Should Government Mandate Backdoors for Snooping on the Internet?

FBI pushes for technological backdoors to Internet communications.

Oct. 8, 2010— -- Research In Motion is locked in a struggle with several countries, including India and the United Arab Emirates, which are demanding the company hand over the keys to the encrypted messages flying back and forth between BlackBerry users. For most U.S. citizens the travails of RIM were little more than a sideshow, playing out in sidebar stories of mainstream media.

But last month I cautioned readers here about something I called the "BlackBerry Butterfly Effect," where, "in this era of a globally interconnected world, the clash between technology, user privacy, and national security anywhere in the world eventually affects us all.

"Once a company like RIM gives in to one government's demands for surveillance capabilities that do not properly protect privacy rights," I wrote, "other governments will demand equivalence."

What I didn't know then was how quickly the BlackBerry Butterfly Effect would hit U.S. shores. Answer: Right now.

According to news reports, the FBI is asking for expansive authority to require that all Internet communications platforms, including web-based social media networks and end-to-end encrypted networks like Skype and RIM, build in some kind of a technical back door allowing law enforcement easy wiretapping access.

FBI to Ask Congress for 'Keys' to Encrypted Internet Communication

Although the proposal hasn't been made public and is still under discussion within the administration, news reports suggest that the FBI proposal seeks to dramatically expand on the 1994 law -- known as the Communications Assistance to Law Enforcement Act (CALEA) -- which required telecommunications carriers to build easy wiretap access into their networks.

Since that time, CALEA has been expanded to broadband and VoIP providers, but stopped short of covering the application layer of the Internet. That's because Congress made clear when it passed CALEA that the Internet was out of bounds.

Now, the FBI is poised to ask Congress to extend CALEA to cover the Internet and to reverse course on the law's important treatment of encrypted communications, which provides that telecommunications carriers are not responsible for decrypting communications or ensuring the government's ability to decrypt them, unless the carrier both provides the encryption and holds the keys.

That policy has permitted the development and use of strong encryption, benefiting both commerce and civil liberties. If the FBI gets its way, companies will be required to hold a copy of the keys for all encrypted communications on their networks, or otherwise provide the government a back door into targeted communications.

Security Risked

Security has progressively tightened in the post 9/11 era; cybersecurity has risen to White House executive level importance.

At a time when the Pentagon is grappling with how to fend off foreign government cyber attacks, this FBI proposal to build back doors into the most dynamic parts of the Internet could ironically put the architecture of the entire network at risk.

The thing about requiring easy-to-access back doors is that they invite hackers, whether foreign–governments, criminals or other malicious actors to find those doors to perpetrate crimes and threaten national security.

This isn't idle speculation. Hackers exploited wiretapping features built into the telephone system in Greece and were able to eavesdrop upon cellular telephone calls made by cabinet ministers and the prime minister himself. http://spectrum.ieee.org/telecom/security/the-athens-affair/0.

Back doors to enable interception of cell phone calls are already required by CALEA – imagine the security risk if the mandate for back doors was extended to application based communication services.

There is a reason that U.S. government officials use Blackberries; the Blackberry enterprise service is more secure than alternatives. Do we really want to build in back doors to more secure services like Blackberry in order to facilitate FBI access to Blackberry communications when doing so will increases the vulnerability of the communications of U.S. officials' to foreign intelligence agencies?

It's ironic. The President just launched "Cybersecurity Awareness Month," while the FBI is proposing measures that weaken cybersecurity.

Privacy in Peril

FBI surveillance is in the U.S. is already at record levels. In 2009, 2,376 federal and state wiretaps were conducted in criminal investigations, a figure that eclipses any other year. This amount electronic snooping exacts a huge toll on privacy. For example, last year each wiretap captured an average of 3,763 communications, of which a whopping 82 percent were non-incriminating, according to government records.

Meanwhile, the legal obstacles to surveillance are eroding on a regular basis; after 9/11 that trend accelerated. Now, the FBI wants the last vestiges of technological hurdles broken -- a request that Congress has rebuffed in earlier FBI wiretap proposals.

We are edging closer and closer to being a surveillance state. So it's a legitimate question: What are the limits on the government's power to intrude on our lives? Should the rule be that every form of communication be equally accessible to the government as every other? Privacy would take a body blow if a government back door were built into every technology.

Our current laws governing government access to information have already been far outstripped by technology (link to DDP.) When a few companies are required to hold the keys to millions of communications, the temptation to spy on people will be difficult to resist.

Innovation Sacrificed

The Internet is an engine of innovation. Every day, small innovators are working in their garages and dorm rooms, as well as in small companies, to launch hundreds of new applications and technologies.

Should each new communications technology be required to make design changes and get FBI sign off on its design before it launches? Who should pay for the delay in bringing new technologies to market or the cost of compliance? And what would it mean for innovation to have a law enforcement agency be the final arbiter of technical design?

When CALEA was first enacted, it placed a massive financial burden on the major telecommunications providers, but taxpayers absorbed a substantial part of that bill. But in today's economy, it seems unlikely that this FBI plan will come with financial support for the smallest of innovators to meet new technical standards.

More likely, the morass of legal and technical specifications, the cost of compliance and potential sanctions will simply scare off innovators or force some current applications to be drastically altered.

The World is Watching

Secretary of State Clinton's historic speech on 21st Century Statecraft elevated the Internet as a full-blown tool of diplomacy and human freedom. In taking the bold step to put Internet freedom squarely in the center of US foreign policy, U.S. policies have been put in the spotlight as well.

Those efforts to bolster America's moral authority on Internet freedom are endangered or at very least, contradicted, by moves such as this current FBI proposal.

As we've seen in the recent kerfuffle between BlackBerry and foreign governments, everyone points to the U.S. government surveillance record as political (and moral) justification for tougher surveillance mandates. If this FBI proposal is allowed to go forward, any future attempt by the State Department to call out a country's new surveillance mandates will fall on deaf ears. Internet freedom begins at home and the U.S. must lead by example. We can start by putting this proposal aside and looking for solutions that better reflect our values.

Leslie Harris is president and CEO of the Center for Democracy & Technology.