VoIP meets Wiretaps...
The telecom industry should stop bellyaching and accept a law that was written to help keep the good guys and bad guys on a mostly level playing field. Yes, I know a smart crook can use crypto technology, but most crooks aren't all that smart. Thus we find wiretaps useful all the time against people who ought to know they are being wiretapped, such as murder suspect Scott Peterson (news - web sites) and the late mob boss John Gotti.
The mistake here is a subtle one. Clearly, to declare a technological "safe zone" for criminals and terrorists where wiretapping is impossible would not be a good idea. Although wiretaps are themselves excessively invasive for most criminal cases, there are same cases involving sophisticated criminals where wiretaps are a vital necessity; the obvious answer, in this day and age, is espionage or even terrorism.
But the question is not as simple as whether to allow wiretapping on VoIP or not. The question is: who should develop the technology, and bear the costs of that development? And more importantly, does the government have the power to impose a legal requirement of wiretapping capability upon all new communications technology?
Let's start by examining what you really need in order to do VoIP. You need a fast internet connection, a reasonably fast computer, speakers, a microphone, a sound card of some kind, and a software package at both ends. Alternatively, you can replace either or both ends with a gateway to a more traditional telephone.
In practice, what this means is that anyone with a computer can develop VoIP technology. We're not just talking about telecommunications giants here; we're talking about open-source programmers, who have already developed applications that provide VoIP capabilities.
So, if CALEA is expanded to include VoIP, do open-source programmers now face a legal requirement to write their software with a wiretap backdoor? I can promise you right now that such a requirement will not play. Because it's open source, the wiretap capability will be both obvious and easily removed. Programmers in other countries, not subject to US law, will develop VoIP software without the government backdoors. And there's no central server required for this.
In essence, this is the same fight that happened over publically available cryptography. Once the technology becomes publically available in software form it cannot be completely suppressed. And, yes, the fact that open-source cryptography is available means that sophisicated criminals will be able to encrypt their VoIP communications whether the police have a special wiretap control or not.
So VoIP wiretaps are doomed to failure against sophisticated users no matter what, unless the US decides to erect legal barriers to open-source software development in blatant violation of the First Amendment. Even if such barriers are erected, programmers in other nations will develop the features required. Again, sophisticated users (which, in this context, means spies and terrorists) will have the software they need to conceal their communications.
In fact, in some existing cases, the government has taken steps to defeat encryption used by the criminals they wanted badly enough. They did so not by using backdoors, but by installing a "key-logger" to acquire the user's password and encryption keys. They didn't need industry help to do that. And they don't need it to take similar measures today. It does make their job harder, by forcing them to request a secret warrant to install their device. But the Patriot Act has substantially reduced the burdens for such warrants in cases of national security or terrorism.
So if the government has a legitimate national security interest, they can figure out a way to evesdrop. Existing cases and technology, including key loggers and Carnivore, demonstrate that law enforcement agencies are fully capable of making surveillance happen when they think it is worthwhile.
So the real question is whether ordinary people will have the capability to communicate securely, and how difficult it will be for the government to obtain access to their communications. I think that the First Amendment sets a very high standard for the use of wiretaps against ordinary people, and our current legal standard for that use is too low -- in part because of CALEA, which mandates not merely that the capability for wiretapping exist, but that the technology be capable of wiretapping about 5% of the population at any given time.
Do you want the government listening to that percentage of our conversations? 5% is far, far more people than could be considered a national security threat at any given time. Extending that capability by extending CALEA would be extending a grave mistake made under the Clinton administration, a mistake that makes a mockery of the First Amendment.
And speaking of the Clinton Administration, the FBI under their watch tried to implement something called the Clipper Chip. This was the public name used to refer to technology that would automatically decrypt encrypted communications for a government listener in embedded devices -- like, for example, cell phones. The government couldn't get their Clipper Chip proposal to pass, because it was rightly viewed as far too threatening to free speech.
The Clipper Chip was a hardware-oriented proposal. But today, software-based encryption is perfectly capable of realtime operation, as required for VoIP applications. What the government is effectively demanding is the Clipper Chip proposal all over again -- that is, legally-required government decryption capabilities for all telecommunications devices.
That's not what they are asking for right now. They're just asking for the technical capability to wiretap. But in systems that are heavily software based and use encryption technology, the "technical capability" will be interperted to mean "bypassing any encryption". So we are back to a legal mandate for government snooping on anyone, anywhere, at any time... and only terrorists, spies, and open-source programmers will be able to circumvent the technology.
But privacy concerns aren't the only reason to oppose this government edict. If CALEA is ruled to apply to VoIP, which is really just a specific type of data moving over the Internet, then CALEA can be broadly interperted to apply to the entire Internet, since VoIP technology is just another application moving data from point A to point B. Do we really expect to reengineer the entire internet to permit convenient evesdropping of up to 5% of its users at once?
No. Any such attempt would inevitably fail, and quite possibly destroy the Internet in the process.
The fact is, this issue is not about whether terrorists and spies will be able to evade evesdropping. They will, inevitably, be able to do so. The question is whether law enforcement will be forced to spend its own resources to develop evesdropping technology, or whether the telecommunications providers will be forced to develop it themselves... and what will happen to the open-source programmers who refuse as a matter of principle to include surveillance technology into their software.
Law enforcement has very little technical expertise. Instead of developing that expertise they demand that the telecommunications industry provide it. The attempt to do so further demonstrates their ignorance of the field, because the telecommunications industry is made up not only of vast telephone companies, but now also of many thousands of individual programmers.
All the components of VoIP technology, including encrypted technology, are now public knowledge. Any competent programmer can assemble his own own VoIP application from scratch within a year working outside of the US. This cat is well-and-truly out of the bag; it is impossible for government to mandate universal evesdropping capability.
Law enforcement has its own budget to implement evesdropping solutions that apply to their specific needs. They have demonstrated the capability to do just that when faced with a criminal they want to wiretap badly enough. This is the appropriate solution; let government spend its own resources rather than forcing limitations on technological advancement. Imposing requirements on the industry to facilitate extensive, invasive surveillance is inappropriate and, indeed, a practical impossibility. Let law enforcement build their own wiretapping capabilities if they can. Anything else is doomed to failure.
Check the groups below and enter your email address to receive updates by email:
The trackback URL for this entry is: http://triggerfinger.org/weblog/servlet/trackback/5876
No trackbacks have been posted so far.
No comments have been posted so far.