proposals were wisely rejected during the Crypto Wars of the 1990s, a decision that helped give rise to a thriving online economy that’s wholly dependent on strong encryption.
It’s not just hackers who could exploit such vulnerabilities, of course. A network architecture designed for the convenience of American law enforcement also necessarily makes eavesdropping easy for the many regimes whose idea of a “national-security threat” includes political dissent or blasphemous speech. And there’s always the threat of interception by insiders: An engineer at Google was recently fired for using his privileged access to snoop into the private accounts of several teenage users. One way to alleviate such concerns is for firms like Google to enable end-to-end encryption, so users can feel secure that even the company’s own employees won’t have the keys needed to read their communications. The government’s proposal would deny them the ability to make that promise.
Sanchez also has a wonderful line towards the end. In discussing why law enforcement would obviously love this kind of access (while also highlighting its widespread past abuses of wiretapping ability), he notes:
But while governments may consider it a bug when network architecture renders such sweeping surveillance infeasible, citizens should probably regard it as a feature.
An important feature, too, and one that we shouldn’t easily part with just because a government with a history of abusing surveillance rights doesn’t want to do any legwork anymore.
Filed Under: internet, spying, surveillance, us government
Comments on “Not Being Able To Spy On Everyone Online Is A Feature, Not A Bug”
A fair idea
If they have a back door into my computer, I get a back door to theirs. It’s all about openness in government, isn’t it?
Re: A fair idea
This is a really good point. How long after these mandates are in place will it be before hackers have the backdoor figured out and ALL government systems are compromised?
Re: Re: A fair idea
About 3 weeks before the plan is “officially” to be put into action.
Re: Re: A fair idea
There have been persistent rumors that Evil Hackers have used the DCS-3000/DCS-6000 systems for their own uses.
The DCS systems are the ones formerly known as “Carnivore” and mandated by the CALEA.
Re: Re: A fair idea
Happened about 5 to 10 years ago.
Of course, this is probably where the tap could be (and is, if you believe the theory that the SIGINT agencies don’t consider Skype a problem) implemented, by listing certain users or IPs whose communications are to be routed to a certain set of machines under the control of NSA/FBI/other TLA agency. What are the statuses of breaking the Skype protocol and reverse-engineering the binary now?
Re: #3
Now, I’m not pretending to be a network expert, but if the FBI et al tap the login server, the only data they’re going to get is that X is talking to Y. The computers at Skype headquarters don’t actually transmit or receive any of the actual conversation data. That information is stored on whatever computers that X and Y are using.
Re: Re: #3
If you tap the login server, you could probably impersonate one of the users and get in that way. You’d probably also have to alter the client software to broadcast to multiple peers (including the FBI) rather than just one.
It’s doable, but it does open up a lot of security holes though.
Re: Re: #3
The point is that the proposed legislation would require Skype to change the way it works so that the authorities could intercept the person-to-person conversation. One bad option would be a re-route through a central server.
Among Mike’s points is one that this might break Skype. Another is that it would make Skype much less desirable to users.
Making things suck for government’s convenience, or making technology crawl so that our own governments can spy on us is policy more becoming of North Korea or China. Not the USA.
The consequences are dire. If this passes, all residents of New Hampshire will die. (Or at least need to change their license plates.)
What's shocking
is that the argument is about the technology limitations, rather than our government wishes to have this kind of power.
Re: What's shocking
Ummmm…what article are you reading? This article is about why it’s bad for the government to have this kind of power, it just goes into tech-talk to give one explanation for why it’s bad. I’m presuming you didn’t read “A network architecture designed for the convenience of American law enforcement also necessarily makes eavesdropping easy for the many regimes whose idea of a “national-security threat” includes political dissent or blasphemous speech.”
God I hope this goes through. If everything is easily tapped it’ll be so much easier for the really tech savvy and motivated to get the login passwords of different government officials (probably not the higher ups, but a good number of the lower echelon passwords will be up for grabs). The media spectacle following the massive amount of information that gets leaked will probably be enough of a reason for me to start watching the news again.
On the plus side, this sort of attitude is what causes the Justice Department to actively fight against three-strikes legislation, because that would encourage people to encrypt everything.
If it's true, it could be big business.
Question:
Why else do you think AT&T was allowed to go on its M&A spree a few years ago?
Answer:
It was because they had a solid business plan with forward-thinking, marketplace defining, consumer-friendly business practices that place customer satisfaction as #1 priority and at the center of their business.
Yup…of COURSE you can trust the government. Just go ask a native American Indian! (rolling my eyes)
For The Children! (tm)
It will be interesting to see which congress-critters jump onboard to sponsor this sort of legislation, then rush home to froth about government over-regulation and interference with business.
Subject
This would make way for peeping toms to spy on your wife’s beach vacation photos, your daughter’s pool party pictures and would allow pervs to snoop around in your family’s email and online banking transactions and even tax information.
Yep. Sounds like a good idea!
Here’s another great idea, why not let the movie and music industry spy on your family and children too? They would LOVE to do this, and no doubt these “spy” laws can be helpful to them too!
YAY!!!!
Re: Subject
I get that spying on people’s beach and pool photos makes you a peeping tom, but I don’t understand the relationship between pervs and bank/tax records.
Dan Brown
What’s surprising me here is that this is pretty much the plot of Dan Brown’s “Digital Fortress”. American law enforcement want to be able to tap everything, so they build a supercomputer able to crack any encryption…
Skype wouldn't be hard to change
I’m no expert, but I think Skype’s protocol would be very easy for the company to compromise. It’s been capable of conference calls for years, all Skype needs to do is introduce a “feature” that silently adds a third caller when the login server asks it to.
Admittedly one of the users might notice that Skype was using more bandwidth than usual – or that it’s now transmitting to two places instead of one – but there are various ways to make it harder to spot. For example, they could increase the compression so the perv/scammer/spy/carefully-vetted law enforcement officer gets a lower quality but still audible signal. Or just pay a few people to spread rumours about Skype’s ridiculous new encryption that interferes with its compression under certain circumstances…
1984
1984 was a book, not an instructional guide.