Good news for hackers: The U.S. government may soon require online communications services to water down their encryption techniques.
The proposed legislation, which federal law enforcement and national security officials hope to present to Congress next year, would mandate that all services that can be used for online communications be capable of providing transcripts of their users’ emails or chats to the government if asked. The services would have to be able to intercept and decode all encrypted messages sent using their sites or software.
The rules would affect e-mail transmitters like BlackBerry, social networking sites like Facebook, and peer-to-peer messaging software like Skype. Officials hope to write the bill in general terms, without reference to specific technologies, so that other, yet unimagined, services would also fall under the regulations.
A 1994 law, the Communications Assistance to Law Enforcement Act, currently requires phone and broadband network providers to be capable of intercepting messages for the benefit of the cops, but that does investigators little good if messages are sent through online services that add their own encryption. Many online communications services currently allow users to send messages in ways that make it impossible for anyone, including the service providers, to intercept and unscramble the exchanges.
Law enforcement officials argue that the world of communications is “going dark” as criminals and terrorists increasingly turn to the Internet, instead of telephones, to communicate with one another. Officials don’t lack the authority to eavesdrop in the arena of online communications; they simply lack the ability.
The United States is not the only country asking communications services to turn on the lights so Big Brother can keep watching. India and the United Arab Emirates have recently put pressure on Research In Motion, the Canadian maker of BlackBerry smart phones, to make it easier for them to monitor messages. Some officials in India have even voiced suspicions that Research In Motion is already working with the United States to help it spy on encrypted communications.
I am all for giving counter-terrorism agents and federal law enforcement officers the tools they need to get the job done. Unlike many of those who are likely to speak out against this bill, I think the risk of large-scale government abuse of enhanced surveillance tools is pretty low. If the rules are implemented, law enforcement will probably be criticized more frequently for not making use of the tools at its disposal than it will be for using those tools too broadly.
But I doubt the increased burdens on service providers would really lead to investigators catching bad guys who otherwise would have eluded them. The agencies advocating the regulations, including the Federal Bureau of Investigation, already have ample tools with which to ensnare stupid crooks. And the new regulations would do nothing to help with the detection and capture of smart criminals and terrorists.
As an illustration of the need for the regulations, an official told the New York Times about an investigation into a drug cartel that was delayed because the smugglers were using peer-to-peer software, making it difficult to intercept their communications. The official’s statement seemed to imply that, with the new regulations in place, the smugglers would have been caught more quickly.
But chances are the smugglers used that software precisely because they knew it would put them in law enforcement’s blind spot. If investigators shine a flashlight on these sorts of communications, smugglers will simply find other dark corners, physical or virtual, where they can negotiate their deals.
If the bad guys are forced to be more inventive, they won’t face a scarcity of resources or possibilities. One technology blogger explains in detail how to hide files in JPG images. With his easy, step-by-step instructions, anyone can learn how to email a “lolcats” photo (that’s ‘laugh-out-loud-cats,’ meaning a picture of irresistibly adorable kitties) that also contains the time and place of a drug handoff. Computer users can also easily download free software allowing them to perform their own encryption instead of relying on communications service providers who could be hit with a subpoena.
And as investigators become more and more high-tech in their techniques, criminals can always respond by becoming more low-tech. After all, we don’t require Federal Express to copy all the correspondence it delivers so documents can be turned over upon government subpoena.
The intentions behind the wiretapping proposal are honorable. The threats are real, and the need for timely information is urgent. But if electronic intercepts were the magic bullet, we would have captured Osama bin Laden and Ayman al-Zawahiri years ago. Unfortunately, they and their conspirators are smart enough not to hold their conversations where investigators are looking. By the way, if you’re a government agent who has been directed here because my use of those names raised a flag, welcome to Current Commentary. I hope you enjoy looking around.
When it comes to tracking down dangerous individuals, the detective work is going to have to be performed in other ways, most of which involve getting close enough to a suspect to bug, tail or talk to him.
But, while criminals and terrorists would go to great lengths not to communicate sensitive information through any means subject to the new regulations, others would not. Businesspeople would continue to tap away at their Blackberries, many of them without even realizing that their information had become less secure.
The changes that would allow service providers to access encrypted communications would also make it easier for hackers to get at that information. The proposal is “a disaster waiting to happen,” Steven M. Bellovin, a Columbia University computer science professor, told The New York Times. “If they start building in all these back doors, they will be exploited.”
Even those nefarious figures without superior computer skills stand to benefit from the proposal. If service providers are required to have access to users’ communications in order to comply with government requests, there is also the possibility that rogue employees will sell that information to corrupt corporations looking to crack industry secrets, or even to hostile governments. Potential bribers and extortionists would have a guarantee that communications service providers could, if adequately baited, retrieve whatever information they might want.
I hope Congress will reject the proposed rules, but I am not optimistic. No matter how many security measures we have in place, there will inevitably be breaches, and some of them may be catastrophic. No politician wants to risk being blamed when something goes wrong.
While we wait for the proposal to make its way to the congressional halls, corporate technology managers and would-be entrepreneurial tycoons may want to study up on encryption techniques.