Wiretaps

The records obtained were not just for a few individuals, but a broad-ranging request that included reporters, their editors, and even the general numbers for office buildings.  There is, so far, no official explanation of what was being investigated, but it may be related to a leak.

This is not how a free society is supposed to work.

FreedomSight quotes a Washington Post article (that has since expired) in reference to the possibility for warrantless wiretaps of suspected Al Qaeda members within the US.

I don't have any objection to wiretapping suspected Al Qaeda members. 

I do object to doing it without going through the legal niceties of obtaining a warrant.  No administration is above the law, and however much I prefer this President to the democratic alternatives, he is dangerously cavalier about such things.

I've been avoiding the NSA wiretapping issue because it's fairly complex, and my attention has been demanded on other things lately (and will likely get a lot worse soon, as the holidays end and work ramps up again).  However, this post at SaysUncle doesn't look good for the President.  It's one thing to argue back and forth about whether warrants are needed for one class of surveillance or another, it's a different thing entirely to deliberately flout the law when the judges in charge of issuing FISA warrants have begun to examine your requests more closely -- and even deny some of them (a literally unprecedented occurance in 22 years!).

If the true motive of the shift in warrant practices is to evade a FISA court growing less placid about issuing warrants, as has been alleged, I have only one word to describe the President's conduct on this matter:

Impeachable.

I'm all for wiretapping the enemy in time of war.  And I'm willing to cut a lot of slack when we're talking about international calls to suspected terrorists.  But we're not talking about the enemy necessarily; we're talking about people the administration thinks might be the enemy.   They might also be loyal American citizens.  And the war on terror will most likely never end (just examine the fate of other "state of emergency" executive orders to see how many are still active). 
   
But the key here is motive.

To deliberately evade the requirements of the law is to place yourself above it; and such a deliberate choice requires a response both swift and firm.

To do so over a mere 179 modified requests (plus two denied) from a total of 5645 is to demonstrate an outright contempt for the checks and balances necessary in a free society. 

I have my doubts as to whether the "enemy press" has accurately identified the whole story.  But if it has, the President has crossed the line.

UPDATE: The Hammer of Truth has similarly resisted calling for impeachment... but is now seriously considering it.

According to a Carnegie Mellon press release, $450 per student... totaling $7 billion for all universities.  They want remote access, 24 hours a day, 7 days a week; and they have a law that they are twisting into knots to suggest that it's a legal requirement.  The last time we had this issue was with the phone companies; they made a fuss at the time, as well, but it ended up being settled when the government offered to pay a substantial portion of the cost.  Sadly, I predict that this dispute will end the same way.  

Not satisfied with the new snooping powers granted by the PATRIOT Act, the Department of Justice is now asking the Federal Communications Commission to allow law enforcement the power to regulate the design of Internet communications services to make them easy to wiretap.

If implemented, the new request by Attorney General John Ashcroft would dramatically increase the government?s surveillance powers and set a precedent for opening the entire Internet to law enforcement. By forcing technology companies to build ?backdoors? in their systems for wiretapping, the Ashcroft plan would also create weaknesses that hackers and thieves could use to invade your privacy and steal personal information like credit card numbers.

The government already has more than enough power to spy on individuals suspected of wrongdoing. This measure is the equivalent of requiring all new homes be built with a peephole for law enforcement agents to look through.

The Senate Commerce Committee has before it S. 2281, introduced by Sen. John Sununu (R-NH). It is a broad bill on VOIP and is generally deregulatory. CDT has learned that several Senators are planning amendments that would extend to VOIP services the wiretap design requirements of "CALEA."

CALEA is the Communications Assistance for Law Enforcement Act of 1994. It required traditional phone companies to build into their switches various capabilities so phone calls can be easily wiretapped. When Congress passed CALEA, it explicitly excluded the Internet from the scope of these surveillance mandates. As implemented, CALEA has proven to be a costly design mandate. The FBI used the law to get capabilities it never used to have in the traditional phone system. CALEA has become a straightjacket, and is especially ill-suited to the Internet. Extending CALEA to VOIP and the Internet would be bad for innovation, cost, privacy and security.

The CDT brings us this opportunity to oppose extending the provisions of CALEA to the Internet. If you remember the 90's, CALEA was an issue at that time as well; at that time it only applied to telephone technology. Wiretap technology is invasive enough without forcing those designing new technologies to bear the cost of inventing a wiretap mechanism for the FBI at the same time.

The telecom industry should stop bellyaching and accept a law that was written to help keep the good guys and bad guys on a mostly level playing field. Yes, I know a smart crook can use crypto technology, but most crooks aren't all that smart. Thus we find wiretaps useful all the time against people who ought to know they are being wiretapped, such as murder suspect Scott Peterson (news - web sites) and the late mob boss John Gotti.

The mistake here is a subtle one. Clearly, to declare a technological "safe zone" for criminals and terrorists where wiretapping is impossible would not be a good idea. Although wiretaps are themselves excessively invasive for most criminal cases, there are same cases involving sophisticated criminals where wiretaps are a vital necessity; the obvious answer, in this day and age, is espionage or even terrorism.

But the question is not as simple as whether to allow wiretapping on VoIP or not. The question is: who should develop the technology, and bear the costs of that development? And more importantly, does the government have the power to impose a legal requirement of wiretapping capability upon all new communications technology?

Let's start by examining what you really need in order to do VoIP. You need a fast internet connection, a reasonably fast computer, speakers, a microphone, a sound card of some kind, and a software package at both ends. Alternatively, you can replace either or both ends with a gateway to a more traditional telephone.

