Pages

April 29, 2013

FBI claims default use of HTTPS by Google and Facebook has made it difficult to wiretape


A government task force is preparing legislation that would pressure companies such as Face­book and Google to enable law enforcement officials to intercept online communications as they occur, according to current and former U.S. officials familiar with the effort.
Driven by FBI concerns that it is unable to tap the Internet communications of terrorists and other criminals, the task force’s proposal would penalize companies that failed to heed wiretap orders — court authorizations for the government to intercept suspects’ communications.
Rather than antagonizing companies whose cooperation they need, federal officials typically back off when a company is resistant, industry and former officials said. But law enforcement officials say the cloak drawn on suspects’ online activities — what the FBI calls the “going dark” problem — means that critical evidence can be missed.
“The importance to us is pretty clear,” Andrew Weissmann, the FBI’s general counsel, said last month at an American Bar Association discussion on legal challenges posed by new technologies. “We don’t have the ability to go to court and say, ‘We need a court order to effectuate the intercept.’ Other countries have that. Most people assume that’s what you’re getting when you go to a court.”
There is currently no way to wiretap some of these communications methods easily, and companies effectively have been able to avoid complying with court orders. While the companies argue that they have no means to facilitate the wiretap, the government, in turn, has no desire to enter into what could be a drawn-out contempt proceeding.
Under the draft proposal, a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. A company that does not comply with an order within a certain period would face an automatic judicial inquiry, which could lead to fines. After 90 days, fines that remain unpaid would double daily.
Instead of setting rules that dictate how the wiretap capability must be built, the proposal would let companies develop the solutions as long as those solutions yielded the needed data. That flexibility was seen as inevitable by those crafting the proposal, given the range of technology companies that might receive wiretap orders. Smaller companies would be exempt from the fines.
The proposal, however, is likely to encounter resistance, said industry officials and privacy advocates.
“This proposal is a non-starter that would drive innovators overseas and cost American jobs,” said Greg Nojeim, a senior counsel at the Center for Democracy and Technology, which focuses on issues of privacy and security. “They might as well call it the Cyber Insecurity and Anti-Employment Act.”
The Obama administration has not yet signed off on the proposal. Justice Department, FBI and White House officials declined to comment. Still, Weissmann said at the ABA discussion that the issue is the bureau’s top legislative priority this year, but he declined to provide details about the proposal.
The issue of online surveillance has taken on added urgency with the explosion of social media and chat services and the proliferation of different types of online communication. Technology firms are seen as critical sources of information about crime and terrorism suspects.
“Today, if you’re a tech company that’s created a new and popular way to communicate, it’s only a matter of time before the FBI shows up with a court order to read or hear some conversation,” said Michael Sussmann, a former federal prosecutor and a partner at the law firm Perkins Coie’s Washington office who represents technology firms. “If the data can help solve crimes, the government will be interested.”
Some technology companies have developed a wiretap capability for some of their services. But a range of communications companies and services are not required to do so under what is known as CALEA, the 1994 Communications Assistance for Law Enforcement Act. Among those services are social media networks and the chat features on online gaming sites.
Former officials say the challenge for investigators was exacerbated in 2010, when Google began end-to-end encryption of its e-mail and text messages after its networks were hacked. Facebook followed suit. That made it more difficult for the FBI to intercept e-mail by serving a court order on the Internet service provider, whose pipes would carry the encrypted traffic.
The proposal would make clear that CALEA extends to Internet phone calls conducted between two computer users without going through a central company server — what is sometimes called “peer-to-peer” communication. But the heart of the proposal would add a provision to the 1968 Wiretap Act that would allow a court to levy fines.
Challenges abound
One former senior Justice Department official, who is not privy to details of the draft proposal, said law enforcement officials are not seeking to expand their surveillance authorities. Rather, said Kenneth L. Wainstein, assistant attorney general for national security from 2006 to 2008, officials are seeking “to make sure their existing authorities can be applied across the full range of communications technologies.”
Proponents say adding an enforcement provision to the 1968 Wiretap Act is a more politically palatable way of achieving that goal than by amending CALEA to redefine what types of companies should be covered. Industry and privacy experts, including some former government officials, are skeptical.
“There will be widespread disagreement over what the law requires,” said Albert Gidari Jr., a partner at Perkins Coie’s flagship Seattle office who represents telecommunications companies. “It takes companies into a court process over issues that don’t belong in court but rather in standards bodies with technical expertise.”
Some experts said a few companies will resist because they believe they might lose customers who have privacy concerns. Google, for instance, prides itself on protecting its search service from law enforcement surveillance, though it might comply in other areas, such as e-mail. And Skype has lost some of its cachet as a secure communicationsalternative now that it has been bought by Microsoft and is reportedly complying with wiretap orders.
Susan Landau, a former Sun Microsystems distinguished engineer, has argued that wiring in an intercept capability will increase the likelihood that a company’s servers will be hacked. “What you’ve done is created a way for someone to silently go in and activate a wiretap,” she said. Traditional phone communications were susceptible to illicit surveillance as a result of the 1994 law, she said, but the problem “becomes much worse when you move to an Internet or computer-based network.”
Marcus Thomas, former assistant director of the FBI’s Operational Technology Division, said good software coders can create an intercept capability that is secure. “But to do so costs money,” he said, noting the extra time and expertise needed to develop, test and operate such a service.
A huge challenge, officials agree, is how to gain access to peer-to-peer communications. Another challenge is making sense of encrypted communications.
Thomas said officials need to strike a balance between the needs of law enforcement and those of the technology companies.
“You want to give law enforcement the ability to have the data they’re legally entitled to get, at the same time not burdening industry and not opening up security holes,” he said.

No comments:

Post a Comment