In practice, what this means is that anyone with a computer can develop VoIP technology. We're not just talking about telecommunications giants here; we're talking about open-source programmers, who have already developed applications that provide VoIP capabilities.

So, if CALEA is expanded to include VoIP, do open-source programmers now face a legal requirement to write their software with a wiretap backdoor? I can promise you right now that such a requirement will not play. Because it's open source, the wiretap capability will be both obvious and easily removed. Programmers in other countries, not subject to US law, will develop VoIP software without the government backdoors. And there's no central server required for this.

In essence, this is the same fight that happened over publically available cryptography. Once the technology becomes publically available in software form it cannot be completely suppressed. And, yes, the fact that open-source cryptography is available means that sophisicated criminals will be able to encrypt their VoIP communications whether the police have a special wiretap control or not.

So VoIP wiretaps are doomed to failure against sophisticated users no matter what, unless the US decides to erect legal barriers to open-source software development in blatant violation of the First Amendment. Even if such barriers are erected, programmers in other nations will develop the features required. Again, sophisticated users (which, in this context, means spies and terrorists) will have the software they need to conceal their communications.

In fact, in some existing cases, the government has taken steps to defeat encryption used by the criminals they wanted badly enough. They did so not by using backdoors, but by installing a "key-logger" to acquire the user's password and encryption keys. They didn't need industry help to do that. And they don't need it to take similar measures today. It does make their job harder, by forcing them to request a secret warrant to install their device. But the Patriot Act has substantially reduced the burdens for such warrants in cases of national security or terrorism.

So if the government has a legitimate national security interest, they can figure out a way to evesdrop. Existing cases and technology, including key loggers and Carnivore, demonstrate that law enforcement agencies are fully capable of making surveillance happen when they think it is worthwhile.

So the real question is whether ordinary people will have the capability to communicate securely, and how difficult it will be for the government to obtain access to their communications. I think that the First Amendment sets a very high standard for the use of wiretaps against ordinary people, and our current legal standard for that use is too low -- in part because of CALEA, which mandates not merely that the capability for wiretapping exist, but that the technology be capable of wiretapping about 5% of the population at any given time.

Do you want the government listening to that percentage of our conversations? 5% is far, far more people than could be considered a national security threat at any given time. Extending that capability by extending CALEA would be extending a grave mistake made under the Clinton administration, a mistake that makes a mockery of the First Amendment.

And speaking of the Clinton Administration, the FBI under their watch tried to implement something called the Clipper Chip. This was the public name used to refer to technology that would automatically decrypt encrypted communications for a government listener in embedded devices -- like, for example, cell phones. The government couldn't get their Clipper Chip proposal to pass, because it was rightly viewed as far too threatening to free speech.

The Clipper Chip was a hardware-oriented proposal. But today, software-based encryption is perfectly capable of realtime operation, as required for VoIP applications. What the government is effectively demanding is the Clipper Chip proposal all over again -- that is, legally-required government decryption capabilities for all telecommunications devices.

That's not what they are asking for right now. They're just asking for the technical capability to wiretap. But in systems that are heavily software based and use encryption technology, the "technical capability" will be interperted to mean "bypassing any encryption". So we are back to a legal mandate for government snooping on anyone, anywhere, at any time... and only terrorists, spies, and open-source programmers will be able to circumvent the technology.

But privacy concerns aren't the only reason to oppose this government edict. If CALEA is ruled to apply to VoIP, which is really just a specific type of data moving over the Internet, then CALEA can be broadly interperted to apply to the entire Internet, since VoIP technology is just another application moving data from point A to point B. Do we really expect to reengineer the entire internet to permit convenient evesdropping of up to 5% of its users at once?

No. Any such attempt would inevitably fail, and quite possibly destroy the Internet in the process.

The fact is, this issue is not about whether terrorists and spies will be able to evade evesdropping. They will, inevitably, be able to do so. The question is whether law enforcement will be forced to spend its own resources to develop evesdropping technology, or whether the telecommunications providers will be forced to develop it themselves... and what will happen to the open-source programmers who refuse as a matter of principle to include surveillance technology into their software.

Law enforcement has very little technical expertise. Instead of developing that expertise they demand that the telecommunications industry provide it. The attempt to do so further demonstrates their ignorance of the field, because the telecommunications industry is made up not only of vast telephone companies, but now also of many thousands of individual programmers.

All the components of VoIP technology, including encrypted technology, are now public knowledge. Any competent programmer can assemble his own own VoIP application from scratch within a year working outside of the US. This cat is well-and-truly out of the bag; it is impossible for government to mandate universal evesdropping capability.

Law enforcement has its own budget to implement evesdropping solutions that apply to their specific needs. They have demonstrated the capability to do just that when faced with a criminal they want to wiretap badly enough. This is the appropriate solution; let government spend its own resources rather than forcing limitations on technological advancement. Imposing requirements on the industry to facilitate extensive, invasive surveillance is inappropriate and, indeed, a practical impossibility. Let law enforcement build their own wiretapping capabilities if they can. Anything else is doomed to failure.

If you're at all concerned about computer security, you need to understand what security methods are useful and which have known flaws that render them useless.  With the growing popularity of WLAN (wireless local-area networking) I felt it was important to point out that the FBI can crack the WEP standard for wireless encryption in about 3 minutes.  The more secure standard for wireless networking is WAP, but a safer solution is probably not to depend on the wireless networking encryption at all.  Encrypt the data itself, not just the transport.